[selinux-policy: 655/3172] more merging from nsa cvs

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:01:32 UTC 2010


commit 605ba28540be34d7b0383b74b29784613470be1b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 15 15:34:31 2005 +0000

    more merging from nsa cvs

 refpolicy/policy/modules/admin/consoletype.te |   13 ++-
 refpolicy/policy/modules/admin/firstboot.te   |   12 ++-
 refpolicy/policy/modules/admin/updfstab.te    |    8 ++
 refpolicy/policy/modules/admin/usermanage.te  |    1 +
 refpolicy/policy/modules/kernel/devices.if    |    8 +-
 refpolicy/policy/modules/kernel/kernel.if     |    2 +-
 refpolicy/policy/modules/kernel/kernel.te     |   15 ++-
 refpolicy/policy/modules/services/cron.fc     |    2 -
 refpolicy/policy/modules/services/cron.if     |   20 ----
 refpolicy/policy/modules/services/cron.te     |   11 +--
 refpolicy/policy/modules/system/authlogin.te  |    9 +-
 refpolicy/policy/modules/system/domain.if     |   54 ++++++++++-
 refpolicy/policy/modules/system/domain.te     |    3 +
 refpolicy/policy/modules/system/hotplug.te    |    6 +-
 refpolicy/policy/modules/system/init.if       |   17 ++++
 refpolicy/policy/modules/system/init.te       |    3 +
 refpolicy/policy/modules/system/locallogin.if |   19 ++++-
 refpolicy/policy/modules/system/logging.if    |   18 ++++
 refpolicy/policy/modules/system/logging.te    |  128 +++++++++++++++++--------
 refpolicy/policy/modules/system/pcmcia.te     |    2 +-
 strict/domains/misc/kernel.te                 |    8 +-
 strict/domains/program/auditd.te              |   63 +++++++++++-
 strict/domains/program/cardmgr.te             |    4 +-
 strict/domains/program/checkpolicy.te         |    3 +-
 strict/domains/program/consoletype.te         |   12 +-
 strict/domains/program/crond.te               |   11 +--
 strict/domains/program/firstboot.te           |    9 ++-
 strict/domains/program/getty.te               |    1 +
 strict/domains/program/initrc.te              |   15 ++-
 strict/domains/program/samba.te               |   46 ++++++++--
 strict/domains/program/syslogd.te             |   24 +++--
 strict/domains/program/updfstab.te            |    7 ++
 strict/domains/program/useradd.te             |    4 +
 strict/domains/program/utempter.te            |    5 +-
 strict/file_contexts/program/samba.fc         |    1 +
 35 files changed, 415 insertions(+), 149 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 7dc2c5f..61f46ad 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -9,9 +9,12 @@ policy_module(consoletype, 1.0)
 type consoletype_t; #, mlsfileread, mlsfilewrite
 type consoletype_exec_t;
 init_domain(consoletype_t,consoletype_exec_t)
-init_system_domain(consoletype_t,consoletype_exec_t)
 role system_r types consoletype_t;
 
+ifdef(`targeted_policy',`',`
+	init_system_domain(consoletype_t,consoletype_exec_t)
+')
+
 ########################################
 #
 # Local declarations
@@ -54,7 +57,7 @@ userdom_use_sysadm_terms(consoletype_t)
 userdom_use_sysadm_fd(consoletype_t)
 userdom_rw_sysadm_pipe(consoletype_t)
 
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 	fs_use_tmpfs_chr_dev(consoletype_t)
 ')
 
@@ -99,8 +102,10 @@ allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 
 # this goes to xdm module
-optional_policy(`consoletype.te',`
-	consoletype_domtrans(xdm_t)
+ifdef(`targeted_policy',`
+	optional_policy(`consoletype.te',`
+		consoletype_domtrans(xdm_t)
+	')
 ')
 
 optional_policy(`lpd.te', `
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index aaf5090..8f19fa6 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -10,6 +10,7 @@ type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t,firstboot_exec_t)
 domain_obj_id_change_exempt(firstboot_t)
+domain_subj_id_change_exempt(firstboot_t)
 role system_r types firstboot_t;
 
 type firstboot_etc_t; #, usercanread;
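Review bot: The added `domain_subj_id_change_exempt(firstboot_t)` carries no comment saying why firstboot needs to change the SELinux user of a process, and together with the existing object-identity exemption it now leaves two constraint exemptions on this domain undocumented. A one-line reason above it would help, e.g. `# constraint exemption: firstboot sets up the first user session under another SELinux user (confirm)` if that is the case. Both exemptions widen what this install-time domain may do, so the reason belongs in the policy rather than only in the merge history.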
@@ -103,8 +104,10 @@ userdom_manage_user_home_files(firstboot_t)
 userdom_manage_user_home_symlinks(firstboot_t)
 userdom_manage_user_home_pipes(firstboot_t)
 userdom_manage_user_home_sockets(firstboot_t)
-usermanage_domtrans_useradd(firstboot_t)
-usermanage_domtrans_groupadd(firstboot_t)
+
+ifdef(`targeted_policy',`
+	unconfined_domtrans(firstboot_t)
+')
 
 optional_policy(`kerberos.te',`
 	kerberos_rw_config(firstboot_t)
@@ -114,6 +117,11 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(firstboot_t)
 ')
 
+optional_policy(`usermanage.te',`
+	usermanage_domtrans_useradd(firstboot_t)
+	usermanage_domtrans_groupadd(firstboot_t)
+')
+
 ifdef(`TODO',`
 allow firstboot_t proc_t:file write;
 
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index ad6ffc9..f429e86 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -116,4 +116,12 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(updfstab_t)
 ')
+ifdef(`dbusd.te',`
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
+')
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
 ')
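Review bot: The lines added inside the `ifdef(`TODO'` block use the legacy conditionals (`ifdef(`dbusd.te'`, `ifdef(`hald.te'`) and the `can_unix_connect` macro, are not indented to the block, and one of them, `allow initrc_t updfstab_t:dbus send_msg;`, writes a rule for initrc_t from the updfstab module. Because TODO blocks are not compiled this is harmless for now, but when lifted out they should become `optional_policy` blocks calling dbus and hald interfaces, with the initrc_t side living in init's module. The enclosing TODO block starts outside the hunk.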
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 8f6ed38..3d1a165 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -520,6 +520,7 @@ logging_send_syslog_msg(useradd_t)
 miscfiles_read_localization(useradd_t)
 
 seutil_read_config(useradd_t)
+seutil_read_file_contexts(useradd_t)
 
 userdom_use_unpriv_users_fd(useradd_t)
 
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 2c306ca..0f0904e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -395,12 +395,12 @@ interface(`dev_del_generic_symlinks',`
 interface(`dev_manage_generic_symlinks',`
 	gen_require(`
 		type device_t;
-		class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-		class lnk_file { create read getattr setattr link unlink rename };
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
 	')
 
-	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:lnk_file create_lnk_perms;
 ')
 
 ########################################
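Review bot: Replacing the explicit dir permission list with `rw_dir_perms` narrows what `dev_manage_generic_symlinks` grants on `device_t` directories: the old list included create, rmdir, rename, link, unlink, setattr, reparent and relabelfrom/relabelto, while `rw_dir_perms` as usually defined in refpolicy is the read set plus write/add_name/remove_name. That narrowing looks right for an interface that manages symlinks rather than the directory itself, but it is a behaviour change rather than a cosmetic one and the commit message does not mention it. A comment such as `# only entries are managed; the directory itself is not created or relabeled here` would record the intent. The lnk_file side with `create_lnk_perms` appears to match the old explicit list.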
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index e74c2d2..02d3827 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1492,7 +1492,7 @@ interface(`kernel_use_shared_libs_from',`
 	gen_require(`
 		type kernel_t;
 		class lnk_file r_file_perms;
-		class file rx_dir_perms;
+		class file rx_file_perms;
 	')
 
 	allow kernel_t $1:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 94f7780..282f5d0 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -25,7 +25,7 @@ attribute sysctl_type;
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, can_load_kernmodule;
+type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
 role system_r types kernel_t;
 domain_base_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
@@ -169,6 +169,9 @@ allow kernel_t sysctl_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
 
+# cjp: this seems questionable
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
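Review bot: `allow kernel_t unlabeled_t:fifo_file rw_file_perms;` is merged with the comment `# cjp: this seems questionable` but without the use case that triggered it; a rule that lets kernel threads read and write every unlabeled fifo should either record what needs it (fifos created before policy load from an initrd is a plausible candidate — confirm) or sit behind `ifdef(`TODO'` like the other unresolved rules in this series. The same rule is added without rationale to strict/domains/misc/kernel.te later in this commit, so whichever reason is found should be noted in both.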
@@ -176,20 +179,24 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 
-selinux_load_policy(kernel_t)
-
-term_use_console(kernel_t)
+dev_read_sysfs(kernel_t)
+dev_search_usbfs(kernel_t)
 
 # Mount root file system.  Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 
+selinux_load_policy(kernel_t)
+
+term_use_console(kernel_t)
+
 corecmd_exec_shell(kernel_t)
 corecmd_list_sbin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 corecmd_exec_bin(kernel_t)
 
 domain_signal_all_domains(kernel_t)
+domain_search_all_domains_state(kernel_t)
 
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc
index 04937cf..2d705aa 100644
--- a/refpolicy/policy/modules/services/cron.fc
+++ b/refpolicy/policy/modules/services/cron.fc
@@ -10,8 +10,6 @@
 /usr/sbin/cron(d)?		--	context_template(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcron			--	context_template(system_u:object_r:crond_exec_t,s0)
 
-/var/log/cron.*			--	context_template(system_u:object_r:crond_log_t,s0)
-
 /var/run/atd\.pid		--	context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid		--	context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot		--	context_template(system_u:object_r:crond_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 44fd2c1..b01cbfd 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -188,8 +188,6 @@ template(`cron_per_userdomain_template',`
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
 
-	allow $1_crontab_t crond_log_t:file ra_file_perms;
-
 	# for the checks used by crontab -u
 	selinux_dontaudit_search_fs($1_crontab_t)
 
@@ -386,24 +384,6 @@ interface(`cron_rw_pipe',`
 
 ########################################
 ## <summary>
-##	Read and write the cron daemon log files.
-## </summary>
-## <param name="domain">
-##	The type of the process to performing this action.
-## </param>
-#
-interface(`cron_rw_log',`
-	gen_require(`
-		type crond_log_t;
-		class file rw_file_perms;
-	')
-
-	logging_search_logs($1)
-	allow $1 crond_log_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
 ##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 998f73c..a20b616 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -19,9 +19,6 @@ init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
 domain_cron_exemption_source(crond_t)
 
-type crond_log_t;
-logging_log_file(crond_log_t)
-
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 
@@ -65,8 +62,6 @@ allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 
-allow crond_t crond_log_t:file create_file_perms;
-
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_pid(crond_t,crond_var_run_t)
 
@@ -228,10 +223,6 @@ type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
 allow system_crond_t cron_spool_t:dir r_dir_perms;
 allow system_crond_t cron_spool_t:file r_file_perms;
 
-# Access crond log files
-allow system_crond_t crond_log_t:file create_file_perms;
-logging_create_log(system_crond_t,crond_log_t)
-
 kernel_read_kernel_sysctl(system_crond_t)
 kernel_read_system_state(system_crond_t)
 kernel_read_software_raid_state(system_crond_t)
@@ -372,7 +363,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file r_file_perms;
+allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
 ')
 
 ifdef(`mta.te', `
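Review bot: The webalizer rule now names `httpd_config_t` directly inside `ifdef(`apache.te'`, so it depends on the legacy ifdef-style conditional still being honoured and bypasses the module boundary the rest of this series is moving towards (`optional_policy` plus `<module>_` interfaces). Suggest an `optional_policy(`apache.te'` block calling the apache interfaces for reading log and config files, or, if no such interfaces exist yet, a `# TODO: convert to apache interfaces` comment beside the raw allow so it is not forgotten.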
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 46dbce6..21620db 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -342,9 +342,8 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(utempter_t)
 ')
 
-optional_policy(`xdm.te', `
-	#allow utempter_t xdm_t:fd use;
-	xdm_use_fd(utempter_t)
-	#allow utempter_t xdm_t:fifo_file { write getattr };
-	xdm_write_pipe(utempter_t)
+ifdef(`TODO',`
+optional_policy(`xdm.te',`
+	can_pipe_xdm(utempter_t)
+')
 ')
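Review bot: Moving the xdm block into `ifdef(`TODO'` and swapping the working `xdm_use_fd`/`xdm_write_pipe` calls for the legacy `can_pipe_xdm` macro removes utempter_t's xdm fd and pipe access from the built policy, since TODO blocks are not compiled. If this is a deliberate revert pending a rewrite, a comment such as `# disabled until the xdm interfaces are reworked` would stop the next merge from silently reinstating or dropping it; if not, keep the two interface calls outside the TODO block.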
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 45bb6e8..7ecdbf7 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -423,13 +423,30 @@ interface(`domain_kill_all_domains',`
 	allow $1 domain:process sigkill;
 	allow $1 self:capability kill;
 ')
+########################################
+## <summary>
+##	Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+		class dir search;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir search;
+')
 
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`domain_read_all_domains_state',`
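Review bot: The new `domain_search_all_domains_state` interface is glued to the closing `')` of `domain_kill_all_domains` with no blank line before its `####` separator, unlike every other interface boundary in this file; insert a blank line after that `')`. Otherwise the interface reads correctly: `kernel_search_proc($1)` plus `domain:dir search` is the minimal set for walking /proc/pid without reading entries.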
@@ -441,6 +458,7 @@ interface(`domain_read_all_domains_state',`
 		class process { getattr ptrace };
 	')
 
+	kernel_search_proc($1)
 	allow $1 domain:dir r_dir_perms;
 	allow $1 domain:lnk_file r_file_perms;
 	allow $1 domain:file r_file_perms;
@@ -455,6 +473,38 @@ interface(`domain_read_all_domains_state',`
 
 ########################################
 ## <summary>
+##	Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_read_confined_domains_state',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+		class process { getattr ptrace };
+	')
+
+	kernel_search_proc($1)
+	allow $1 { domain -unconfined_domain }:dir r_dir_perms;
+	allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
+	allow $1 { domain -unconfined_domain }:file r_file_perms;
+	allow $1 { domain -unconfined_domain }:process getattr;
+
+	dontaudit $1 unconfined_domain:dir search;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 { domain -unconfined_domain }:process ptrace;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read the process
 ##	state (/proc/pid) of all domains.
 ## </summary>
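Review bot: The summary of `domain_read_confined_domains_state` says "Read the process state (/proc/pid) of all domains", copied from `domain_read_all_domains_state` above, and so does not state the exclusion the body implements. Suggest `##	Read the process state (/proc/pid) of all confined domains (domains not in the unconfined_domain attribute).` It would also help callers to add a sentence that searches of unconfined domains' /proc entries are dontaudited, since a tool such as fuser in cardmgr_t (switched to this interface in pcmcia.te below) will then fail on those entries without a denial in the audit log.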
@@ -767,6 +817,8 @@ interface(`domain_unconfined',`
 		class lnk_file r_file_perms;
 	')
 
+	typeattribute $1 unconfined_domain;
+
 	# pass all constraints
 	typeattribute $1 can_change_process_identity;
 	typeattribute $1 can_change_process_role;
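Review bot: `typeattribute $1 unconfined_domain;` references an attribute declared in domain.te, but the `gen_require` of `domain_unconfined` is only partly inside the hunk and the visible part declares classes only; if `attribute unconfined_domain;` is not already in that block, add it so the interface still expands when called from another module. A short why-comment would also help, e.g. `# membership in unconfined_domain excludes this domain from domain_read_confined_domains_state`.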
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index efd8a4b..a368df8 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -12,6 +12,9 @@ attribute domain;
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
 
+# Domains that are unconfined
+attribute unconfined_domain;
+
 # Domains that can set their current context
 # (perform dynamic transitions)
 attribute set_curr_context;
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 125e95a..b6c33db 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -123,10 +123,10 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
 	unconfined_domain_template(hotplug_t)
-')
 
-optional_policy(`consoletype.te',`
-	consoletype_domtrans(hotplug_t)
+	optional_policy(`consoletype.te',`
+		consoletype_domtrans(hotplug_t)
+	')
 ')
 
 optional_policy(`dbus.te',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index dd087c7..5e702c9 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -158,6 +158,23 @@ interface(`init_domtrans',`
 ')
 
 ########################################
+## <summary>
+##	Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_exec',`
+	gen_require(`
+		type init_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,init_exec_t)
+')
+
+########################################
 #
 # init_get_process_group(domain)
 #
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9941b9c..b105b6e 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -239,6 +239,7 @@ dev_write_snd_mixer_dev(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_read_lvm_control(initrc_t)
 dev_delete_lvm_control(initrc_t)
+dev_manage_generic_symlinks(initrc_t)
 # Wants to remove udev.tbl:
 dev_del_generic_symlinks(initrc_t)
 
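Review bot: `dev_manage_generic_symlinks(initrc_t)` is added directly above `dev_del_generic_symlinks(initrc_t)`, which it subsumes: the devices.if hunk in this same commit gives the manage interface `create_lnk_perms` on lnk_file, a superset of unlink. Either drop the `dev_del_generic_symlinks` call and move its `# Wants to remove udev.tbl:` comment onto the manage call, or add a comment explaining why both are kept.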
@@ -317,6 +318,7 @@ logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
+logging_read_auditd_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 
@@ -386,6 +388,7 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy',`
+	domain_subj_id_change_exempt(initrc_t)
 	unconfined_domain_template(initrc_t)
 	unconfined_shell_domtrans(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 15991ef..d370d54 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -18,7 +18,7 @@ interface(`locallogin_domtrans',`
 
 ########################################
 ## <summary>
-##	Allow processes to inherit local login file descriptors
+##	Allow processes to inherit local login file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
@@ -35,6 +35,23 @@ interface(`locallogin_use_fd',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`locallogin_dontaudit_use_fd',`
+	gen_require(`
+		type local_login_t;
+		class fd use;
+	')
+
+	dontaudit $1 local_login_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Send a null signal to local login processes.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 4c3c744..5098be3 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -85,6 +85,24 @@ interface(`logging_send_syslog_msg',`
 
 ########################################
 ## <summary>
+##	Read the auditd configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`logging_read_auditd_config',`
+	gen_require(`
+		type auditd_etc_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 auditd_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
 ##	of the contents of the log directory.
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 039d8ea..4dabd10 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -8,7 +8,15 @@ policy_module(logging,1.0)
 
 attribute logfile;
 
-type auditd_log_t;
+type auditctl_t; #, privlog;
+type auditctl_exec_t;
+init_system_domain(auditctl_t,auditctl_exec_t)
+role system_r types auditctl_t;
+
+type auditd_etc_t; #, secure_file_type;
+files_type(auditd_etc_t)
+
+type auditd_log_t; # secure_file_type;
 files_type(auditd_log_t)
 
 type auditd_t;
@@ -49,13 +57,55 @@ files_type(var_log_t)
 # Auditd local policy
 #
 
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
+allow auditctl_t etc_t:file { getattr read };
+
+allow auditctl_t auditd_etc_t:file r_file_perms;
+
+kernel_read_kernel_sysctl(auditctl_t)
+
+domain_use_wide_inherit_fd(auditctl_t)
+
+init_use_script_pty(auditctl_t)
+init_dontaudit_use_fd(auditctl_t)
+
+locallogin_dontaudit_use_fd(auditctl_t)
+
+ifdef(`TODO',`
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+') 
+')
+') dnl end TODO
+
+########################################
+#
+# Auditd local policy
+#
+
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow auditd_t self:file { getattr read write };
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+allow auditd_t auditd_etc_t:file r_file_perms;
 
-allow auditd_t var_log_t:dir rw_dir_perms;
+allow auditd_t auditd_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
+allow auditd_t var_log_t:dir search;
 
 allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
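Review bot: The auditctl rules are inserted under the existing `# Auditd local policy` header (the context line just above the hunk), and a second `# Auditd local policy` header is then added before the real auditd rules, so the file has two identical section headers and the first one is wrong; rename the first to `# Auditctl local policy`. Separately, `allow auditctl_t etc_t:file { getattr read };` names `etc_t` directly where the surrounding code uses interfaces — `files_read_etc_files(auditctl_t)`, as already used for syslogd_t later in this file, is the matching call.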
@@ -72,6 +122,8 @@ fs_search_auto_mountpoints(auditd_t)
 term_dontaudit_use_console(auditd_t)
 
 init_use_fd(auditd_t)
+init_exec(auditd_t)
+init_write_initctl(auditd_t)
 init_use_script_pty(auditd_t)
 
 domain_use_wide_inherit_fd(auditd_t)
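Review bot: `init_exec(auditd_t)` and `init_write_initctl(auditd_t)` let the audit daemon execute init and write its control fifo, a notable privilege that is added without a why-comment. Presumably this is for auditd's configured failure action of halting or rebooting when it can no longer log (confirm against the daemon's configuration handling); suggest `# auditd may invoke init, e.g. to halt the system when audit logging fails`.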
@@ -91,10 +143,8 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
 
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty(auditd_t)
-	term_dontaudit_use_generic_pty(auditd_t)
-	files_dontaudit_read_root_file(auditd_t)
+ifdef(`targeted_policy',`
+	unconfined_domain_template(auditd_t)
 ')
 
 optional_policy(`selinuxutil.te',`
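Review bot: Replacing the three targeted dontaudit calls with `unconfined_domain_template(auditd_t)` makes auditd fully unconfined in the targeted policy, a large widening relative to the narrow strict-policy rules for the same domain above. If this is meant to match how the targeted policy treats system daemons generally, say so in a comment (`# targeted: auditd runs unconfined like the other system daemons`); otherwise keep the dontaudits and add only the specific access that was missing.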
@@ -155,11 +205,12 @@ miscfiles_read_localization(klogd_t)
 # syslogd local policy
 #
 
+# sys_admin chown fsetid for syslog-ng
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
-
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
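Review bot: The `# cjp: why net_admin!` comment can be answered from this same commit: the block removed later in the file paired `allow syslogd_t self:capability net_admin;` with `allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;`, and that netlink route socket access is exactly what is moved up here, so net_admin is most likely needed for those netlink operations (confirm). Suggest replacing the question with `# net_admin: paired with the netlink_route_socket access below`. The new netlink line also consumes the blank line that separated the capability rules from the `# receive messages to be logged` group, which hurts readability.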
@@ -167,9 +218,18 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket { connected_socket_perms connect };
 
+# Create and bind to /dev/log or /var/run/log.
+allow syslogd_t devlog_t:sock_file create_file_perms;
+files_create_pid(syslogd_t,devlog_t,sock_file)
+# cjp: I belive these are not needed:
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
 allow syslogd_t var_log_t:file create_file_perms;
+# Allow access for syslog-ng
+allow syslogd_t var_log_t:dir { create setattr };
 
 # manage temporary files
 allow syslogd_t syslogd_tmp_t:file create_file_perms;
@@ -178,13 +238,6 @@ files_create_tmp_files(syslogd_t,syslogd_tmp_t)
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t,file)
 
-# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file create_file_perms;
-files_create_pid(syslogd_t,devlog_t,sock_file)
-# I belive these are not needed:
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t)
@@ -192,6 +245,10 @@ files_create_pid(syslogd_t,syslogd_var_run_t)
 kernel_read_kernel_sysctl(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 kernel_send_syslog_msg_from(devlog_t,syslogd_t)
+# Allow access to /proc/kmsg for syslog-ng
+kernel_read_messages(klogd_t)
+kernel_clear_ring_buffer(klogd_t)
+kernel_change_ring_buffer_level(klogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
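Review bot: The comment `# Allow access to /proc/kmsg for syslog-ng` does not match the three rules beneath it, which are granted to `klogd_t` yet sit in the syslogd local policy section; syslog-ng runs as syslogd_t, and the block this replaces (the `ifdef(`klogd.te', `', `` fallback removed later in this file) granted them to syslogd_t only when no klogd policy was present. Either these lines belong in the klogd section with a klogd-specific comment, or the intent was `kernel_read_messages(syslogd_t)` and friends for syslog-ng — as written the comment and the subject disagree.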
@@ -213,7 +270,9 @@ corenet_raw_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_ports(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
-corenet_udp_bind_syslogd_port(syslogd_t)
+corenet_tcp_bind_syslogd_port(syslogd_t)
+#cjp: why?
+corenet_tcp_connect_rsh_port(syslogd_t)
 
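Review bot: `corenet_udp_bind_syslogd_port(syslogd_t)` is replaced by `corenet_tcp_bind_syslogd_port(syslogd_t)` rather than supplemented, so the built policy loses the UDP bind that a syslogd receiving remote messages relies on; add the TCP line and keep the UDP one. `corenet_tcp_connect_rsh_port(syslogd_t)` is merged with `#cjp: why?` — an outbound connect from the log daemon to the rsh port should carry its reason or move into the TODO block until one is found.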
 fs_getattr_all_fs(syslogd_t)
 
@@ -223,6 +282,8 @@ init_use_script_pty(syslogd_t)
 domain_use_wide_inherit_fd(syslogd_t)
 
 files_read_etc_files(syslogd_t)
+# /initrd is not umounted before minilog starts
+files_dontaudit_search_isid_type_dir(syslogd_t)
 
 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
@@ -234,38 +295,18 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
 
-#
-# /initrd is not umounted before minilog starts
-#
-files_dontaudit_search_isid_type_dir(syslogd_t)
-#allow syslogd_t tmpfs_t:dir search;
-#dontaudit syslogd_t unlabeled_t:file read;
-#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-
-ifdef(`distro_suse', `
+ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_create_var_lib(syslogd_t,devlog_t,sock_file)
 ')
 
-ifdef(`klogd.te', `', `
-	# Allow access to /proc/kmsg for syslog-ng
-	kernel_read_messages(syslogd_t)
-	kernel_clear_ring_buffer(syslogd_t)
-	kernel_change_ring_buffer_level(syslogd_t)
-')
-
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	allow syslogd_t var_run_t:fifo_file { ioctl read write };
 	term_dontaudit_use_unallocated_tty(syslogd_t)
 	term_dontaudit_use_generic_pty(syslogd_t)
 	files_dontaudit_read_root_file(syslogd_t)
 ')
 
-optional_policy(`cron.te',`
-	cron_rw_log(syslogd_t)
-')
-
 optional_policy(`inn.te',`
 	inn_manage_log(syslogd_t)
 ')
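Review bot: `allow syslogd_t var_run_t:fifo_file { ioctl read write };` in the targeted block names `var_run_t` directly while the neighbouring lines go through `term_`/`files_` interfaces; it should use a files_ interface for pid-directory fifos or carry a `# TODO: convert to interface` comment. Removing the `ifdef(`klogd.te'` block here also removes syslogd_t's /proc/kmsg fallback for the no-klogd case, which the klogd_t lines added earlier in this file do not restore.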
@@ -283,16 +324,19 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-
 optional_policy(`rhgb.te', `
 	rhgb_domain(syslogd_t)
 ')
 
+allow syslogd_t tmpfs_t:dir search;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 59430db..387500f 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -72,7 +72,7 @@ corecmd_exec_sbin(cardmgr_t)
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
 # Read /proc/PID directories for all domains (for fuser).
-domain_read_all_domains_state(cardmgr_t)
+domain_read_confined_domains_state(cardmgr_t)
 # cjp: these look excessive:
 domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
 domain_dontaudit_getattr_all_sockets(cardmgr_t)
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
index 4b2cbbb..3901bc4 100644
--- a/strict/domains/misc/kernel.te
+++ b/strict/domains/misc/kernel.te
@@ -11,7 +11,7 @@
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
 role system_r types kernel_t;
 general_domain_access(kernel_t)
 general_proc_read_access(kernel_t)
@@ -22,8 +22,8 @@ can_exec(kernel_t, shell_exec_t)
 # Use capabilities.
 allow kernel_t self:capability *;
 
-allow kernel_t sysfs_t:dir search;
-allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+r_dir_file(kernel_t, sysfs_t)
+allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)
@@ -36,6 +36,7 @@ allow kernel_t fs_type:filesystem mount_fs_perms;
 
 # Send signal to any process.
 allow kernel_t domain:process signal;
+allow kernel_t domain:dir search;
 
 # Access the console.
 allow kernel_t device_t:dir search;
@@ -50,6 +51,7 @@ can_exec(kernel_t, chroot_exec_t)
 allow kernel_t self:capability sys_chroot;
 
 allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
 allow kernel_t file_t:dir rw_dir_perms;
 allow kernel_t file_t:blk_file create_file_perms;
 allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te
index ce6210e..84adf36 100644
--- a/strict/domains/program/auditd.te
+++ b/strict/domains/program/auditd.te
@@ -2,11 +2,66 @@
 #
 # Authors: Colin Walters <walters at verbum.org>
 #
+# Some fixes by Paul Moore <paul.moore at hp.com>
+# 
+define(`audit_manager_domain', `
+allow $1 auditd_etc_t:file rw_file_perms;
+create_dir_file($1, auditd_log_t)
+domain_auto_trans($1, auditctl_exec_t, auditctl_t)
+')
 
 daemon_domain(auditd)
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow auditd_t self:capability { audit_write audit_control };
-allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
+
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+allow auditd_t self:process setsched;
+allow auditd_t self:file { getattr read write };
 allow auditd_t etc_t:file { getattr read };
-log_domain(auditd)
+
+# Do not use logdir_domain since this is a security file
+type auditd_log_t, file_type, secure_file_type;
+allow auditd_t var_log_t:dir search;
+rw_dir_create_file(auditd_t, auditd_log_t)
+
+can_exec(auditd_t, init_exec_t)
+allow auditd_t initctl_t:fifo_file write;
+
+ifdef(`targeted_policy', `
+dontaudit auditd_t unconfined_t:fifo_file read;
+')
+
+type auditctl_t, domain, privlog;
+type auditctl_exec_t, file_type, exec_type, sysadmfile;
+uses_shlib(auditctl_t)
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t etc_t:file { getattr read };
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+
+type auditd_etc_t, file_type, secure_file_type;
+allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
+allow initrc_t auditd_etc_t:file r_file_perms;
+
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+') 
+')
+
+role system_r types auditctl_t;
+domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+
+dontaudit auditctl_t local_login_t:fd use;
+allow auditctl_t proc_t:dir search;
+allow auditctl_t sysctl_kernel_t:dir search;
+allow auditctl_t sysctl_kernel_t:file { getattr read };
+dontaudit auditctl_t init_t:fd use; 
+allow auditctl_t initrc_devpts_t:chr_file { read write };
+allow auditctl_t privfd:fd use;
+
+
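Review bot: `audit_manager_domain` grants its caller `auditd_etc_t:file rw_file_perms` and `create_dir_file($1, auditd_log_t)`, and the `ifdef(`separate_secadm'…)` block applies it to `sysadm_t` in the default build, so the ordinary administrator can create and overwrite audit log files and the audit configuration directly, which is at odds with the `secure_file_type` intent stated in the comment above `auditd_log_t`. Reading logs with ausearch/aureport needs only read access, so I'd drop the macro line to `r_dir_file($1, auditd_log_t)` and leave writing to `auditd_t` (which keeps `rw_dir_create_file` for rotation), or add a comment saying that write access for the manager domain is deliberate. Separately, `role sysadm_r types auditctl_t;` is unconditional while the `sysadm_t` to `auditctl_t` transition is gated on `separate_secadm`; the role line should sit under the same condition so the two stay consistent. `can_exec(auditd_t, init_exec_t)` plus `initctl_t:fifo_file write` presumably supports auditd's halt-on-failure action; a one-line comment would save the next reader from wondering why the audit daemon may run init.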
diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te
index c9a5e97..16a6f1f 100644
--- a/strict/domains/program/cardmgr.te
+++ b/strict/domains/program/cardmgr.te
@@ -61,7 +61,9 @@ allow ifconfig_t cardmgr_t:fd use;
 allow cardmgr_t proc_t:file { getattr read ioctl };
 
 # Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain)
+can_ps(cardmgr_t, domain -unrestricted)
+dontaudit cardmgr_t unrestricted:dir search;
+
 allow cardmgr_t device_type:{ chr_file blk_file } getattr;
 allow cardmgr_t ttyfile:chr_file getattr;
 dontaudit cardmgr_t ptyfile:chr_file getattr;
diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te
index d75b4f8..0cfa5a0 100644
--- a/strict/domains/program/checkpolicy.te
+++ b/strict/domains/program/checkpolicy.te
@@ -12,6 +12,7 @@
 type checkpolicy_t, domain;
 role sysadm_r types checkpolicy_t;
 role system_r types checkpolicy_t;
+role secadm_r types checkpolicy_t;
 
 type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
 
@@ -19,7 +20,7 @@ type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
 # 
 # Rules
 
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
 
 # able to create and modify binary policy files
 allow checkpolicy_t policy_config_t:dir rw_dir_perms;
diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te
index f3f2c28..b1cc126 100644
--- a/strict/domains/program/consoletype.te
+++ b/strict/domains/program/consoletype.te
@@ -19,28 +19,28 @@ role system_r types consoletype_t;
 uses_shlib(consoletype_t)
 general_domain_access(consoletype_t)
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
 
-allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
-allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
-
 ifdef(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
 allow consoletype_t xdm_tmp_t:file { read write };
 ')
 
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-allow consoletype_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
 ')
+')
+
+allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
 
 # Use capabilities.
 allow consoletype_t self:capability sys_admin;
 
 allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
 allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t tty_device_t:chr_file read;
 allow consoletype_t nfs_t:file write;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index c19a2d8..d92a422 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -43,8 +43,6 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
 read_locale(crond_t)
 
-log_domain(crond)
-
 # Use capabilities.
 allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
 dontaudit crond_t self:capability sys_resource;
@@ -101,9 +99,6 @@ can_setexec(crond_t)
 # Still need to study anacron.
 domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
 
-# Access log files
-file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
-
 # Inherit and use descriptors from init for anacron.
 allow system_crond_t init_t:fd use;
 
@@ -205,11 +200,11 @@ domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem { getattr };
+dontaudit system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
 ')
-dontaudit crond_t self:capability { sys_tty_config };
+dontaudit crond_t self:capability sys_tty_config;
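Review bot: The widened `allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };` gives every system cron job read access to the whole Apache configuration, not just to the logs webalizer processes, and httpd configuration can carry credentials (proxy or database passwords in included files), so this is more than a log reader needs. If webalizer really has to read httpd.conf, say so in the comment (`# webalizer also reads the httpd config to find its log files`) so the grant is not widened further later; otherwise keep the rule at `httpd_log_t` only. The `removable_t` change from `allow` to `dontaudit` is fine, but a note that the getattr is a harmless probe rather than a needed permission would explain why it is silenced instead of granted.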
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
index 37b107d..bb4d4e8 100644
--- a/strict/domains/program/firstboot.te
+++ b/strict/domains/program/firstboot.te
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
@@ -29,8 +29,10 @@ domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
 file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
 
 can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
 domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
 domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
 allow firstboot_t etc_runtime_t:file { getattr read };
 
 r_dir_file(firstboot_t, etc_t)
@@ -107,8 +109,10 @@ read_sysctl(firstboot_t)
 
 allow firstboot_t var_run_t:dir getattr;
 allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
 allow hostname_t devtty_t:chr_file { read write };
 allow hostname_t firstboot_t:fd use;
+')
 ifdef(`iptables.te', `
 allow iptables_t devtty_t:chr_file { read write };
 allow iptables_t firstboot_t:fd use;
@@ -128,4 +132,7 @@ file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
 # The big hammer
 #
 unconfined_domain(firstboot_t) 
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
 
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
index c060211..7899aec 100644
--- a/strict/domains/program/getty.te
+++ b/strict/domains/program/getty.te
@@ -42,6 +42,7 @@ allow getty_t wtmp_t:file rw_file_perms;
 # Chown, chmod, read and write ttys.
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
 
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index f6e248e..8832423 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -120,7 +120,10 @@ allow initrc_t domain:process { getattr getsession };
 
 # Mount and unmount file systems.
 allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
 
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -153,9 +156,6 @@ allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
 # Kill all processes.
 allow initrc_t domain:process signal_perms;
 
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
 # Write to /dev/urandom.
 allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
 
@@ -229,9 +229,13 @@ allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
 allow initrc_t home_type:file r_file_perms;
 
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
 # for system start scripts
 allow initrc_t pidfile:dir rw_dir_perms;
 allow initrc_t pidfile:sock_file unlink;
+
 rw_dir_create_file(initrc_t, var_lib_t)
 
 # allow start scripts to clean /tmp
@@ -252,7 +256,9 @@ type run_init_t, domain;
 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
 ', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
 ')
@@ -309,3 +315,4 @@ ifdef(`distro_gentoo', `
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+allow initrc_t device_t:lnk_file create_file_perms;
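Review bot: `allow initrc_t device_t:lnk_file create_file_perms;` lets any init script create, rename and unlink symlinks anywhere under /dev, with no comment on which script needs it. If this is for a specific link (a guess; udev-style device aliases are the usual case), name it: `# init scripts create/replace symlinks in /dev (e.g. device aliases)`, and consider whether `{ create read unlink }` would be enough instead of the full `create_file_perms` set.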
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
index 43b31ef..09f5960 100644
--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@@ -9,14 +9,13 @@
 # Declarations for Samba
 #
 
-daemon_domain(smbd, `, auth_chkpwd')
+daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
-typealias samba_var_t alias samba_spool_t;
 
 # for /var/run/samba/messages.tdb
 allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -41,14 +40,17 @@ allow system_crond_t samba_log_t:file { read getattr lock };
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
 
-type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 
 # Use capabilities.
 allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
 
 # Use the network.
-can_network_server(smbd_t)
+can_network(smbd_t)
+can_ldap(smbd_t)
+can_kerberos(smbd_t)
+can_winbind(smbd_t)
+allow smbd_t ipp_port_t:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -62,13 +64,16 @@ allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
 
 # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
 allow smbd_t var_lib_t:dir search;
-allow smbd_t samba_var_t:dir create_dir_perms;
-allow smbd_t samba_var_t:file create_file_perms;
+create_dir_file(smbd_t, samba_var_t)
+
+# Needed for shared printers
+allow smbd_t var_spool_t:dir search;
 
 # Permissions to write log files.
 allow smbd_t samba_log_t:file { create ra_file_perms };
 allow smbd_t var_log_t:dir search;
 allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
 
 allow smbd_t usr_t:file { getattr read };
 
@@ -88,7 +93,6 @@ can_exec(logrotate_t, samba_log_t)
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
 
-type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 
 # Use capabilities.
@@ -111,6 +115,7 @@ allow nmbd_t usr_t:file { getattr read };
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t etc_t:file { getattr read };
 ifdef(`cups.te', `
 allow smbd_t cupsd_rw_etc_t:file { getattr read };
 ')
@@ -136,6 +141,7 @@ allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_over
 # Access samba config
 allow smbmount_t samba_etc_t:file r_file_perms;
 allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow initrc_t samba_etc_t:file rw_file_perms;
 
 # Write samba log
 allow smbmount_t samba_log_t:file create_file_perms;
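Review bot: `allow initrc_t samba_etc_t:file rw_file_perms;` gives every init script write access to the Samba configuration, and it sits under the smbmount `# Access samba config` block where it does not belong. Nothing in the hunk says which start script needs to modify files under /etc/samba; if a script edits smb.conf or the password file on startup, say so in a comment next to the rule, otherwise `r_file_perms` is the safer default. Note that samba.fc labels `/etc/samba(/.*)?` as `samba_etc_t`, so this grant also covers any secrets file that has not yet been created as `samba_secrets_t` by `samba_net_t`.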
@@ -153,6 +159,7 @@ allow smbmount_t etc_t:file r_file_perms;
 
 # Networking
 can_network(smbmount_t)
+allow smbmount_t port_type:tcp_socket name_connect;
 can_ypbind(smbmount_t)
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
 allow smbmount_t self:unix_stream_socket create_socket_perms;
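Review bot: `allow smbmount_t port_type:tcp_socket name_connect;` lets smbmount connect to every labeled TCP port, while the new `samba_net_t` domain further down the file is correctly scoped to `allow samba_net_t smbd_port_t:tcp_socket name_connect;`. smbmount only has to reach SMB servers, so the same narrower rule should do: `allow smbmount_t smbd_port_t:tcp_socket name_connect;`. If a port smbmount needs is not part of `smbd_port_t` in this tree, add it to that type rather than opening all ports.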
@@ -180,3 +187,28 @@ access_terminal(smbmount_t, sysadm)
 allow smbmount_t userdomain:fd use;
 allow smbmount_t local_login_t:fd use;
 ')
+# Derive from app. domain. Transition from mount.
+application_domain(samba_net, `, nscd_client_domain')
+file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+read_locale(samba_net_t) 
+allow samba_net_t samba_etc_t:file r_file_perms;
+r_dir_file(samba_net_t, samba_var_t)
+can_network_udp(samba_net_t)
+access_terminal(samba_net_t, sysadm)
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+rw_dir_create_file(samba_net_t, samba_var_t)
+allow samba_net_t etc_t:file { getattr read };
+can_network_client(samba_net_t)
+allow samba_net_t smbd_port_t:tcp_socket name_connect;
+can_ldap(samba_net_t)
+can_kerberos(samba_net_t)
+allow samba_net_t urandom_device_t:chr_file r_file_perms;
+allow samba_net_t proc_t:dir search;
+allow samba_net_t proc_t:lnk_file read;
+allow samba_net_t self:dir search;
+allow samba_net_t self:file read;
+allow samba_net_t self:process signal;
+tmp_domain(samba_net)
+dontaudit samba_net_t sysadm_home_dir_t:dir search;
+allow samba_net_t privfd:fd use;
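Review bot: The header comment says `Transition from mount.`, but no `domain_auto_trans(…, samba_net_exec_t, samba_net_t)` and no `role … types samba_net_t` appear in the hunk, so it is not visible how `samba_net_t` is ever entered; unless `application_domain` supplies this elsewhere, `/usr/bin/net` will simply run in the caller's domain and the `samba_secrets_t` transition on `samba_etc_t` never takes effect. If the transition lives in another file, name it in the comment; otherwise add `domain_auto_trans(sysadm_t, samba_net_exec_t, samba_net_t)` and `role sysadm_r types samba_net_t;` next to the declaration, which the `tmp_domain` and `sysadm_home_dir_t` rules suggest is the intended interactive use. Also, `r_dir_file(samba_net_t, samba_var_t)` is subsumed by the later `rw_dir_create_file(samba_net_t, samba_var_t)` and can be dropped.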
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
index 33d1e20..8583814 100644
--- a/strict/domains/program/syslogd.te
+++ b/strict/domains/program/syslogd.te
@@ -64,8 +64,6 @@ can_unix_connect(privlog,syslogd_t)
 allow privlog devlog_t:lnk_file read;
 
 ifdef(`crond.te', `
-# Write to the cron log.
-allow syslogd_t crond_log_t:file rw_file_perms;
 # for daemon re-start
 allow system_crond_t syslogd_t:lnk_file read;
 ')
@@ -79,16 +77,10 @@ allow syslogd_t initrc_var_run_t:file { read lock };
 dontaudit syslogd_t initrc_var_run_t:file write;
 allow syslogd_t ttyfile:chr_file { getattr write };
 
-ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-')
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 
 # Allow syslog to a terminal
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
@@ -100,6 +92,18 @@ allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+')
+
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+allow syslogd_t rsh_port_t:tcp_socket name_connect;
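Review bot: `allow syslogd_t rsh_port_t:tcp_socket name_connect;` has no comment, and letting the log daemon connect to the rsh port reads as a mistake; presumably 514/tcp (syslog forwarding over TCP, as syslog-ng does) is labeled `rsh_port_t` in this tree rather than `syslogd_port_t`, and that should be spelled out: `# 514/tcp is labeled rsh_port_t; needed to forward syslog over TCP`. The block also moves the /proc/kmsg and `kernel_t:system { syslog_mod syslog_console }` rules out of the `ifdef(`klogd.te', …)` guard, so syslogd keeps kernel-log access even when klogd is installed and owns it; if that is intended, say so where the rules now sit. The new `sys_admin` capability is likely what the syslog(2) call requires, but it is the broadest capability in the policy, so a comment tying it to those rules (`# sys_admin for syslog(2) on /proc/kmsg`) would keep it from being read as a blanket grant; `chown fsetid` and `var_log_t:dir { create setattr }` are likewise unexplained.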
diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te
index 5c5c452..82edf3d 100644
--- a/strict/domains/program/updfstab.te
+++ b/strict/domains/program/updfstab.te
@@ -31,6 +31,8 @@ read_locale(updfstab_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, updfstab)
 allow updfstab_t system_dbusd_t:dbus { send_msg };
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
 ')
 
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
@@ -72,3 +74,8 @@ can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
 dontaudit updfstab_t home_root_t:dir { getattr search };
 dontaudit updfstab_t { home_dir_type home_type }:dir search;
 allow updfstab_t fs_t:filesystem { getattr };
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
+
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
index 2b1118f..779cd31 100644
--- a/strict/domains/program/useradd.te
+++ b/strict/domains/program/useradd.te
@@ -98,3 +98,7 @@ allow groupadd_t self:capability { setuid sys_resource };
 allow groupadd_t self:process setrlimit;
 allow groupadd_t initrc_var_run_t:file r_file_perms;
 dontaudit groupadd_t initrc_var_run_t:file write;
+
+allow useradd_t default_context_t:dir search;
+allow useradd_t file_context_t:dir search;
+allow useradd_t file_context_t:file { getattr read };
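Review bot: The three new rules let useradd search `default_context_t` and read `file_context_t` but carry no comment; presumably this is the file_contexts lookup used to label a newly created home directory, and that should be stated so the access is not broadened later: `# read file_contexts to label newly created home directories`. If that is the purpose, the same access is probably needed by `groupadd_t` only if it creates files, which the visible rules do not show, so leaving it on `useradd_t` alone is right.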
diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te
index eb1af02..b9e670d 100644
--- a/strict/domains/program/utempter.te
+++ b/strict/domains/program/utempter.te
@@ -38,10 +38,7 @@ allow utempter_t user_tmpfile:file { getattr write append };
 
 # Inherit and use descriptors from login.
 allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `
-allow utempter_t xdm_t:fd use;
-allow utempter_t xdm_t:fifo_file { write getattr };
-')
+ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
 
 allow utempter_t self:unix_stream_socket create_stream_socket_perms;
 
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc
index b8a9439..5ac7c2f 100644
--- a/strict/file_contexts/program/samba.fc
+++ b/strict/file_contexts/program/samba.fc
@@ -1,6 +1,7 @@
 # samba scripts
 /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
 /usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
+/usr/bin/net		--	system_u:object_r:samba_net_exec_t
 /etc/samba(/.*)?		system_u:object_r:samba_etc_t
 /var/log/samba(/.*)?		system_u:object_r:samba_log_t
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t

