trunk: 3 patches from dan.

Chris PeBenito 2007-11-05 19:35:08 +00:00
parent 8bdb48da2e
commit eaed904cd5
5 changed files with 204 additions and 11 deletions


@ -1,5 +1,5 @@
policy_module(iptables,1.5.1) policy_module(iptables,1.5.2)
######################################## ########################################
# #
@ -64,6 +64,7 @@ init_use_fds(iptables_t)
init_use_script_ptys(iptables_t) init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot: # to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t) init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
libs_use_ld_so(iptables_t) libs_use_ld_so(iptables_t)
libs_use_shared_libs(iptables_t) libs_use_shared_libs(iptables_t)
@ -101,6 +102,10 @@ optional_policy(`
ppp_dontaudit_use_fds(iptables_t) ppp_dontaudit_use_fds(iptables_t)
') ')
optional_policy(`
rhgb_dontaudit_use_ptys(iptables_t)
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(iptables_t) seutil_sigchld_newrole(iptables_t)
') ')
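Review bot: The comment `# to allow rules to be saved on reboot:` above init_rw_script_tmp_files now also sits over the new init_rw_script_stream_sockets(iptables_t) grant, and it is not obvious from the hunk that the inherited stream-socket access serves the same save-on-reboot path. If it does, widen the comment to `# to allow rules to be saved on reboot (init script tmp files and inherited stream sockets):`; if it was triggered by a different caller, give the new line its own one-line why-comment so the next reviewer can tell whether the access is still needed. The optional rhgb_dontaudit_use_ptys block looks like plain noise suppression and needs nothing more.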


@ -1,5 +1,5 @@
policy_module(iscsid,1.2.2) policy_module(iscsid,1.2.3)
######################################## ########################################
# #
@ -54,6 +54,8 @@ files_search_var_lib(iscsid_t)
manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t) manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
kernel_read_system_state(iscsid_t)
corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_all_if(iscsid_t) corenet_tcp_sendrecv_all_if(iscsid_t)
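Review bot: kernel_read_system_state(iscsid_t) is added with no comment saying what iscsid actually reads, and that interface opens system-state reads across /proc, which is broader than the single entry a daemon usually needs. A one-line why-comment next to the call, e.g. `# reads /proc system state -- TODO: note which entry iscsid needs`, would let a later reviewer check whether a narrower interface suffices. I cannot tell from this hunk which denial prompted the rule, so the wording above is a placeholder to be confirmed.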


@ -1,5 +1,7 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0) /dev/log -s gen_context(system_u:object_r:devlog_t,s0)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
@ -28,12 +30,14 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
ifndef(`distro_gentoo',` ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
') ')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
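Review bot: The new `/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)` entry is restricted to regular files by `--`, so the /var/log/syslog-ng directory itself keeps var_log_t from the `/var/log/.*` line above, and nothing in this commit adds a file transition from var_log_t to syslogd_var_run_t; files syslog-ng creates there at runtime would therefore come out as var_log_t and only a relabel would match the new entry. If the directory is meant to be runtime state, drop the `--` so the directory is labeled too (`/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)`) and confirm syslogd_t can manage that type as a dir, or add the matching filetrans in logging.te. Labeling content under /var/log with a files_pid_file type also deserves a short comment, since readers granted the logfile attribute will not see these files.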


@ -34,6 +34,51 @@ interface(`logging_log_file',`
# #
interface(`logging_send_audit_msgs',` interface(`logging_send_audit_msgs',`
allow $1 self:capability audit_write; allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
#######################################
## <summary>
## dontaudit attempts to send audit messages.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_dontaudit_send_audit_msgs',`
dontaudit $1 self:capability audit_write;
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
########################################
## <summary>
## Set login uid
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_set_loginuid',`
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
')
########################################
## <summary>
## Set up audit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_set_audit_parameters',`
allow $1 self:capability { audit_write audit_control };
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
') ')
@ -484,12 +529,11 @@ interface(`logging_append_all_logs',`
interface(`logging_read_all_logs',` interface(`logging_read_all_logs',`
gen_require(` gen_require(`
attribute logfile; attribute logfile;
type var_log_t;
') ')
files_search_var($1) files_search_var($1)
allow $1 var_log_t:dir list_dir_perms; allow $1 logfile:dir list_dir_perms;
read_files_pattern($1,logfile, logfile) read_files_pattern($1, logfile, logfile)
') ')
######################################## ########################################
@ -616,3 +660,128 @@ interface(`logging_manage_generic_logs',`
files_search_var($1) files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t) manage_files_pattern($1,var_log_t,var_log_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## the audit environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the audit domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
')
allow $1 auditd_t:process { ptrace signal_perms };
ps_process_pattern($1, auditd_t)
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## the syslog environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the syslog domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_admin_syslog',`
gen_require(`
type syslogd_t, klogd_t, syslog_conf_t;
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
ps_process_pattern($1, klogd_t)
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
files_etc_filetrans($1, syslog_conf_t, file)
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
')
########################################
## <summary>
## All of the rules required to administrate
## the logging environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the syslog domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`logging_admin',`
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
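Review bot: logging_admin_audit, logging_admin_syslog and logging_admin all document a `role` ($2) and `terminal` ($3) parameter and carry `<rolecap/>`, but none of the three bodies references $2 or $3 — every rule is written against $1 only, so a caller passing a role and a tty gets no role authorization or terminal access from these interfaces. Either remove the unused parameters from the signatures and the XML (and have logging_admin call the two sub-interfaces with $1 alone), or add the rules the documentation promises; documented parameters that are silently ignored should not ship. The `allow $1 auditd_t:process { ptrace signal_perms }` grant (and the same for syslogd_t and klogd_t) hands the admin domain memory access to the audit daemon and merits a one-line justification such as `# ptrace lets the admin debug a wedged auditd; drop if not needed`. The manage patterns on the var_run and etc types also do not bring in `files_search_pids($1)` / `files_search_etc($1)`, so they reach those directories only if the caller already has that search access.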


@ -1,5 +1,5 @@
policy_module(logging,1.8.1) policy_module(logging,1.8.2)
######################################## ########################################
# #
@ -41,6 +41,9 @@ files_tmp_file(klogd_tmp_t)
type klogd_var_run_t; type klogd_var_run_t;
files_pid_file(klogd_var_run_t) files_pid_file(klogd_var_run_t)
type syslog_conf_t;
files_type(syslog_conf_t)
type syslogd_t; type syslogd_t;
type syslogd_exec_t; type syslogd_exec_t;
init_daemon_domain(syslogd_t,syslogd_exec_t) init_daemon_domain(syslogd_t,syslogd_exec_t)
@ -48,6 +51,9 @@ init_daemon_domain(syslogd_t,syslogd_exec_t)
type syslogd_tmp_t; type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t) files_tmp_file(syslogd_tmp_t)
type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)
type syslogd_var_run_t; type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t) files_pid_file(syslogd_var_run_t)
@ -64,8 +70,8 @@ ifdef(`enable_mls',`
# Auditctl local policy # Auditctl local policy
# #
allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control }; allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t) read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms; allow auditctl_t auditd_etc_t:dir list_dir_perms;
@ -92,6 +98,7 @@ libs_use_shared_libs(auditctl_t)
locallogin_dontaudit_use_fds(auditctl_t) locallogin_dontaudit_use_fds(auditctl_t)
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t) logging_send_syslog_msg(auditctl_t)
######################################## ########################################
@ -99,12 +106,12 @@ logging_send_syslog_msg(auditctl_t)
# Auditd local policy # Auditd local policy
# #
allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource }; allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config; dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms; allow auditd_t auditd_etc_t:file read_file_perms;
@ -141,6 +148,7 @@ files_list_usr(auditd_t)
init_telinit(auditd_t) init_telinit(auditd_t)
logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t) logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t) libs_use_ld_so(auditd_t)
@ -241,6 +249,8 @@ allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
# Create and bind to /dev/log or /var/run/log. # Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms; allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file) files_pid_filetrans(syslogd_t,devlog_t,sock_file)
@ -257,6 +267,9 @@ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
allow syslogd_t syslogd_var_run_t:file manage_file_perms; allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
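Review bot: The new `manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)` plus `files_search_var_lib(syslogd_t)` only applies to files already labeled syslogd_var_lib_t, yet this commit declares the type without any file transition and the logging.fc hunk adds no /var/lib path for it, so a file syslogd creates under /var/lib at runtime would be var_lib_t and the rule would never match. Unless a directory is labeled elsewhere in a hunk I cannot see, add `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { dir file })` together with a `manage_dirs_pattern` for the type, or an fc entry for the directory syslogd uses. The auditd_t capability line also gains `chown` without a comment; a why-note like `# auditd chowns its log files to the configured log group` would help if that is the reason, and the `self:fifo_file rw_file_perms` line should use the fifo set `rw_fifo_file_perms` if that is indeed the new side of the pair. The syslogd local policy block continues past the end of this section.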