[selinux-policy: 1430/3172] add nx, bug 1535
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:08:58 UTC 2010
commit 6bd449484ddc44c8ccfe94a48da2d8a8da5263b6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue May 9 15:12:17 2006 +0000
add nx, bug 1535
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/nx.fc | 5 +
refpolicy/policy/modules/services/nx.if | 22 +++
refpolicy/policy/modules/services/nx.te | 93 +++++++++++
refpolicy/policy/modules/services/ssh.if | 245 +++++++++++++++++------------
refpolicy/policy/modules/services/ssh.te | 2 +-
6 files changed, 266 insertions(+), 102 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 6225edb..c629006 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -69,6 +69,7 @@
nessus
nsd
ntop
+ nx
oav
openca
openvpn (Petre Rodan)
diff --git a/refpolicy/policy/modules/services/nx.fc b/refpolicy/policy/modules/services/nx.fc
new file mode 100644
index 0000000..3a294f3
--- /dev/null
+++ b/refpolicy/policy/modules/services/nx.fc
@@ -0,0 +1,5 @@
+/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/nx.if b/refpolicy/policy/modules/services/nx.if
new file mode 100644
index 0000000..2287f85
--- /dev/null
+++ b/refpolicy/policy/modules/services/nx.if
@@ -0,0 +1,22 @@
+## <summary>NX remote desktop</summary>
+
+########################################
+## <summary>
+## Transition to NX server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_spec_domtrans_server',`
+ gen_require(`
+ type nx_server_t, nx_server_exec_t;
+ ')
+
+ domain_trans($1,nx_server_exec_t,nx_server_t)
+ allow nx_server_t $1:fd use;
+ allow nx_server_t $1:fifo_file rw_file_perms;
+ allow nx_server_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/nx.te b/refpolicy/policy/modules/services/nx.te
new file mode 100644
index 0000000..89af374
--- /dev/null
+++ b/refpolicy/policy/modules/services/nx.te
@@ -0,0 +1,93 @@
+
+policy_module(nx,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nx_server_t;
+type nx_server_exec_t;
+domain_type(nx_server_t)
+domain_entry_file(nx_server_t,nx_server_exec_t)
+domain_user_exemption_target(nx_server_t)
+# we need an extra role because nxserver is called from sshd
+# cjp: do we really need this?
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+
+type nx_server_devpts_t;
+term_user_pty(nx_server_t,nx_server_devpts_t)
+
+type nx_server_tmp_t;
+files_tmp_file(nx_server_tmp_t)
+
+type nx_server_var_run_t;
+files_pid_file(nx_server_var_run_t)
+
+########################################
+#
+# NX server local policy
+#
+
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t self:tcp_socket create_socket_perms;
+allow nx_server_t self:udp_socket create_socket_perms;
+
+allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(nx_server_t,nx_server_devpts_t)
+
+allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
+allow nx_server_t nx_server_tmp_t:file manage_file_perms;
+files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+
+allow nx_server_t nx_server_var_run_t:file manage_file_perms;
+allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
+
+kernel_read_system_state(nx_server_t)
+kernel_read_kernel_sysctls(nx_server_t)
+
+# nxserver is a shell script --> call other programs
+corecmd_exec_shell(nx_server_t)
+corecmd_exec_bin(nx_server_t)
+
+corenet_non_ipsec_sendrecv(nx_server_t)
+corenet_tcp_sendrecv_generic_if(nx_server_t)
+corenet_udp_sendrecv_generic_if(nx_server_t)
+corenet_tcp_sendrecv_all_nodes(nx_server_t)
+corenet_udp_sendrecv_all_nodes(nx_server_t)
+corenet_tcp_sendrecv_all_ports(nx_server_t)
+corenet_udp_sendrecv_all_ports(nx_server_t)
+corenet_tcp_connect_all_ports(nx_server_t)
+
+dev_read_urand(nx_server_t)
+
+files_read_etc_files(nx_server_t)
+files_read_etc_runtime_files(nx_server_t)
+# for reading the config files; maybe a separate type,
+# but users need to be able to also read the config
+files_read_usr_files(nx_server_t)
+
+libs_use_ld_so(nx_server_t)
+libs_use_shared_libs(nx_server_t)
+
+miscfiles_read_localization(nx_server_t)
+
+seutil_dontaudit_search_config(nx_server_t)
+
+sysnet_read_config(nx_server_t)
+
+ifdef(`TODO',`
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+')
+
+########################################
+#
+# SSH component local policy
+#
+
+ssh_basic_client_template(nx_server,nx_server_t,nx_server_r)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 1f84ebc..1ea248e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -2,29 +2,27 @@
#######################################
## <summary>
-## The per user domain template for the ssh module.
+## Basic SSH client template.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
-## for ssh client sessions and user ssh agents. A derived
+## for ssh client sessions. A derived
## type is also created to protect the user ssh keys.
## </p>
## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
+## This template was added for NX.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
-## The prefix of the user domain (e.g., user
+## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
-## The type of the user domain.
+## The type of the domain.
## </summary>
## </param>
## <param name="user_role">
@@ -33,12 +31,15 @@
## </summary>
## </param>
#
-template(`ssh_per_userdomain_template',`
+template(`ssh_basic_client_template',`
+
gen_require(`
attribute ssh_server;
- type ssh_exec_t, ssh_agent_exec_t;
- type sshd_key_t, ssh_keysign_exec_t;
- type sshd_tmp_t, sshd_t;
+ type ssh_exec_t, sshd_key_t;
+
+ ifdef(`strict_policy',`
+ type sshd_tmp_t;
+ ')
')
##############################
@@ -46,70 +47,55 @@ template(`ssh_per_userdomain_template',`
# Declarations
#
- type $1_home_ssh_t;
- userdom_user_home_content($1,$1_home_ssh_t)
- role $3 types $1_ssh_t;
-
type $1_ssh_t;
domain_type($1_ssh_t)
domain_entry_file($1_ssh_t,ssh_exec_t)
+ role $3 types $1_ssh_t;
- type $1_ssh_agent_t;
- domain_type($1_ssh_agent_t)
- domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
- role $3 types $1_ssh_agent_t;
-
- type $1_ssh_keysign_t;
- domain_type($1_ssh_keysign_t)
- domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
- role $3 types $1_ssh_keysign_t;
-
- type $1_ssh_tmpfs_t;
- files_tmpfs_file($1_ssh_tmpfs_t)
+ type $1_home_ssh_t;
+ files_type($1_home_ssh_t)
##############################
#
- # $1_ssh_t local policy
+ # Client local policy
#
+
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
- allow $1_ssh_t self:fifo_file { read getattr lock ioctl write append };
- allow $1_ssh_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- allow $1_ssh_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
- allow $1_ssh_t self:unix_dgram_socket sendto;
- allow $1_ssh_t self:unix_stream_socket connectto;
- allow $1_ssh_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
- allow $1_ssh_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
- allow $1_ssh_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+ allow $1_ssh_t self:fifo_file rw_file_perms;
+ allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_ssh_t self:shm create_shm_perms;
+ allow $1_ssh_t self:sem create_sem_perms;
+ allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
- allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_ssh_t self:tcp_socket create_socket_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ # for rsync
+ allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
+ allow $1_ssh_t $2:unix_stream_socket connectto;
- # Transition from the user domain to the derived domain.
+ # Read the ssh key file.
+ allow $1_ssh_t sshd_key_t:file r_file_perms;
+
+ # Transition from the domain to the derived domain.
domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
allow $2 $1_ssh_t:fd use;
allow $1_ssh_t $2:fd use;
allow $1_ssh_t $2:fifo_file rw_file_perms;
allow $1_ssh_t $2:process sigchld;
- # Read the ssh key file.
- allow $1_ssh_t sshd_key_t:file r_file_perms;
-
- # Access the ssh temporary files.
- allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
- allow $1_ssh_t sshd_tmp_t:file create_file_perms;
- files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
+ # inheriting stream sockets is needed for "ssh host command" as no pty
+ # is allocated
+ # cjp: should probably fix target to be an attribute for ssh servers
+ # or "regular" (not special like sshd_extern_t) servers
+ allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
- # for rsync
- allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
- allow $1_ssh_t $2:unix_stream_socket connectto;
+ # allow ps to show ssh
+ allow $2 $1_ssh_t:dir { search getattr read };
+ allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
+ allow $2 $1_ssh_t:process getattr;
# user can manage the keys and config
allow $2 $1_home_ssh_t:dir rw_dir_perms;
@@ -117,14 +103,7 @@ template(`ssh_per_userdomain_template',`
allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
allow $2 $1_home_ssh_t:sock_file create_file_perms;
- # inheriting stream sockets is needed for "ssh host command" as no pty
- # is allocated
- # cjp: should probably fix target to be an attribute for ssh servers
- # or "regular" (not special like sshd_extern_t) servers
- allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
-
# ssh client can manage the keys and config
- userdom_search_user_home_dirs($1,$1_ssh_t)
allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
@@ -136,13 +115,10 @@ template(`ssh_per_userdomain_template',`
kernel_read_kernel_sysctls($1_ssh_t)
+ corenet_non_ipsec_sendrecv($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
- corenet_raw_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
- corenet_raw_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
- corenet_non_ipsec_sendrecv($1_ssh_t)
- corenet_tcp_bind_all_nodes($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
dev_read_urand($1_ssh_t)
@@ -155,10 +131,6 @@ template(`ssh_per_userdomain_template',`
corecmd_exec_bin($1_ssh_t)
corecmd_list_sbin($1_ssh_t)
corecmd_read_sbin_symlinks($1_ssh_t)
- # cjp: these are probably not needed:
- corecmd_read_sbin_files($1_ssh_t)
- corecmd_read_sbin_pipes($1_ssh_t)
- corecmd_read_sbin_sockets($1_ssh_t)
domain_use_interactive_fds($1_ssh_t)
@@ -181,9 +153,12 @@ template(`ssh_per_userdomain_template',`
sysnet_read_config($1_ssh_t)
sysnet_dns_name_resolve($1_ssh_t)
- userdom_use_unpriv_users_fds($1_ssh_t)
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_ssh_t)
+ ifdef(`strict_policy',`
+ # Access the ssh temporary files.
+ allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
+ allow $1_ssh_t sshd_tmp_t:file create_file_perms;
+ files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
+ ')
tunable_policy(`read_default_t',`
files_list_default($1_ssh_t)
@@ -193,6 +168,101 @@ template(`ssh_per_userdomain_template',`
files_read_default_pipes($1_ssh_t)
')
+ optional_policy(`
+ kerberos_use($1_ssh_t)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_ssh_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_ssh_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The per user domain template for the ssh module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for ssh client sessions and user ssh agents. A derived
+## type is also created to protect the user ssh keys.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`ssh_per_userdomain_template',`
+ gen_require(`
+ type ssh_agent_exec_t, ssh_keysign_exec_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ ssh_basic_client_template($1,$2,$3)
+
+ userdom_user_home_content($1,$1_home_ssh_t)
+
+ type $1_ssh_agent_t;
+ domain_type($1_ssh_agent_t)
+ domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
+ role $3 types $1_ssh_agent_t;
+
+ type $1_ssh_keysign_t;
+ domain_type($1_ssh_keysign_t)
+ domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
+ role $3 types $1_ssh_keysign_t;
+
+ type $1_ssh_tmpfs_t;
+ files_tmpfs_file($1_ssh_tmpfs_t)
+
+ ##############################
+ #
+ # Client local policy
+ #
+
+ allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+ allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+ fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
+ allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
+ userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
+
+ userdom_use_unpriv_users_fds($1_ssh_t)
+ userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
+ userdom_search_user_home_dirs($1,$1_ssh_t)
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_ssh_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ssh_t)
fs_manage_nfs_files($1_ssh_t)
@@ -209,43 +279,16 @@ template(`ssh_per_userdomain_template',`
')
optional_policy(`
- kerberos_use($1_ssh_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_ssh_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_ssh_t)
- ')
-
- optional_policy(`
xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
xserver_domtrans_user_xauth($1,$1_ssh_t)
')
ifdef(`TODO',`
-
- # Read /var/run, /var/log.
- allow $1_ssh_t var_run_t:dir r_dir_perms;
- allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
-
allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
- # Access the users .ssh directory.
- file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
- file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
- allow sysadm_ssh_t $1_home_ssh_t:file create_file_perms;
- allow sysadm_ssh_t $1_home_ssh_t:lnk_file { getattr read };
- dontaudit $1_ssh_t $1_home_t:dir { getattr search };
-
# for /bin/sh used to execute xauth
dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
- # allow ps to show ssh
- can_ps($1_t, $1_ssh_t)
-
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
files_search_mnt($1_ssh_t)
@@ -552,11 +595,11 @@ template(`ssh_server_template', `
')
optional_policy(`
- mount_send_nfs_client_request($1_t)
+ nscd_socket_use($1_t)
')
optional_policy(`
- nscd_socket_use($1_t)
+ nx_spec_domtrans_server($1_t)
')
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 498198b..05718bb 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.2)
+policy_module(ssh,1.3.3)
########################################
#
More information about the scm-commits
mailing list