From fb4826f424da1c6f76cc0eb8e0a9171fecc20418 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 3 Dec 2008 15:21:33 +0000 Subject: [PATCH] trunk: 3 patches from dan. --- policy/modules/services/lpd.fc | 2 + policy/modules/services/lpd.te | 15 ++----- policy/modules/services/snmp.fc | 5 +++ policy/modules/services/snmp.if | 17 ++++++-- policy/modules/services/snmp.te | 30 +++++++++++--- policy/modules/services/virt.fc | 1 + policy/modules/services/virt.if | 70 ++++++++++++++++++++++++++++++++- policy/modules/services/virt.te | 32 +++++++++------ 8 files changed, 139 insertions(+), 33 deletions(-) diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc index a6704a24..5c9eb683 100644 --- a/policy/modules/services/lpd.fc +++ b/policy/modules/services/lpd.fc @@ -3,6 +3,8 @@ # /dev/printer -s gen_context(system_u:object_r:printer_t,s0) +/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) + # # /usr # diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index a37c4fe8..eec92085 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd, 1.10.2) +policy_module(lpd, 1.10.3) ######################################## # @@ -233,7 +233,6 @@ allow lpr_t self:capability { setuid dac_override net_bind_service chown }; allow lpr_t self:unix_stream_socket create_stream_socket_perms; allow lpr_t self:tcp_socket create_socket_perms; allow lpr_t self:udp_socket create_socket_perms; -allow lpr_t self:netlink_route_socket r_netlink_socket_perms; can_exec(lpr_t, lpr_exec_t) @@ -273,9 +272,9 @@ fs_getattr_xattr_fs(lpr_t) term_use_controlling_term(lpr_t) term_use_generic_ptys(lpr_t) -miscfiles_read_localization(lpr_t) +auth_use_nsswitch(lpr_t) -sysnet_read_config(lpr_t) +miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. 
@@ -338,11 +337,3 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(lpr_t) ') - -optional_policy(` - nscd_socket_use(lpr_t) -') - -optional_policy(` - nis_use_ypbind(lpr_t) -') diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc index fbe30aa1..2bc5cb90 100644 --- a/policy/modules/services/snmp.fc +++ b/policy/modules/services/snmp.fc @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) + # # /usr # @@ -8,6 +11,8 @@ # # /var # +/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 58eb4ee6..42f5ca60 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -95,23 +95,34 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the snmp domain. +## +## ## # interface(`snmp_admin',` gen_require(` type snmpd_t, snmpd_log_t; type snmpd_var_lib_t, snmpd_var_run_t; + type snmpd_initrc_exec_t; ') allow $1 snmpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, snmpd_t) + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 snmpd_initrc_exec_t system_r; + allow $2 system_r; + logging_list_logs($1) - manage_files_pattern($1, snmpd_log_t, snmpd_log_t) + admin_pattern($1, snmpd_log_t) files_list_var_lib($1) - manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + admin_pattern($1, snmpd_var_lib_t) files_list_pids($1) - manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t) + admin_pattern($1, snmpd_var_run_t) ') 
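Review bot: `snmp_admin` now uses a second argument in `role_transition $2 snmpd_initrc_exec_t system_r;` and `allow $2 system_r;`, so a caller that still passes only the domain would expand `$2` to nothing and break the policy build; this patch shows no caller being updated. The `virt_admin` hunk in virt.if makes the same change, and its hunk does not show a role parameter being added to the interface documentation (the doc block starts outside that hunk). Replacing `manage_files_pattern` with `admin_pattern` on the log, lib and pid types also appears to grant more than file management on those types. The interface summary should say so, for example `## All of the rules required to administrate an snmp environment, including running the snmpd init script in system_r.`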
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index 242e92f5..23c8fad0 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp, 1.8.1) +policy_module(snmp, 1.8.2) ######################################## # @@ -9,6 +9,9 @@ type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) +type snmpd_initrc_exec_t; +init_script_file(snmpd_initrc_exec_t) + type snmpd_log_t; logging_log_file(snmpd_log_t) @@ -22,8 +25,9 @@ files_type(snmpd_var_lib_t) # # Local policy # -allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; +allow snmpd_t self:process { getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; @@ -45,6 +49,7 @@ files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) +kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) @@ -76,13 +81,13 @@ dev_getattr_usbfs_dirs(snmpd_t) domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) +domain_dontaudit_ptrace_all_domains(snmpd_t) +domain_exec_all_entry_files(snmpd_t) files_read_etc_files(snmpd_t) files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -files_getattr_boot_dirs(snmpd_t) -files_dontaudit_getattr_home_dir(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) 
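Review bot: The capability line in the `-22,8` hunk adds `ipc_lock` and `sys_ptrace` to snmpd_t, and the `-76,13` hunk adds `domain_exec_all_entry_files(snmpd_t)`, with no comment saying which snmpd feature needs them. snmpd answers network requests, so each grant widens what a compromised agent can reach; by its name, the exec-all interface lets snmpd_t run any domain's entry-point file, which is far broader than the usual per-program exec interfaces. `domain_dontaudit_ptrace_all_domains(snmpd_t)` additionally suppresses the denial records that would show the daemon attempting ptrace, which costs audit visibility. I would put a reason next to each rule, for example `# sys_ptrace: snmpd reads /proc entries of processes it does not own (confirm)`, and replace the exec-all rule with specific exec interfaces if the set of programs is known.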
@@ -91,6 +96,9 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) +auth_use_nsswitch(snmpd_t) +auth_read_all_dirs_except_shadow(snmpd_t) + init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -117,7 +125,7 @@ optional_policy(` ') optional_policy(` - auth_use_nsswitch(snmpd_t) + consoletype_exec(snmpd_t) ') optional_policy(` @@ -148,3 +156,15 @@ optional_policy(` optional_policy(` udev_read_db(snmpd_t) ') + +optional_policy(` + virt_stream_connect(snmpd_t) +') + +optional_policy(` + kernel_read_xen_state(snmpd_t) + kernel_write_xen_state(snmpd_t) + + xen_stream_connect(snmpd_t) + xen_stream_connect_xenstore(snmpd_t) +') diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc index b30e11b8..b6f5f5a7 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -2,6 +2,7 @@ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index d4542a80..3ed14311 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -1,5 +1,27 @@ ## Libvirt virtualization API +######################################## +## +## Make the specified type usable as a virt image +## +## +## +## Type to be used as a virtual image +## +## +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + ######################################## ## ## Execute a domain transition to run virt. 
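Review bot: The new optional block at the end of snmp.te (hunk `-148,3`) gives snmpd_t `kernel_write_xen_state` and `xen_stream_connect_xenstore`, that is, write access to Xen state and a connection to xenstore, from a daemon that answers network requests. If the agent only reports guest statistics, `kernel_read_xen_state(snmpd_t)` may be enough on the kernel side. If write access is really required, a comment such as `# snmpd's xen support opens xenstore read-write (confirm)` would record why. The `-91,6` hunk in the same file adds `auth_read_all_dirs_except_shadow(snmpd_t)` unconditionally, which is similarly broad and equally undocumented.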
@@ -18,6 +40,25 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') +####################################### +## +## Connect to virt over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_stream_connect',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + ######################################## ## ## Read virt config files. @@ -39,6 +80,27 @@ interface(`virt_read_config',` read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') +######################################## +## +## manage virt config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t; + type virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + ######################################## ## ## Read virt PID files. @@ -214,6 +276,7 @@ interface(`virt_manage_images',` manage_dirs_pattern($1, virt_image_t, virt_image_t) manage_files_pattern($1, virt_image_t, virt_image_t) read_lnk_files_pattern($1, virt_image_t, virt_image_t) + rw_blk_files_pattern($1, virt_image_t, virt_image_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) @@ -242,12 +305,17 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` - type virtd_t; + type virtd_t, virtd_initrc_exec_t; ') allow $1 virtd_t:process { ptrace signal_perms }; ps_process_pattern($1, virtd_t) + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + virt_manage_pid_files($1) virt_manage_lib_files($1) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 6aff9bd9..fa5d7a98 100644 --- a/policy/modules/services/virt.te 
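Review bot: In the `-214,6` hunk `virt_manage_images` gains `rw_blk_files_pattern($1, virt_image_t, virt_image_t)` but stays tied to the single type `virt_image_t`, while the virt.te hunks in this patch introduce the `virt_image_type` attribute and move virtd_t's file rule onto it. Types registered through the new `virt_image()` interface would therefore be manageable by virtd_t but not by callers of `virt_manage_images`. If that split is intended, a comment in the interface should say so; otherwise the patterns here should target `virt_image_type`. The block-device rule also means every caller of this interface can now read and write block nodes labelled as images, which is worth stating in the interface summary. The interface body starts outside this hunk.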
+++ b/policy/modules/services/virt.te @@ -1,5 +1,5 @@ -policy_module(virt, 1.0.1) +policy_module(virt, 1.0.2) ######################################## # @@ -20,6 +20,8 @@ gen_tunable(virt_use_nfs, false) ## gen_tunable(virt_use_samba, false) +attribute virt_image_type; + type virt_etc_t; files_config_file(virt_etc_t) @@ -27,10 +29,8 @@ type virt_etc_rw_t; files_type(virt_etc_rw_t) # virt Image files -type virt_image_t; # customizable -files_type(virt_image_t) -# virt_image_t can be assigned to blk devices -dev_node(virt_image_t) +type virt_image_t, virt_image_type; # customizable +virt_image(virt_image_t) type virt_log_t; logging_log_file(virt_log_t) @@ -45,13 +45,16 @@ type virtd_t; type virtd_exec_t; init_daemon_domain(virtd_t, virtd_exec_t) +type virtd_initrc_exec_t; +init_script_file(virtd_initrc_exec_t) + ######################################## # # virtd local policy # allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { sigkill signal execmem }; +allow virtd_t self:process { getsched sigkill signal execmem }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; @@ -64,7 +67,7 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) -manage_files_pattern(virtd_t, virt_image_t, virt_image_t) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) @@ -109,6 +112,7 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) +files_list_kernel_modules(virtd_t) fs_list_auto_mountpoints(virtd_t) 
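Review bot: In the `-27,10` hunk `virt_image_t` receives the attribute twice: once in `type virt_image_t, virt_image_type;` and again through `virt_image(virt_image_t)`, whose body in virt.if runs `typeattribute $1 virt_image_type;`. One of the two is enough; `type virt_image_t; # customizable` followed by `virt_image(virt_image_t)` declares the type the same way any other image type would. In the `-64,7` hunk virtd_t gets only `manage_files_pattern` on `virt_image_type`, although `virt_image()` also marks these types as device nodes, so block-backed images appear to depend on rules outside the visible hunks.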
@@ -159,11 +163,11 @@ optional_policy(` ') ') -#optional_policy(` -# dnsmasq_domtrans(virtd_t) -# dnsmasq_signal(virtd_t) -# dnsmasq_sigkill(virtd_t) -#') +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) +') optional_policy(` iptables_domtrans(virtd_t) @@ -192,3 +196,7 @@ optional_policy(` xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) ') + +optional_policy(` + unconfined_domain(virtd_t) +')
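Review bot: The `-192,3` hunk adds `unconfined_domain(virtd_t)` inside an optional block, so on any system that ships the unconfined module libvirtd runs effectively unconfined, and the fine-grained rules above it in virt.te stop constraining the daemon. virtd_t already holds capabilities such as `dac_override` and `sys_ptrace` (visible in the `-45,13` hunk) and is reachable over its stream socket, so this removes the containment the module exists to provide. If it is a stop-gap for missing rules, say so next to it, e.g. `# FIXME: temporary, remove once virtd_t denials are resolved`, or gate it behind a tunable that defaults to false. The `-159,11` hunk enables the dnsmasq block with `dnsmasq_kill` where the commented-out version named `dnsmasq_sigkill`; the patch does not show which of the two names the dnsmasq module defines.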