patch from dan Thu, 31 Aug 2006 15:16:30 -0400

This commit is contained in:
Chris PeBenito 2006-09-01 15:52:05 +00:00
parent c634db20c6
commit eac818f040
27 changed files with 288 additions and 35 deletions


@ -64,6 +64,7 @@
Tue, 20 Jun 2006
Wed, 26 Jul 2006
Wed, 23 Aug 2006
Thu, 31 Aug 2006
- Added modules:
afs
amavis (Erich Schubert)


@ -53,6 +53,10 @@ optional_policy(`
rpm_domtrans_script(anaconda_t)
')
optional_policy(`
ssh_domtrans_keygen(anaconda_t)
')
optional_policy(`
udev_domtrans(anaconda_t)
')


@ -19,9 +19,12 @@ domain_entry_file(mono_t,mono_exec_t)
ifdef(`targeted_policy',`
allow mono_t self:process { execheap execmem };
unconfined_domain_noaudit(mono_t)
unconfined_dbus_chat(mono_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
init_dbus_chat_script(mono_t)
optional_policy(`


@ -54,7 +54,9 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)


@ -126,6 +126,7 @@ network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(setroubleshoot, tcp,3267,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)


@ -3,7 +3,7 @@
/dev/.* gen_context(system_u:object_r:device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/adsp -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)


@ -57,6 +57,7 @@ ifdef(`distro_suse',`
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
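Review bot: The new `/etc/reader.conf` entry leaves the dot unescaped, so as a regular expression it also matches any single character in that position, while the neighbouring `/etc/smartd\.conf` and `/etc/cups/client\.conf` entries follow the file's escaped-literal convention. The practical effect is small, but file-context patterns are regexes and the inconsistency invites copy-paste mistakes in later entries. Suggest `/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)`.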


@ -1048,6 +1048,24 @@ interface(`kernel_write_xen_state',`
allow $1 proc_xen_t:file write;
')
########################################
## <summary>
## Do not audit attempts to list all proc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_list_all_proc',`
gen_require(`
attribute proc_type;
')
dontaudit $1 proc_type:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts by caller to search
@ -1604,6 +1622,24 @@ interface(`kernel_rw_rpc_sysctls',`
allow $1 sysctl_rpc_t:file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to list all sysctl directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_list_all_sysctls',`
gen_require(`
attribute sysctl_type;
')
dontaudit $1 sysctl_type:dir list_dir_perms;
')
########################################
## <summary>
## Allow caller to read all sysctls.


@ -22,11 +22,13 @@
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0)
/dev/vcc?/.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/vcs[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0)
/dev/xvc[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
ifdef(`distro_gentoo',`
/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
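Review bot: `/dev/usb/tty.*` is printed twice in this hunk (the second copy sits between the new `/dev/vcs[^/]*` and `/dev/xvc[0-9]*` lines), and with the +/- column lost I cannot tell whether one copy is the removed side of a move or both survive on the new side. If both survive, the file carries a duplicate specification for usbtty_device_t, which setfiles is likely to report and which adds nothing. Please confirm against the tree and keep a single `/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0)`.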


@ -185,6 +185,7 @@ files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
libs_use_ld_so(dovecot_auth_t)
libs_use_shared_libs(dovecot_auth_t)
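Review bot: `files_read_var_lib_files(dovecot_t)` is inserted in the middle of the dovecot_auth_t rule block (every surrounding call targets dovecot_auth_t), so either the subject is a typo for dovecot_auth_t or the line belongs in the dovecot_t section of the file. It is also a wide grant: read access to every generic var_lib_t file rather than to a dovecot-specific type, so a why-comment naming the file that is actually needed (e.g. `# dovecot reads [PATH-not-on-page] under /var/lib — TODO confirm`) would justify the width or point at a narrower type. Please confirm which domain the call was meant for and place it accordingly.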


@ -110,10 +110,6 @@ storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
term_use_unallocated_ttys(hald_t)
auth_use_nsswitch(hald_t)
init_use_fds(hald_t)
@ -145,7 +141,8 @@ sysnet_read_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
ifdef(`targeted_policy', `
ifdef(`targeted_policy',`
term_dontaudit_use_console(hald_t)
term_setattr_unallocated_ttys(hald_t)
term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
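Review bot: `term_setattr_unallocated_ttys(hald_t)` is the one allow rule in the reworked targeted_policy block, sitting among dontaudit calls, and nothing says why hal needs to change attributes of unallocated ttys in targeted policy while strict policy is losing `term_use_unallocated_ttys(hald_t)` in the same change. A one-line comment above it, such as `# hal changes ownership/mode of ttys it probes — TODO confirm the exact operation`, would stop a later cleanup from reverting it as noise. Moving the console/pty dontaudits under targeted_policy otherwise reads fine; the first hunk's removal of those lines from the unconditional part means strict policy will now audit them, which I assume is intended.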


@ -58,6 +58,8 @@ libs_use_shared_libs(pyzor_t)
miscfiles_read_localization(pyzor_t)
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
optional_policy(`
amavis_manage_lib_files(pyzor_t)
amavis_manage_spool_files(pyzor_t)
@ -104,13 +106,13 @@ corenet_sendrecv_pyzor_server_packets(pyzord_t)
files_read_etc_files(pyzord_t)
term_dontaudit_use_generic_ptys(pyzord_t)
auth_use_nsswitch(pyzord_t)
libs_use_ld_so(pyzord_t)
libs_use_shared_libs(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
miscfiles_read_localization(pyzord_t)
# Do not audit attempts to access /root.
@ -120,6 +122,9 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(pyzord_t)
term_dontaudit_use_unallocated_ttys(pyzord_t)
userdom_read_generic_user_home_content_files(pyzord_t)
')
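Review bot: `term_dontaudit_use_generic_ptys(pyzord_t)` appears both in the unconditional section (the `-104,13 +106,13` hunk) and inside the targeted_policy block added by the `-120,6 +122,9` hunk; with the +/- column lost I cannot tell whether the first copy is the removed side of that equal-count hunk, but if it survives the rule is duplicated. Keep only one copy, and if strict policy no longer needs it the targeted block is the right home. `userdom_read_generic_user_home_content_files(pyzord_t)` in the same block is a real read grant on user home content rather than a dontaudit, so a comment stating what pyzord reads from home directories would help a later reviewer judge whether it can be narrowed.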


@ -105,6 +105,7 @@ xserver_kill_xdm_xserver(rhgb_t)
xserver_read_xkb_libs(rhgb_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(rhgb_t)
term_dontaudit_use_generic_ptys(rhgb_t)
files_dontaudit_read_root_files(rhgb_t)
')


@ -0,0 +1,7 @@
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)


@ -0,0 +1 @@
## <summary>SELinux troubleshooting service</summary>


@ -0,0 +1,111 @@
policy_module(setroubleshoot,1.0.0)
########################################
#
# Declarations
#
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
type setroubleshoot_var_lib_t;
files_type(setroubleshoot_var_lib_t)
# log files
type setroubleshoot_var_log_t;
logging_log_file(setroubleshoot_var_log_t)
# pid files
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
########################################
#
# setroubleshootd local policy
#
allow setroubleshootd_t self:capability { dac_override sys_tty_config };
allow setroubleshootd_t self:process { signal getattr };
allow setroubleshootd_t self:fifo_file rw_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
# database files
allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr };
files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })
# log files
allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
# pid file
allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
corecmd_exec_sbin(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
corenet_non_ipsec_sendrecv(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
corenet_tcp_bind_all_nodes(setroubleshootd_t)
corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
corenet_tcp_connect_smtp_port(setroubleshootd_t)
corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
files_getattr_all_dirs(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
term_dontaudit_use_console(setroubleshootd_t)
term_dontaudit_use_all_user_ptys(setroubleshootd_t)
term_dontaudit_use_all_user_ttys(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
init_use_fds(setroubleshootd_t)
libs_use_ld_so(setroubleshootd_t)
libs_use_shared_libs(setroubleshootd_t)
miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_auditd(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
sysnet_read_config(setroubleshootd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(setroubleshootd_t)
term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
')
optional_policy(`
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
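Review bot: `corenet_tcp_sendrecv_all_ports(setroubleshootd_t)` lets the daemon send and receive on every labelled TCP port, while the other network lines show it only needs its own listener (`corenet_tcp_bind_setroubleshoot_port`) and outbound SMTP (`corenet_tcp_connect_smtp_port`); the per-port sendrecv interfaces generated from the `network_port(setroubleshoot, tcp,3267,s0)` declaration in this same commit cover that without the blanket grant. The `{ file dir }` filetrans calls for setroubleshoot_var_lib_t and setroubleshoot_var_log_t are paired with only `{ rw_dir_perms setattr }` on the dir class, and rw_dir_perms in refpolicy's permission sets does not include create as far as I recall (confirm against obj_perm_sets.spt), so the dir half of each transition could never fire; either grant `manage_dir_perms` or drop `dir` from the filetrans. `dac_override` combined with `corecmd_exec_shell`/`corecmd_exec_bin`/`corecmd_exec_sbin` deserves a why-comment naming the operation that needs to bypass file permissions, and `type setroubleshootd_t alias setroubleshoot_t;` on a freshly introduced type only makes sense if a previously shipped policy used the old name — if none did, drop the alias.
```m4
# database files
allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
allow setroubleshootd_t setroubleshoot_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })

# log files
allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms;
allow setroubleshootd_t setroubleshoot_var_log_t:dir manage_dir_perms;
logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })

# … unchanged: pid file rules, kernel_* and corecmd_* calls …

corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
# only the daemon's own listener and outbound SMTP, not every port
corenet_tcp_sendrecv_setroubleshoot_port(setroubleshootd_t)
corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
corenet_tcp_bind_all_nodes(setroubleshootd_t)
```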


@ -132,8 +132,11 @@ userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(spamd_t)
term_dontaudit_use_generic_ptys(spamd_t)
files_dontaudit_read_root_files(spamd_t)
tunable_policy(`spamd_enable_home_dirs',`
userdom_home_filetrans_generic_user_home_dir(spamd_t)
userdom_manage_generic_user_home_content_dirs(spamd_t)
userdom_manage_generic_user_home_content_files(spamd_t)
userdom_manage_generic_user_home_content_symlinks(spamd_t)


@ -694,6 +694,27 @@ interface(`ssh_exec',`
can_exec($1,ssh_exec_t)
')
########################################
## <summary>
## Execute the ssh key generator in the ssh keygen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_domtrans_keygen',`
gen_require(`
type ssh_keygen_t, ssh_keygen_exec_t;
')
domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
allow ssh_keygen_t $1:fd use;
allow ssh_keygen_t $1:fifo_file rw_file_perms;
allow ssh_keygen_t $1:process sigchld;
')
########################################
## <summary>
## Read ssh server keys


@ -45,7 +45,6 @@ template(`xserver_common_domain_template',`
allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:process { execmem execheap execstack setsched };
allow $1_xserver_t self:fd use;
allow $1_xserver_t self:fifo_file rw_file_perms;
allow $1_xserver_t self:sock_file r_file_perms;
@ -159,6 +158,14 @@ template(`xserver_common_domain_template',`
sysnet_read_config($1_xserver_t)
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
ifdef(`distro_rhel4',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
optional_policy(`
apm_stream_connect($1_xserver_t)
')
@ -770,9 +777,12 @@ interface(`xserver_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
type xdm_t;
type xdm_t, xdm_tmp_t;
')
files_search_tmp($1)
allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:sock_file write;
allow $1 xdm_t:unix_stream_socket connectto;
')
@ -1047,6 +1057,24 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
allow $1 xdm_xserver_tmp_t:file { getattr read };
')
########################################
## <summary>
## Read xdm temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit
## </summary>
## </param>
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
type xdm_tmp_t;
')
allow $1 xdm_tmp_t:file { getattr read };
')
########################################
## <summary>
## Kill XDM X servers
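Review bot: The `<param>` summary of the new `xserver_read_xdm_tmp_files` interface says `Domain to not audit`, but its body is an allow rule (`allow $1 xdm_tmp_t:file { getattr read };`), so the doc block was copied from a dontaudit template; it should read `Domain allowed access.` like the sibling interfaces. In the template hunk, the execmem/execheap/execstack grant is now gated by `ifndef(`distro_redhat',`)` plus an `ifdef(`distro_rhel4',`)` re-add with no comment; a line such as `# X on Red Hat builds other than RHEL4 runs without executable heap/stack — TODO confirm` would record the reason. The same gating is repeated in xserver.te for xdm_t and xdm_xserver_t and would benefit from the same comment.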


@ -292,11 +292,17 @@ ifdef(`strict_policy',`
')
ifdef(`targeted_policy',`
allow xdm_t self:process { execheap execmem };
unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
')
tunable_policy(`use_nfs_home_dirs',`
@ -420,10 +426,16 @@ ifdef(`strict_policy',`
')
ifdef(`targeted_policy',`
allow xdm_xserver_t self:process { execheap execmem };
unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
ifndef(`distro_redhat',`
allow xdm_xserver_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_xserver_t self:process { execheap execmem };
')
')
optional_policy(`


@ -27,7 +27,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { getsession getattr signal_perms };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
allow hotplug_t self:fifo_file rw_file_perms;
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;


@ -30,6 +30,7 @@ ifdef(`distro_suse', `
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)


@ -11,6 +11,9 @@ type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
@ -28,6 +31,8 @@ ifdef(`targeted_policy',`
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_loopback_t:file r_file_perms;
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
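Review bot: `type mount_loopback_t; # customizable` is introduced with read access for mount_t, but nothing in this commit as rendered adds an .fc entry or a mount.if interface for it, so the only way it takes effect is an administrator labelling image files by hand. That is presumably what the `# customizable` marker intends, but a comment above the declaration should say so, e.g. `# label loopback image files mount_loopback_t so mount can read them without a generic file-read grant`. If other domains are expected to create or relabel such images later, an interface exposing the type will be needed.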


@ -355,6 +355,8 @@ kernel_relabelfrom_unlabeled_files(restorecon_t)
kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
kernel_relabelfrom_unlabeled_pipes(restorecon_t)
kernel_relabelfrom_unlabeled_sockets(restorecon_t)
kernel_dontaudit_list_all_proc(restorecon_t)
kernel_dontaudit_list_all_sysctls(restorecon_t)
dev_relabel_all_dev_nodes(restorecon_t)
# cjp: why is this needed?
@ -458,6 +460,8 @@ init_dontaudit_use_script_ptys(restorecond_t)
libs_use_ld_so(restorecond_t)
libs_use_shared_libs(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)
logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)


@ -56,6 +56,7 @@ mls_rangetrans_target(setrans_t)
selinux_compute_access_vector(setrans_t)
term_dontaudit_use_generic_ptys(setrans_t)
term_dontaudit_use_unallocated_ttys(setrans_t)
init_use_fds(setrans_t)
init_dontaudit_use_script_ptys(setrans_t)
@ -63,6 +64,8 @@ init_dontaudit_use_script_ptys(setrans_t)
libs_use_ld_so(setrans_t)
libs_use_shared_libs(setrans_t)
locallogin_dontaudit_use_fds(setrans_t)
logging_send_syslog_msg(setrans_t)
miscfiles_read_localization(setrans_t)


@ -84,14 +84,33 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
domain_read_all_domains_state(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
mcs_ptrace_all(udev_t)
mls_file_read_up(udev_t)
mls_file_write_down(udev_t)
mls_file_upgrade(udev_t)
mls_file_downgrade(udev_t)
mls_process_write_down(udev_t)
selinux_get_fs_mount(udev_t)
selinux_validate_context(udev_t)
selinux_compute_access_vector(udev_t)
@ -103,17 +122,6 @@ auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
corecmd_exec_all_executables(udev_t)
domain_read_all_domains_state(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
init_use_fds(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
@ -126,12 +134,6 @@ logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t)
mls_file_read_up(udev_t)
mls_file_write_down(udev_t)
mls_file_upgrade(udev_t)
mls_file_downgrade(udev_t)
mls_process_write_down(udev_t)
modutils_domtrans_insmod(udev_t)
seutil_read_config(udev_t)
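Review bot: `mcs_ptrace_all(udev_t)` is a new grant buried in what is otherwise a re-sorting of existing calls, and it carries no comment; going by its name it lets udev bypass MCS category checks for ptrace, which is stronger than the state reads `domain_read_all_domains_state(udev_t)` already gives it. A why-comment naming the udev operation that trips the MCS constraint (`# mcs: udev reads /proc/<pid> of processes in other categories — TODO confirm which`) would let a later reviewer judge whether it can be narrowed. `fs_getattr_all_fs(udev_t)` and `fs_list_inotifyfs(udev_t)` in the same hunk also look like plain additions rather than moves and could use the same treatment; the moved lines themselves are fine.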


@ -10,4 +10,5 @@ ifdef(`targeted_policy',`
/usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')