add portmap
This commit is contained in:
parent
d17b4d2323
commit
eb3cb6820a
|
@ -1,5 +1,6 @@
|
||||||
- Added policies:
|
- Added policies:
|
||||||
ktalk
|
ktalk
|
||||||
|
portmap
|
||||||
|
|
||||||
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
||||||
- Fix errors uncovered by sediff.
|
- Fix errors uncovered by sediff.
|
||||||
|
|
|
@ -144,9 +144,7 @@ interface(`inetd_tcp_connect',`
|
||||||
|
|
||||||
allow $1 inetd_t:tcp_socket { connectto recvfrom };
|
allow $1 inetd_t:tcp_socket { connectto recvfrom };
|
||||||
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
|
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||||
|
kernel_tcp_recvfrom($1)
|
||||||
#allow inetd_t kernel_t:tcp_socket recvfrom;
|
|
||||||
#allow $1 kernel_t:tcp_socket recvfrom;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -173,3 +171,21 @@ interface(`inetd_domtrans_child',`
|
||||||
allow inetd_child_t $1:fifo_file rw_file_perms;
|
allow inetd_child_t $1:fifo_file rw_file_perms;
|
||||||
allow inetd_child_t $1:process sigchld;
|
allow inetd_child_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send UDP network traffic to inetd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`inetd_udp_sendto',`
|
||||||
|
gen_require(`
|
||||||
|
type inetd_t;
|
||||||
|
class udp_socket { sendto recvfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 inetd_t:udp_socket sendto;
|
||||||
|
allow inetd_t $1:udp_socket recvfrom;
|
||||||
|
')
|
||||||
|
|
|
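Review bot: The `<param name="domain">` text of the new `inetd_udp_sendto` interface reads `## The type of the process performing this action.`, while the interfaces added to portmap.if in the same commit describe the same parameter as `## Domain allowed access.`; the generated interface documentation should use one wording. The body is a verbatim twin of `portmap_udp_sendto` (portmap.if) and `init_udp_sendto` (init.if), both added here, so the same wording fix applies to the init.if hunk as well. The `inetd_tcp_connect` hunk above starts outside the view, so only its `kernel_tcp_recvfrom($1)` replacement of the two commented-out `kernel_t` rules is reviewable here, and that part is consistent with the `kernel_tcp_recvfrom(inetd_t)` added in inetd.te.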
@ -55,6 +55,7 @@ files_create_pid(inetd_t,inetd_var_run_t)
|
||||||
kernel_read_kernel_sysctl(inetd_t)
|
kernel_read_kernel_sysctl(inetd_t)
|
||||||
kernel_list_proc(inetd_t)
|
kernel_list_proc(inetd_t)
|
||||||
kernel_read_proc_symlinks(inetd_t)
|
kernel_read_proc_symlinks(inetd_t)
|
||||||
|
kernel_tcp_recvfrom(inetd_t)
|
||||||
|
|
||||||
# networking:
|
# networking:
|
||||||
corenet_tcp_sendrecv_all_if(inetd_t)
|
corenet_tcp_sendrecv_all_if(inetd_t)
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
|
||||||
|
/sbin/portmap -- context_template(system_u:object_r:portmap_exec_t,s0)
|
||||||
|
|
||||||
|
ifdef(`distro_debian',`
|
||||||
|
/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
|
||||||
|
/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
|
||||||
|
', `
|
||||||
|
/usr/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
|
||||||
|
/usr/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
|
||||||
|
')
|
|
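Review bot: Nothing in this file labels portmap's pid or temp files, although portmap.te declares `portmap_var_run_t` and `portmap_tmp_t` and calls `files_create_pid(portmap_t,portmap_var_run_t)`. The type transition only covers files the running daemon creates; a relabel of the pid directory would reset an existing pid file to the generic pid type, so if portmap does write a pid file an entry along the lines of `/var/run/portmap\.pid -- context_template(system_u:object_r:portmap_var_run_t,s0)` (constructed example — confirm the real path against the package) belongs here. Whether the daemon writes a pid file at all is not visible from this commit, so verify before adding.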
@ -0,0 +1,79 @@
|
||||||
|
## <summary>RPC port mapping service.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute portmap_helper in the helper domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`portmap_domtrans_helper',`
|
||||||
|
gen_require(`
|
||||||
|
type portmap_helper_t, portmap_helper_exec_t;
|
||||||
|
class process sigchld;
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
|
||||||
|
|
||||||
|
allow $1 portmap_helper_t:fd use;
|
||||||
|
allow portmap_helper_t $1:fd use;
|
||||||
|
allow portmap_helper_t $1:fifo_file rw_file_perms;
|
||||||
|
allow portmap_helper_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute portmap helper in the helper domain, and
|
||||||
|
## allow the specified role the helper domain.
|
||||||
|
## Communicate with portmap.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## The role to be allowed the portmap domain.
|
||||||
|
## </param>
|
||||||
|
## <param name="terminal">
|
||||||
|
## The type of the terminal allow the portmap domain to use.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`portmap_run_helper',`
|
||||||
|
gen_require(`
|
||||||
|
type portmap_helper_t;
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
|
portmap_domtrans_helper($1)
|
||||||
|
role $2 types portmap_helper_t;
|
||||||
|
allow portmap_helper_t $3:chr_file { getattr read write ioctl };
|
||||||
|
|
||||||
|
# send to portmap
|
||||||
|
allow $1 portmap_t:udp_socket sendto;
|
||||||
|
allow portmap_t $1:udp_socket recvfrom;
|
||||||
|
|
||||||
|
# receive from portmap
|
||||||
|
allow portmap_t $1:udp_socket sendto;
|
||||||
|
allow $1 portmap_t:udp_socket recvfrom;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send UDP network traffic to portmap.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`portmap_udp_sendto',`
|
||||||
|
gen_require(`
|
||||||
|
type portmap_t;
|
||||||
|
class udp_socket { sendto recvfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 portmap_t:udp_socket sendto;
|
||||||
|
allow portmap_t $1:udp_socket recvfrom;
|
||||||
|
')
|
|
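Review bot: `portmap_run_helper` uses `portmap_t` in the four UDP rules under `# send to portmap` and `# receive from portmap`, but its `gen_require` block only requires `portmap_helper_t` and `class chr_file`; the `udp_socket` permissions are not required either. Because the interface is expanded in the caller's module (sysadm.te calls it in this commit), the missing requirements will surface there in a modular build; add `type portmap_t;` and `class udp_socket { sendto recvfrom };` to the `gen_require`, or replace the first pair of rules with `portmap_udp_sendto($1)`, which is defined below with the right requirements. The `<param name="terminal">` text says the terminal is allowed to `the portmap domain`, but the rule grants it to `portmap_helper_t` (`allow portmap_helper_t $3:chr_file ...`); the `role` and `terminal` descriptions should say "the helper domain", as the summary does.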
@ -0,0 +1,193 @@
|
||||||
|
|
||||||
|
policy_module(portmap,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type portmap_t;
|
||||||
|
type portmap_exec_t;
|
||||||
|
init_daemon_domain(portmap_t,portmap_exec_t)
|
||||||
|
|
||||||
|
type portmap_helper_t;
|
||||||
|
type portmap_helper_exec_t;
|
||||||
|
init_system_domain(portmap_helper_t,portmap_helper_exec_t)
|
||||||
|
role system_r types portmap_helper_t;
|
||||||
|
|
||||||
|
type portmap_tmp_t;
|
||||||
|
files_tmp_file(portmap_tmp_t)
|
||||||
|
|
||||||
|
type portmap_var_run_t;
|
||||||
|
files_pid_file(portmap_var_run_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Portmap local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow portmap_t self:capability { setuid setgid };
|
||||||
|
dontaudit portmap_t self:capability sys_tty_config;
|
||||||
|
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
allow portmap_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow portmap_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow portmap_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow portmap_t portmap_tmp_t:dir create_dir_perms;
|
||||||
|
allow portmap_t portmap_tmp_t:file create_file_perms;
|
||||||
|
files_create_tmp_files(portmap_t, portmap_tmp_t, { file dir })
|
||||||
|
|
||||||
|
allow portmap_t portmap_var_run_t:file create_file_perms;
|
||||||
|
files_create_pid(portmap_t,portmap_var_run_t)
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctl(portmap_t)
|
||||||
|
kernel_list_proc(portmap_t)
|
||||||
|
kernel_read_proc_symlinks(portmap_t)
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if(portmap_t)
|
||||||
|
corenet_udp_sendrecv_all_if(portmap_t)
|
||||||
|
corenet_raw_sendrecv_all_if(portmap_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(portmap_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(portmap_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(portmap_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(portmap_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(portmap_t)
|
||||||
|
corenet_tcp_bind_all_nodes(portmap_t)
|
||||||
|
corenet_udp_bind_all_nodes(portmap_t)
|
||||||
|
corenet_tcp_bind_portmap_port(portmap_t)
|
||||||
|
corenet_udp_bind_portmap_port(portmap_t)
|
||||||
|
# portmap binds to arbitary ports
|
||||||
|
corenet_tcp_bind_generic_port(portmap_t)
|
||||||
|
corenet_udp_bind_generic_port(portmap_t)
|
||||||
|
corenet_tcp_bind_reserved_port(portmap_t)
|
||||||
|
corenet_udp_bind_reserved_port(portmap_t)
|
||||||
|
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
|
||||||
|
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(portmap_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(portmap_t)
|
||||||
|
fs_search_auto_mountpoints(portmap_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(portmap_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(portmap_t)
|
||||||
|
|
||||||
|
files_read_etc_files(portmap_t)
|
||||||
|
|
||||||
|
init_use_fd(portmap_t)
|
||||||
|
init_use_script_pty(portmap_t)
|
||||||
|
init_udp_sendto(portmap_t)
|
||||||
|
init_udp_sendto_script(portmap_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(portmap_t)
|
||||||
|
libs_use_shared_libs(portmap_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(portmap_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(portmap_t)
|
||||||
|
|
||||||
|
sysnet_read_config(portmap_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fd(portmap_t)
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir(portmap_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy', `
|
||||||
|
term_dontaudit_use_unallocated_tty(portmap_t)
|
||||||
|
term_dontaudit_use_generic_pty(portmap_t)
|
||||||
|
files_dontaudit_read_root_file(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`inetd.te',`
|
||||||
|
inetd_udp_sendto(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`mount.te',`
|
||||||
|
mount_send_nfs_client_request(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(portmap_t)
|
||||||
|
nis_udp_sendto_ypbind(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinuxutil.te',`
|
||||||
|
seutil_sigchld_newrole(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`udev.te', `
|
||||||
|
udev_read_db(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
optional_policy(`rhgb.te',`
|
||||||
|
rhgb_domain(portmap_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
|
||||||
|
allow portmap_t rpcd_t:udp_socket sendto;
|
||||||
|
allow rpcd_t portmap_t:udp_socket recvfrom;
|
||||||
|
|
||||||
|
ifdef(`lpd.te',`can_udp_send(portmap_t, lpd_t)')
|
||||||
|
allow portmap_t lpd_t:udp_socket sendto;
|
||||||
|
allow lpd_t portmap_t:udp_socket recvfrom;
|
||||||
|
|
||||||
|
can_udp_send(portmap_t, kernel_t)
|
||||||
|
allow portmap_t kernel_t:udp_socket sendto;
|
||||||
|
allow kernel_t portmap_t:udp_socket recvfrom;
|
||||||
|
|
||||||
|
can_udp_send(kernel_t, portmap_t)
|
||||||
|
allow kernel_t portmap_t:udp_socket sendto;
|
||||||
|
allow portmap_t kernel_t:udp_socket recvfrom;
|
||||||
|
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Portmap helper local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
dontaudit portmap_helper_t self:capability net_admin;
|
||||||
|
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow portmap_helper_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if(portmap_helper_t)
|
||||||
|
corenet_udp_sendrecv_all_if(portmap_helper_t)
|
||||||
|
corenet_raw_sendrecv_all_if(portmap_helper_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(portmap_helper_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(portmap_helper_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(portmap_helper_t)
|
||||||
|
corenet_tcp_bind_all_nodes(portmap_helper_t)
|
||||||
|
corenet_udp_bind_all_nodes(portmap_helper_t)
|
||||||
|
corenet_tcp_bind_reserved_port(portmap_helper_t)
|
||||||
|
corenet_udp_bind_reserved_port(portmap_helper_t)
|
||||||
|
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
|
||||||
|
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
|
||||||
|
|
||||||
|
files_read_etc_files(portmap_helper_t)
|
||||||
|
files_rw_generic_pids(portmap_helper_t)
|
||||||
|
|
||||||
|
init_rw_script_pid(portmap_helper_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(portmap_helper_t)
|
||||||
|
libs_use_shared_libs(portmap_helper_t)
|
||||||
|
|
||||||
|
sysnet_read_config(portmap_helper_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_all_user_fd(portmap_helper_t)
|
||||||
|
|
||||||
|
optional_policy(`mount.te',`
|
||||||
|
mount_send_nfs_client_request(portmap_helper_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(portmap_helper_t)
|
||||||
|
')
|
|
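Review bot: The `ifdef(`TODO',` block carries a set of legacy rules (`can_udp_send`, direct `allow` rules on `rpcd_t`, `lpd_t` and `kernel_t`) that are never compiled, and the kernel_t UDP exchange they describe does not appear elsewhere in this hunk as an interface call; either convert them into `optional_policy` blocks with the matching `*_udp_sendto` interfaces, as was done for inetd, nis and mount just above, or drop them, since unbuilt rules naming types that are never required tend to outlive the TODO. Separately, `portmap_helper_t` receives `corenet_tcp_bind_reserved_port`, `corenet_udp_bind_reserved_port` and the `corenet_*_bind_all_nodes` pair with no explanation, even though portmap.fc labels only the client tools `pmap_dump` and `pmap_set` with `portmap_helper_exec_t`; if they only need a privileged source port for RPC calls, a why-comment such as `# pmap_set/pmap_dump issue RPC calls from a reserved source port` should record that, and if the binds are not exercised they should go. The comment `# portmap binds to arbitary ports` also has a typo (`arbitrary`).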
@ -55,6 +55,10 @@ optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(tcpd_t)
|
nis_use_ypbind(tcpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rshd.te',`
|
optional_policy(`portmap.te',`
|
||||||
rshd_domtrans(rshd_t)
|
portmap_udp_sendto(tcpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`rshd.te',`
|
||||||
|
rshd_domtrans(tcpd_t)
|
||||||
')
|
')
|
||||||
|
|
|
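Review bot: Alongside the portmap block, this hunk changes `rshd_domtrans(rshd_t)` on the old side to `rshd_domtrans(tcpd_t)` on the new side, a correction of the tcpd domain transition argument that is unrelated to adding portmap and is not mentioned in the commit title or in the Changelog hunk. Recording it in the commit message, or under the existing `- Fix errors uncovered by sediff.` Changelog entry if that is where it came from, would help anyone later bisecting a change in tcpd's rsh transition. The `portmap_udp_sendto(tcpd_t)` addition itself mirrors the init.te hunk and needs nothing further.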
@ -297,6 +297,24 @@ interface(`init_dontaudit_use_fd',`
|
||||||
dontaudit $1 init_t:fd use;
|
dontaudit $1 init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send UDP network traffic to init.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_udp_sendto',`
|
||||||
|
gen_require(`
|
||||||
|
type init_t;
|
||||||
|
class udp_socket { sendto recvfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 init_t:udp_socket sendto;
|
||||||
|
allow init_t $1:udp_socket recvfrom;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_domtrans_script(domain)
|
# init_domtrans_script(domain)
|
||||||
|
|
|
@ -143,6 +143,10 @@ optional_policy(`authlogin.te',`
|
||||||
auth_rw_login_records(init_t)
|
auth_rw_login_records(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`portmap.te',`
|
||||||
|
portmap_udp_sendto(init_t)
|
||||||
|
')
|
||||||
|
|
||||||
# Run the shell in the sysadm_t domain for single-user mode.
|
# Run the shell in the sysadm_t domain for single-user mode.
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdom_shell_domtrans_sysadm(init_t)
|
userdom_shell_domtrans_sysadm(init_t)
|
||||||
|
|
|
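Review bot: The new `optional_policy(`portmap.te',` block lets `init_t` send UDP to `portmap_t` (and portmap receive from it) without a comment saying why init itself, rather than an init-script domain, exchanges datagrams with the port mapper; portmap.te already adds the opposite direction with `init_udp_sendto(portmap_t)` and `init_udp_sendto_script(portmap_t)`. A one-line why-comment above the block — presumably the denial that prompted it, e.g. `# init_t answers RPC datagrams that portmap sends to it` if that is the case — would document the intent and stop the rule from being widened later without review. If the observed traffic was actually on the script side, the script-domain counterpart may be the intended recipient; confirm against the original denial.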
@ -1872,6 +1872,24 @@ interface(`userdom_use_all_user_fd',`
|
||||||
allow $1 userdomain:fd use;
|
allow $1 userdomain:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to inherit the file
|
||||||
|
## descriptors from any user domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_dontaudit_use_all_user_fd',`
|
||||||
|
gen_require(`
|
||||||
|
attribute userdomain;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 userdomain:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send general signals to all user domains.
|
## Send general signals to all user domains.
|
||||||
|
|
|
@ -190,6 +190,10 @@ ifdef(`targeted_policy',`
|
||||||
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`portmap.te',`
|
||||||
|
portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`quota.te',`
|
optional_policy(`quota.te',`
|
||||||
quota_run(sysadm_t,sysadm_r,admin_terminal)
|
quota_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|