trunk: 3 patches from dan.

2007-11-05 19:35:08 +00:00 · 2007-11-05 19:35:08 +00:00 · eaed904cd5
parent 8bdb48da2e
commit eaed904cd5
5 changed files with 204 additions and 11 deletions
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@ -1,5 +1,5 @@

-policy_module(iptables,1.5.1)
+policy_module(iptables,1.5.2)

 ########################################
 #
@ -64,6 +64,7 @@ init_use_fds(iptables_t)
 init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_tmp_files(iptables_t)
+init_rw_script_stream_sockets(iptables_t)

 libs_use_ld_so(iptables_t)
 libs_use_shared_libs(iptables_t)
@ -101,6 +102,10 @@ optional_policy(`
 	ppp_dontaudit_use_fds(iptables_t)
 ')

+optional_policy(`
+	rhgb_dontaudit_use_ptys(iptables_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(iptables_t)
 ')
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@ -1,5 +1,5 @@

-policy_module(iscsid,1.2.2)
+policy_module(iscsid,1.2.3)

 ########################################
 #
@ -54,6 +54,8 @@ files_search_var_lib(iscsid_t)
 manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
 files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)

+kernel_read_system_state(iscsid_t)
+
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_all_if(iscsid_t)
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@ -1,5 +1,7 @@
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)

+/etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)

 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
@ -28,12 +30,14 @@ ifdef(`distro_suse', `
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)

 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 ')

 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@ -34,6 +34,51 @@ interface(`logging_log_file',`
 #
 interface(`logging_send_audit_msgs',`
 	allow $1 self:capability audit_write;
+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+#######################################
+## <summary>
+##	dontaudit attempts to send audit messages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_send_audit_msgs',`
+	dontaudit $1 self:capability audit_write;
+	dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+##	Set login uid
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+	allow $1 self:capability audit_control;
+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+##	Set up audit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_set_audit_parameters',`
+	allow $1 self:capability { audit_write audit_control };
 	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 ')

@ -484,12 +529,11 @@ interface(`logging_append_all_logs',`
 interface(`logging_read_all_logs',`
 	gen_require(`
 		attribute logfile;
-		type var_log_t;
 	')

 	files_search_var($1)
-	allow $1 var_log_t:dir list_dir_perms;
-	read_files_pattern($1,logfile, logfile)
+	allow $1 logfile:dir list_dir_perms;
+	read_files_pattern($1, logfile, logfile)
 ')

 ########################################
@ -616,3 +660,128 @@ interface(`logging_manage_generic_logs',`
 	files_search_var($1)
 	manage_files_pattern($1,var_log_t,var_log_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the audit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the audit domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_audit',`
+	gen_require(`
+		type auditd_t, auditd_etc_t, auditd_log_t;
+		type auditd_var_run_t;
+	')
+
+	allow $1 auditd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, auditd_t)
+
+	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
+	manage_files_pattern($1, auditd_log_t, auditd_log_t)
+
+	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
+	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the syslog environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_syslog',`
+	gen_require(`
+		type syslogd_t, klogd_t, syslog_conf_t;
+		type syslogd_tmp_t, syslogd_var_lib_t;
+		type syslogd_var_run_t, klogd_var_run_t;
+		type klogd_tmp_t, var_log_t;
+	')
+
+	allow $1 syslogd_t:process { ptrace signal_perms };
+	allow $1 klogd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, syslogd_t)
+	ps_process_pattern($1, klogd_t)
+
+	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+
+	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
+	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
+
+	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+
+	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
+	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
+	files_etc_filetrans($1, syslog_conf_t, file)
+
+	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+
+	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+	logging_manage_all_logs($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the logging environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin',`
+	logging_admin_audit($1, $2, $3)
+	logging_admin_syslog($1, $2, $3)
+')
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@

-policy_module(logging,1.8.1)
+policy_module(logging,1.8.2)

 ########################################
 #
@ -41,6 +41,9 @@ files_tmp_file(klogd_tmp_t)
 type klogd_var_run_t;
 files_pid_file(klogd_var_run_t)

+type syslog_conf_t;
+files_type(syslog_conf_t)
+
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t,syslogd_exec_t)
@ -48,6 +51,9 @@ init_daemon_domain(syslogd_t,syslogd_exec_t)
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)

+type syslogd_var_lib_t;
+files_type(syslogd_var_lib_t)
+
 type syslogd_var_run_t;
 files_pid_file(syslogd_var_run_t)

@ -64,8 +70,8 @@ ifdef(`enable_mls',`
 # Auditctl local policy
 #

-allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

 read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
@ -92,6 +98,7 @@ libs_use_shared_libs(auditctl_t)

 locallogin_dontaudit_use_fds(auditctl_t)

+logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)

 ########################################
@ -99,12 +106,12 @@ logging_send_syslog_msg(auditctl_t)
 # Auditd local policy
 #

-allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
+allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
+allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:fifo_file rw_fifo_file_perms;
+allow auditd_t self:fifo_file rw_file_perms;

 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
@ -141,6 +148,7 @@ files_list_usr(auditd_t)

 init_telinit(auditd_t)

+logging_set_audit_parameters(auditd_t)
 logging_send_syslog_msg(auditd_t)

 libs_use_ld_so(auditd_t)
@ -241,6 +249,8 @@ allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;

+allow syslogd_t syslog_conf_t:file read_file_perms;
+
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t,devlog_t,sock_file)
@ -257,6 +267,9 @@ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })

+manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+files_search_var_lib(syslogd_t)
+
 allow syslogd_t syslogd_var_run_t:file manage_file_perms;
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)