From eb3cb6820a19c83b3a95ab3eb6d1ffffee1a0970 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 8 Sep 2005 17:12:38 +0000
Subject: [PATCH] add portmap
---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/services/inetd.if | 22 +-
 refpolicy/policy/modules/services/inetd.te | 1 +
 refpolicy/policy/modules/services/portmap.fc | 10 +
 refpolicy/policy/modules/services/portmap.if | 79 +++++++
 refpolicy/policy/modules/services/portmap.te | 193 ++++++++++++++++++
 refpolicy/policy/modules/services/tcpd.te | 8 +-
 refpolicy/policy/modules/system/init.if | 18 ++
 refpolicy/policy/modules/system/init.te | 4 +
 refpolicy/policy/modules/system/userdomain.if | 18 ++
 refpolicy/policy/modules/system/userdomain.te | 4 +
 11 files changed, 353 insertions(+), 5 deletions(-)
 create mode 100644 refpolicy/policy/modules/services/portmap.fc
 create mode 100644 refpolicy/policy/modules/services/portmap.if
 create mode 100644 refpolicy/policy/modules/services/portmap.te
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1918e949..b916a8b7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,6 @@
 - Added policies: ktalk + portmap * Wed Sep 07 2005 Chris PeBenito - 20050907 - Fix errors uncovered by sediff.
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 0dd31e51..4a851622 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -144,9 +144,7 @@ interface(`inetd_tcp_connect',`
 
 allow $1 inetd_t:tcp_socket { connectto recvfrom };
 allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
-
- #allow inetd_t kernel_t:tcp_socket recvfrom;
- #allow $1 kernel_t:tcp_socket recvfrom;
+ kernel_tcp_recvfrom($1)
 ')
 
 ########################################
@@ -173,3 +171,21 @@ interface(`inetd_domtrans_child',`
 allow inetd_child_t $1:fifo_file rw_file_perms;
 allow inetd_child_t $1:process sigchld;
 ')
+
+########################################
+##
+## Send UDP network traffic to inetd.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`inetd_udp_sendto',`
+ gen_require(`
+ type inetd_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 inetd_t:udp_socket sendto;
+ allow inetd_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 924a4805..7674b7d6 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -55,6 +55,7 @@ files_create_pid(inetd_t,inetd_var_run_t)
 kernel_read_kernel_sysctl(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
+kernel_tcp_recvfrom(inetd_t)
 
 # networking:
 corenet_tcp_sendrecv_all_if(inetd_t)
diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc
new file mode 100644
index 00000000..6975de01
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.fc
@@ -0,0 +1,10 @@
+
+/sbin/portmap -- context_template(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
new file mode 100644
index 00000000..943221ca
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -0,0 +1,79 @@
+## RPC port mapping service.
+
+########################################
+##
+## Execute portmap_helper in the helper domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
+
+ allow $1 portmap_helper_t:fd use;
+ allow portmap_helper_t $1:fd use;
+ allow portmap_helper_t $1:fifo_file rw_file_perms;
+ allow portmap_helper_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute portmap helper in the helper domain, and
+## allow the specified role the helper domain.
+## Communicate with portmap.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to be allowed the portmap domain.
+##
+##
+## The type of the terminal allow the portmap domain to use.
+##
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ type portmap_helper_t;
+ class chr_file { getattr read write ioctl };
+ ')
+
+ portmap_domtrans_helper($1)
+ role $2 types portmap_helper_t;
+ allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+
+ # send to portmap
+ allow $1 portmap_t:udp_socket sendto;
+ allow portmap_t $1:udp_socket recvfrom;
+
+ # receive from portmap
+ allow portmap_t $1:udp_socket sendto;
+ allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+##
+## Send UDP network traffic to portmap.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`portmap_udp_sendto',`
+ gen_require(`
+ type portmap_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 portmap_t:udp_socket sendto;
+ allow portmap_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
new file mode 100644
index 00000000..5cc17e6f
--- /dev/null
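Review bot: `portmap_run_helper` uses `portmap_t` and the `udp_socket` class in its four UDP allow rules, but its `gen_require` declares only `type portmap_helper_t;` and `class chr_file`, so a caller of this interface has no guarantee those symbols are present; add `type portmap_t;` and `class udp_socket { sendto recvfrom };` to the require block. The first pair of rules is exactly what `portmap_udp_sendto($1)` grants, so calling that interface instead of repeating the rules keeps one definition of the "send to portmap" relationship. Separately, it is not obvious that `$1` (the calling domain) rather than `portmap_helper_t` is the intended UDP peer of `portmap_t`: `pmap_set`/`pmap_dump` execute in `portmap_helper_t`, and nothing in this patch grants `portmap_helper_t` `udp_socket` `sendto`/`recvfrom` with `portmap_t`; worth confirming which domain actually exchanges RPC traffic with portmap before the interface is used.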
+++ b/refpolicy/policy/modules/services/portmap.te 
@@ -0,0 +1,193 @@
+
+policy_module(portmap,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t,portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t,portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+allow portmap_t portmap_tmp_t:dir create_dir_perms;
+allow portmap_t portmap_tmp_t:file create_file_perms;
+files_create_tmp_files(portmap_t, portmap_tmp_t, { file dir })
+
+allow portmap_t portmap_var_run_t:file create_file_perms;
+files_create_pid(portmap_t,portmap_var_run_t)
+
+kernel_read_kernel_sysctl(portmap_t)
+kernel_list_proc(portmap_t)
+kernel_read_proc_symlinks(portmap_t)
+
+corenet_tcp_sendrecv_all_if(portmap_t)
+corenet_udp_sendrecv_all_if(portmap_t)
+corenet_raw_sendrecv_all_if(portmap_t)
+corenet_tcp_sendrecv_all_nodes(portmap_t)
+corenet_udp_sendrecv_all_nodes(portmap_t)
+corenet_raw_sendrecv_all_nodes(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_all_nodes(portmap_t)
+corenet_udp_bind_all_nodes(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+term_dontaudit_use_console(portmap_t)
+
+domain_use_wide_inherit_fd(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+init_use_fd(portmap_t)
+init_use_script_pty(portmap_t)
+init_udp_sendto(portmap_t)
+init_udp_sendto_script(portmap_t)
+
+libs_use_ld_so(portmap_t)
+libs_use_shared_libs(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fd(portmap_t)
+userdom_dontaudit_search_sysadm_home_dir(portmap_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(portmap_t)
+ term_dontaudit_use_generic_pty(portmap_t)
+ files_dontaudit_read_root_file(portmap_t)
+')
+
+optional_policy(`inetd.te',`
+ inetd_udp_sendto(portmap_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(portmap_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(portmap_t)
+ nis_udp_sendto_ypbind(portmap_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(portmap_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(portmap_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(portmap_t)
+')
+
+ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
+allow portmap_t rpcd_t:udp_socket sendto;
+allow rpcd_t portmap_t:udp_socket recvfrom;
+
+ifdef(`lpd.te',`can_udp_send(portmap_t, lpd_t)')
+allow portmap_t lpd_t:udp_socket sendto;
+allow lpd_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(portmap_t, kernel_t)
+allow portmap_t kernel_t:udp_socket sendto;
+allow kernel_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(kernel_t, portmap_t)
+allow kernel_t portmap_t:udp_socket sendto;
+allow portmap_t kernel_t:udp_socket recvfrom;
+
+') dnl end TODO
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+corenet_tcp_sendrecv_all_if(portmap_helper_t)
+corenet_udp_sendrecv_all_if(portmap_helper_t)
+corenet_raw_sendrecv_all_if(portmap_helper_t)
+corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
+corenet_udp_sendrecv_all_nodes(portmap_helper_t)
+corenet_raw_sendrecv_all_nodes(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_all_nodes(portmap_helper_t)
+corenet_udp_bind_all_nodes(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_script_pid(portmap_helper_t)
+
+libs_use_ld_so(portmap_helper_t)
+libs_use_shared_libs(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(portmap_helper_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(portmap_helper_t)
+')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 882f4337..93123ad6 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
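Review bot: The `ifdef(`TODO',` ... `') dnl end TODO` block in the middle of portmap.te keeps raw `allow ... kernel_t:udp_socket`, `rpcd_t` and `lpd_t` rules plus `can_udp_send` calls that bypass the module interfaces the rest of this file uses; since nothing inside the block is compiled, either drop it or replace each entry with a one-line comment naming the interface still needed, so the raw rules are not copied into live policy later. `files_rw_generic_pids(portmap_helper_t)` grants the helper read/write on every generic pid file; presumably this is only for the helper's own state file, in which case a dedicated pid type would be tighter — confirm what `pmap_dump`/`pmap_set` actually write. The comment `# portmap binds to arbitary ports` has a typo and does not say which operation needs the generic and reserved port binds; `# portmap binds to arbitrary ports (TODO(review): state which portmap operation needs this)` would make those broad grants reviewable.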
@@ -55,6 +55,10 @@ optional_policy(`nis.te',`
 nis_use_ypbind(tcpd_t)
 ')
 
-optional_policy(`rshd.te',`
- rshd_domtrans(rshd_t)
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(tcpd_t)
+')
+
+optional_policy(`rshd.te',`
+ rshd_domtrans(tcpd_t)
 ')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e11f7f10..dd087c7d 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -297,6 +297,24 @@ interface(`init_dontaudit_use_fd',`
 dontaudit $1 init_t:fd use;
 ')
 
+########################################
+##
+## Send UDP network traffic to init.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`init_udp_sendto',`
+ gen_require(`
+ type init_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 init_t:udp_socket sendto;
+ allow init_t $1:udp_socket recvfrom;
+')
+
 ########################################
 #
 # init_domtrans_script(domain)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 18a32f26..31547a49 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -143,6 +143,10 @@ optional_policy(`authlogin.te',`
 auth_rw_login_records(init_t)
 ')
 
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(init_t)
+')
+
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
 userdom_shell_domtrans_sysadm(init_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 99963248..3fa926c9 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
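Review bot: The replacement of `rshd_domtrans(rshd_t)` by `rshd_domtrans(tcpd_t)` corrects the argument of an existing rule in tcpd.te (the old call named rshd_t rather than the tcpd domain as the caller), but neither the subject line nor the Changelog entry mentions it, so a behavioral change to tcpd_t is hidden under "add portmap". Record it in the commit message, e.g. `- Fix rshd_domtrans() argument in tcpd.te.`, so the change is traceable when the tcpd policy is audited later.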
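Review bot: `portmap_udp_sendto(init_t)` in init.te has no comment explaining why init itself, as opposed to the init scripts that portmap.te covers separately with `init_udp_sendto_script(portmap_t)`, exchanges UDP traffic with portmap; from the patch alone it is not clear which init operation needs this rather than it being added by symmetry with `init_udp_sendto(portmap_t)`. Add a why-comment above the optional block, e.g. `# TODO(review): confirm which init operation exchanges UDP with portmap`, or drop the rule if no such operation exists.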
@@ -1872,6 +1872,24 @@ interface(`userdom_use_all_user_fd',`
 allow $1 userdomain:fd use;
 ')
 
+########################################
+##
+## Do not audit attempts to inherit the file
+## descriptors from any user domains.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`userdom_dontaudit_use_all_user_fd',`
+ gen_require(`
+ attribute userdomain;
+ class fd use;
+ ')
+
+ dontaudit $1 userdomain:fd use;
+')
+
 ########################################
 ##
 ## Send general signals to all user domains.
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index bd6303f8..1719c118 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -190,6 +190,10 @@ ifdef(`targeted_policy',`
 pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+ optional_policy(`portmap.te',`
+ portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
 optional_policy(`quota.te',`
 quota_run(sysadm_t,sysadm_r,admin_terminal)
 ')