1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
455 lines
12 KiB
Plaintext
455 lines
12 KiB
Plaintext
|
|
policy_module(dcc,1.2.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type cdcc_t;
|
|
type cdcc_exec_t;
|
|
domain_type(cdcc_t)
|
|
domain_entry_file(cdcc_t,cdcc_exec_t)
|
|
role system_r types cdcc_t;
|
|
|
|
type cdcc_tmp_t;
|
|
files_tmp_file(cdcc_tmp_t)
|
|
|
|
type dcc_client_t;
|
|
type dcc_client_exec_t;
|
|
domain_type(dcc_client_t)
|
|
domain_entry_file(dcc_client_t,dcc_client_exec_t)
|
|
role system_r types dcc_client_t;
|
|
|
|
type dcc_client_map_t;
|
|
files_type(dcc_client_map_t)
|
|
|
|
type dcc_client_tmp_t;
|
|
files_tmp_file(dcc_client_tmp_t)
|
|
|
|
type dcc_dbclean_t;
|
|
type dcc_dbclean_exec_t;
|
|
domain_type(dcc_dbclean_t)
|
|
domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
|
|
role system_r types dcc_dbclean_t;
|
|
|
|
type dcc_dbclean_tmp_t;
|
|
files_tmp_file(dcc_dbclean_tmp_t)
|
|
|
|
type dcc_var_t;
|
|
files_type(dcc_var_t)
|
|
|
|
type dcc_var_run_t;
|
|
files_type(dcc_var_run_t)
|
|
|
|
type dccd_t;
|
|
type dccd_exec_t;
|
|
init_daemon_domain(dccd_t,dccd_exec_t)
|
|
|
|
type dccd_tmp_t;
|
|
files_tmp_file(dccd_tmp_t)
|
|
|
|
type dccd_var_run_t;
|
|
files_pid_file(dccd_var_run_t)
|
|
|
|
type dccifd_t;
|
|
type dccifd_exec_t;
|
|
init_daemon_domain(dccifd_t,dccifd_exec_t)
|
|
|
|
type dccifd_tmp_t;
|
|
files_tmp_file(dccifd_tmp_t)
|
|
|
|
type dccifd_var_run_t;
|
|
files_pid_file(dccifd_var_run_t)
|
|
|
|
type dccm_t;
|
|
type dccm_exec_t;
|
|
init_daemon_domain(dccm_t,dccm_exec_t)
|
|
|
|
type dccm_tmp_t;
|
|
files_tmp_file(dccm_tmp_t)
|
|
|
|
type dccm_var_run_t;
|
|
files_pid_file(dccm_var_run_t)
|
|
|
|
# NOTE: DCC has writeable files in /etc/dcc that should probably be in
|
|
# /var/lib/dcc. For now this policy supports both directories being
|
|
# writable.
|
|
|
|
# cjp: dccifd and dccm should be merged, as
|
|
# they have the same rules.
|
|
|
|
########################################
|
|
#
|
|
# dcc daemon controller local policy
|
|
#
|
|
|
|
allow cdcc_t self:capability setuid;
|
|
allow cdcc_t self:unix_dgram_socket create_socket_perms;
|
|
allow cdcc_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
|
|
manage_files_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
|
|
files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
|
|
|
|
allow cdcc_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow cdcc_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
|
|
read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(cdcc_t)
|
|
corenet_all_recvfrom_netlabel(cdcc_t)
|
|
corenet_udp_sendrecv_generic_if(cdcc_t)
|
|
corenet_udp_sendrecv_all_nodes(cdcc_t)
|
|
corenet_udp_sendrecv_all_ports(cdcc_t)
|
|
|
|
files_read_etc_files(cdcc_t)
|
|
files_read_etc_runtime_files(cdcc_t)
|
|
|
|
libs_use_ld_so(cdcc_t)
|
|
libs_use_shared_libs(cdcc_t)
|
|
|
|
logging_send_syslog_msg(cdcc_t)
|
|
|
|
miscfiles_read_localization(cdcc_t)
|
|
|
|
sysnet_read_config(cdcc_t)
|
|
sysnet_dns_name_resolve(cdcc_t)
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(cdcc_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# dcc procmail interface local policy
|
|
#
|
|
|
|
allow dcc_client_t self:capability setuid;
|
|
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
|
|
allow dcc_client_t self:udp_socket create_socket_perms;
|
|
|
|
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
|
|
manage_files_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
|
|
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow dcc_client_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
|
|
read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dcc_client_t)
|
|
corenet_all_recvfrom_netlabel(dcc_client_t)
|
|
corenet_udp_sendrecv_generic_if(dcc_client_t)
|
|
corenet_udp_sendrecv_all_nodes(dcc_client_t)
|
|
corenet_udp_sendrecv_all_ports(dcc_client_t)
|
|
|
|
files_read_etc_files(dcc_client_t)
|
|
files_read_etc_runtime_files(dcc_client_t)
|
|
|
|
libs_use_ld_so(dcc_client_t)
|
|
libs_use_shared_libs(dcc_client_t)
|
|
|
|
logging_send_syslog_msg(dcc_client_t)
|
|
|
|
miscfiles_read_localization(dcc_client_t)
|
|
|
|
sysnet_read_config(dcc_client_t)
|
|
sysnet_dns_name_resolve(dcc_client_t)
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(dcc_client_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Database cleanup tool local policy
|
|
#
|
|
|
|
allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
|
|
allow dcc_dbclean_t self:udp_socket create_socket_perms;
|
|
|
|
allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
|
|
manage_files_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
|
|
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
|
|
manage_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
|
|
manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
|
|
|
|
kernel_read_system_state(dcc_dbclean_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
|
|
corenet_all_recvfrom_netlabel(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
|
|
|
|
files_read_etc_files(dcc_dbclean_t)
|
|
files_read_etc_runtime_files(dcc_dbclean_t)
|
|
|
|
libs_use_ld_so(dcc_dbclean_t)
|
|
libs_use_shared_libs(dcc_dbclean_t)
|
|
|
|
logging_send_syslog_msg(dcc_dbclean_t)
|
|
|
|
miscfiles_read_localization(dcc_dbclean_t)
|
|
|
|
sysnet_read_config(dcc_dbclean_t)
|
|
sysnet_dns_name_resolve(dcc_dbclean_t)
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(dcc_dbclean_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Server daemon local policy
|
|
#
|
|
|
|
allow dccd_t self:capability net_admin;
|
|
dontaudit dccd_t self:capability sys_tty_config;
|
|
allow dccd_t self:process signal_perms;
|
|
allow dccd_t self:unix_stream_socket create_socket_perms;
|
|
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
|
allow dccd_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccd_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow dccd_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
|
|
read_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
|
|
|
|
# Runs the dbclean program
|
|
domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
|
|
corecmd_search_bin(dccd_t)
|
|
|
|
# Updating dcc_db, flod, ...
|
|
manage_dirs_pattern(dccd_t,dcc_var_t,dcc_var_t)
|
|
manage_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
|
|
manage_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
|
|
manage_files_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
|
|
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(dccd_t,dccd_var_run_t,dccd_var_run_t)
|
|
files_pid_filetrans(dccd_t,dccd_var_run_t,file)
|
|
|
|
kernel_read_system_state(dccd_t)
|
|
kernel_read_kernel_sysctls(dccd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccd_t)
|
|
corenet_all_recvfrom_netlabel(dccd_t)
|
|
corenet_udp_sendrecv_generic_if(dccd_t)
|
|
corenet_udp_sendrecv_all_nodes(dccd_t)
|
|
corenet_udp_sendrecv_all_ports(dccd_t)
|
|
corenet_udp_bind_all_nodes(dccd_t)
|
|
corenet_udp_bind_dcc_port(dccd_t)
|
|
corenet_sendrecv_dcc_server_packets(dccd_t)
|
|
|
|
dev_read_sysfs(dccd_t)
|
|
|
|
domain_use_interactive_fds(dccd_t)
|
|
|
|
files_read_etc_files(dccd_t)
|
|
files_read_etc_runtime_files(dccd_t)
|
|
|
|
fs_getattr_all_fs(dccd_t)
|
|
fs_search_auto_mountpoints(dccd_t)
|
|
|
|
libs_use_ld_so(dccd_t)
|
|
libs_use_shared_libs(dccd_t)
|
|
|
|
logging_send_syslog_msg(dccd_t)
|
|
|
|
miscfiles_read_localization(dccd_t)
|
|
|
|
sysnet_read_config(dccd_t)
|
|
sysnet_dns_name_resolve(dccd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(dccd_t)
|
|
term_dontaudit_use_generic_ptys(dccd_t)
|
|
files_dontaudit_read_root_files(dccd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(dccd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Spamassassin and general MTA persistent client local policy
|
|
#
|
|
|
|
dontaudit dccifd_t self:capability sys_tty_config;
|
|
allow dccifd_t self:process signal_perms;
|
|
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow dccifd_t self:unix_dgram_socket create_socket_perms;
|
|
allow dccifd_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccifd_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Updating dcc_db, flod, ...
|
|
manage_dirs_pattern(dccifd_t,dcc_var_t,dcc_var_t)
|
|
manage_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
|
|
manage_lnk_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
|
|
manage_fifo_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
|
|
manage_sock_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
|
|
manage_files_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
|
|
files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
|
|
manage_sock_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
|
|
filetrans_pattern(dccifd_t,dcc_var_t,dccifd_var_run_t,{ file sock_file })
|
|
files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
|
|
|
|
kernel_read_system_state(dccifd_t)
|
|
kernel_read_kernel_sysctls(dccifd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccifd_t)
|
|
corenet_all_recvfrom_netlabel(dccifd_t)
|
|
corenet_udp_sendrecv_generic_if(dccifd_t)
|
|
corenet_udp_sendrecv_all_nodes(dccifd_t)
|
|
corenet_udp_sendrecv_all_ports(dccifd_t)
|
|
|
|
dev_read_sysfs(dccifd_t)
|
|
|
|
domain_use_interactive_fds(dccifd_t)
|
|
|
|
files_read_etc_files(dccifd_t)
|
|
files_read_etc_runtime_files(dccifd_t)
|
|
|
|
fs_getattr_all_fs(dccifd_t)
|
|
fs_search_auto_mountpoints(dccifd_t)
|
|
|
|
libs_use_ld_so(dccifd_t)
|
|
libs_use_shared_libs(dccifd_t)
|
|
|
|
logging_send_syslog_msg(dccifd_t)
|
|
|
|
miscfiles_read_localization(dccifd_t)
|
|
|
|
sysnet_read_config(dccifd_t)
|
|
sysnet_dns_name_resolve(dccifd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(dccifd_t)
|
|
term_dontaudit_use_generic_ptys(dccifd_t)
|
|
files_dontaudit_read_root_files(dccifd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(dccifd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccifd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccifd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# sendmail milter client local policy
|
|
#
|
|
|
|
dontaudit dccm_t self:capability sys_tty_config;
|
|
allow dccm_t self:process signal_perms;
|
|
allow dccm_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow dccm_t self:unix_dgram_socket create_socket_perms;
|
|
allow dccm_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccm_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dccm_t,dcc_var_t,dcc_var_t)
|
|
manage_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
|
|
manage_lnk_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
|
|
manage_fifo_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
|
|
manage_sock_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
|
|
manage_files_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
|
|
files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
|
|
manage_sock_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
|
|
filetrans_pattern(dccm_t,dcc_var_run_t,dccm_var_run_t,{ file sock_file })
|
|
files_pid_filetrans(dccm_t,dccm_var_run_t,file)
|
|
|
|
kernel_read_system_state(dccm_t)
|
|
kernel_read_kernel_sysctls(dccm_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccm_t)
|
|
corenet_all_recvfrom_netlabel(dccm_t)
|
|
corenet_udp_sendrecv_generic_if(dccm_t)
|
|
corenet_udp_sendrecv_all_nodes(dccm_t)
|
|
corenet_udp_sendrecv_all_ports(dccm_t)
|
|
|
|
dev_read_sysfs(dccm_t)
|
|
|
|
domain_use_interactive_fds(dccm_t)
|
|
|
|
files_read_etc_files(dccm_t)
|
|
files_read_etc_runtime_files(dccm_t)
|
|
|
|
fs_getattr_all_fs(dccm_t)
|
|
fs_search_auto_mountpoints(dccm_t)
|
|
|
|
libs_use_ld_so(dccm_t)
|
|
libs_use_shared_libs(dccm_t)
|
|
|
|
logging_send_syslog_msg(dccm_t)
|
|
|
|
miscfiles_read_localization(dccm_t)
|
|
|
|
sysnet_read_config(dccm_t)
|
|
sysnet_dns_name_resolve(dccm_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(dccm_t)
|
|
term_dontaudit_use_generic_ptys(dccm_t)
|
|
files_dontaudit_read_root_files(dccm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(dccm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccm_t)
|
|
')
|