trunk: 3 patches from dan.
This commit is contained in:
parent
8bdb48da2e
commit
eaed904cd5
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(iptables,1.5.1)
|
||||
policy_module(iptables,1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,6 +64,7 @@ init_use_fds(iptables_t)
|
||||
init_use_script_ptys(iptables_t)
|
||||
# to allow rules to be saved on reboot:
|
||||
init_rw_script_tmp_files(iptables_t)
|
||||
init_rw_script_stream_sockets(iptables_t)
|
||||
|
||||
libs_use_ld_so(iptables_t)
|
||||
libs_use_shared_libs(iptables_t)
|
||||
@ -101,6 +102,10 @@ optional_policy(`
|
||||
ppp_dontaudit_use_fds(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rhgb_dontaudit_use_ptys(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(iptables_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(iscsid,1.2.2)
|
||||
policy_module(iscsid,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,8 @@ files_search_var_lib(iscsid_t)
|
||||
manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
|
||||
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(iscsid_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(iscsid_t)
|
||||
corenet_all_recvfrom_netlabel(iscsid_t)
|
||||
corenet_tcp_sendrecv_all_if(iscsid_t)
|
||||
|
@ -1,5 +1,7 @@
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
|
||||
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
@ -28,12 +30,14 @@ ifdef(`distro_suse', `
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
|
||||
ifndef(`distro_gentoo',`
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
')
|
||||
|
||||
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
|
||||
|
@ -34,6 +34,51 @@ interface(`logging_log_file',`
|
||||
#
|
||||
interface(`logging_send_audit_msgs',`
|
||||
allow $1 self:capability audit_write;
|
||||
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## dontaudit attempts to send audit messages.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_dontaudit_send_audit_msgs',`
|
||||
dontaudit $1 self:capability audit_write;
|
||||
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set login uid
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_set_loginuid',`
|
||||
allow $1 self:capability audit_control;
|
||||
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set up audit
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_set_audit_parameters',`
|
||||
allow $1 self:capability { audit_write audit_control };
|
||||
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
|
||||
@ -484,12 +529,11 @@ interface(`logging_append_all_logs',`
|
||||
interface(`logging_read_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
read_files_pattern($1,logfile, logfile)
|
||||
allow $1 logfile:dir list_dir_perms;
|
||||
read_files_pattern($1, logfile, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -616,3 +660,128 @@ interface(`logging_manage_generic_logs',`
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1,var_log_t,var_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## the audit environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the audit domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin_audit',`
|
||||
gen_require(`
|
||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||
type auditd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 auditd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, auditd_t)
|
||||
|
||||
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
||||
|
||||
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
|
||||
manage_files_pattern($1, auditd_log_t, auditd_log_t)
|
||||
|
||||
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
||||
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## the syslog environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin_syslog',`
|
||||
gen_require(`
|
||||
type syslogd_t, klogd_t, syslog_conf_t;
|
||||
type syslogd_tmp_t, syslogd_var_lib_t;
|
||||
type syslogd_var_run_t, klogd_var_run_t;
|
||||
type klogd_tmp_t, var_log_t;
|
||||
')
|
||||
|
||||
allow $1 syslogd_t:process { ptrace signal_perms };
|
||||
allow $1 klogd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, syslogd_t)
|
||||
ps_process_pattern($1, klogd_t)
|
||||
|
||||
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
||||
|
||||
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
|
||||
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
|
||||
|
||||
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
|
||||
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
|
||||
|
||||
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
|
||||
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
|
||||
files_etc_filetrans($1, syslog_conf_t, file)
|
||||
|
||||
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
|
||||
manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## the logging environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin',`
|
||||
logging_admin_audit($1, $2, $3)
|
||||
logging_admin_syslog($1, $2, $3)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.8.1)
|
||||
policy_module(logging,1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -41,6 +41,9 @@ files_tmp_file(klogd_tmp_t)
|
||||
type klogd_var_run_t;
|
||||
files_pid_file(klogd_var_run_t)
|
||||
|
||||
type syslog_conf_t;
|
||||
files_type(syslog_conf_t)
|
||||
|
||||
type syslogd_t;
|
||||
type syslogd_exec_t;
|
||||
init_daemon_domain(syslogd_t,syslogd_exec_t)
|
||||
@ -48,6 +51,9 @@ init_daemon_domain(syslogd_t,syslogd_exec_t)
|
||||
type syslogd_tmp_t;
|
||||
files_tmp_file(syslogd_tmp_t)
|
||||
|
||||
type syslogd_var_lib_t;
|
||||
files_type(syslogd_var_lib_t)
|
||||
|
||||
type syslogd_var_run_t;
|
||||
files_pid_file(syslogd_var_run_t)
|
||||
|
||||
@ -64,8 +70,8 @@ ifdef(`enable_mls',`
|
||||
# Auditctl local policy
|
||||
#
|
||||
|
||||
allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control };
|
||||
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
|
||||
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
|
||||
allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
||||
@ -92,6 +98,7 @@ libs_use_shared_libs(auditctl_t)
|
||||
|
||||
locallogin_dontaudit_use_fds(auditctl_t)
|
||||
|
||||
logging_set_audit_parameters(auditctl_t)
|
||||
logging_send_syslog_msg(auditctl_t)
|
||||
|
||||
########################################
|
||||
@ -99,12 +106,12 @@ logging_send_syslog_msg(auditctl_t)
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
|
||||
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process { signal_perms setpgid setsched };
|
||||
allow auditd_t self:file { getattr read write };
|
||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow auditd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||
allow auditd_t auditd_etc_t:file read_file_perms;
|
||||
@ -141,6 +148,7 @@ files_list_usr(auditd_t)
|
||||
|
||||
init_telinit(auditd_t)
|
||||
|
||||
logging_set_audit_parameters(auditd_t)
|
||||
logging_send_syslog_msg(auditd_t)
|
||||
|
||||
libs_use_ld_so(auditd_t)
|
||||
@ -241,6 +249,8 @@ allow syslogd_t self:fifo_file rw_file_perms;
|
||||
allow syslogd_t self:udp_socket create_socket_perms;
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
||||
@ -257,6 +267,9 @@ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
|
||||
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
|
||||
|
||||
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
|
||||
files_search_var_lib(syslogd_t)
|
||||
|
||||
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user