[selinux-policy: 635/3172] add portmap

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:59:32 UTC 2010


commit eb3cb6820a19c83b3a95ab3eb6d1ffffee1a0970
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 8 17:12:38 2005 +0000

    add portmap

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/services/inetd.if    |   22 +++-
 refpolicy/policy/modules/services/inetd.te    |    1 +
 refpolicy/policy/modules/services/portmap.fc  |   10 ++
 refpolicy/policy/modules/services/portmap.if  |   79 ++++++++++
 refpolicy/policy/modules/services/portmap.te  |  193 +++++++++++++++++++++++++
 refpolicy/policy/modules/services/tcpd.te     |    6 +-
 refpolicy/policy/modules/system/init.if       |   18 +++
 refpolicy/policy/modules/system/init.te       |    4 +
 refpolicy/policy/modules/system/userdomain.if |   18 +++
 refpolicy/policy/modules/system/userdomain.te |    4 +
 11 files changed, 352 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1918e94..b916a8b 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,6 @@
 - Added policies:
 	ktalk
+	portmap
 
 * Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
 - Fix errors uncovered by sediff.
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 0dd31e5..4a85162 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -144,9 +144,7 @@ interface(`inetd_tcp_connect',`
 
 	allow $1 inetd_t:tcp_socket { connectto recvfrom };
 	allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
-
-	#allow inetd_t kernel_t:tcp_socket recvfrom;
-	#allow $1 kernel_t:tcp_socket recvfrom;
+	kernel_tcp_recvfrom($1)
 ')
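Review bot: inetd_tcp_connect now hands the caller kernel_tcp_recvfrom($1) on top of the inetd_t peer rules, but nothing in the hunk documents that extra grant; a domain asking only to connect to inetd silently also gets permission to receive TCP traffic from kernel_t. I would add a line to the interface's description, which sits above this hunk and is not visible here, such as `##	Also allows the domain to receive TCP traffic from the kernel domain, as inetd connections are relayed through it.` so callers can see what they are being given. The enclosing interface starts outside this hunk.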
 
 ########################################
@@ -173,3 +171,21 @@ interface(`inetd_domtrans_child',`
 	allow inetd_child_t $1:fifo_file rw_file_perms;
 	allow inetd_child_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Send UDP network traffic to inetd.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`inetd_udp_sendto',`
+	gen_require(`
+		type inetd_t;
+		class udp_socket { sendto recvfrom };
+	')
+
+	allow $1 inetd_t:udp_socket sendto;
+	allow inetd_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 924a480..7674b7d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -55,6 +55,7 @@ files_create_pid(inetd_t,inetd_var_run_t)
 kernel_read_kernel_sysctl(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
+kernel_tcp_recvfrom(inetd_t)
 
 # networking:
 corenet_tcp_sendrecv_all_if(inetd_t)
diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc
new file mode 100644
index 0000000..6975de0
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.fc
@@ -0,0 +1,10 @@
+
+/sbin/portmap		--	context_template(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump		--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set		--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump	--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set	--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
new file mode 100644
index 0000000..943221c
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -0,0 +1,79 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+##	Execute portmap_helper in the helper domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+	gen_require(`
+		type portmap_helper_t, portmap_helper_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
+
+	allow $1 portmap_helper_t:fd use;
+	allow portmap_helper_t $1:fd use;
+	allow portmap_helper_t $1:fifo_file rw_file_perms;
+	allow portmap_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute portmap helper in the helper domain, and
+##	allow the specified role the helper domain.
+##	Communicate with portmap.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="role">
+##	The role to be allowed the portmap domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the portmap domain to use.
+## </param>
+#
+interface(`portmap_run_helper',`
+	gen_require(`
+		type portmap_helper_t;
+		class chr_file { getattr read write ioctl };
+	')
+
+	portmap_domtrans_helper($1)
+	role $2 types portmap_helper_t;
+	allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+
+	# send to portmap
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+
+	# receive from portmap
+	allow portmap_t $1:udp_socket sendto;
+	allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to portmap.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`portmap_udp_sendto',`
+	gen_require(`
+		type portmap_t;
+		class udp_socket { sendto recvfrom };
+	')
+
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
new file mode 100644
index 0000000..5cc17e6
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -0,0 +1,193 @@
+
+policy_module(portmap,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t,portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t,portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+allow portmap_t portmap_tmp_t:dir create_dir_perms;
+allow portmap_t portmap_tmp_t:file create_file_perms;
+files_create_tmp_files(portmap_t, portmap_tmp_t, { file dir })
+
+allow portmap_t portmap_var_run_t:file create_file_perms;
+files_create_pid(portmap_t,portmap_var_run_t)
+
+kernel_read_kernel_sysctl(portmap_t)
+kernel_list_proc(portmap_t)
+kernel_read_proc_symlinks(portmap_t)
+
+corenet_tcp_sendrecv_all_if(portmap_t)
+corenet_udp_sendrecv_all_if(portmap_t)
+corenet_raw_sendrecv_all_if(portmap_t)
+corenet_tcp_sendrecv_all_nodes(portmap_t)
+corenet_udp_sendrecv_all_nodes(portmap_t)
+corenet_raw_sendrecv_all_nodes(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_all_nodes(portmap_t)
+corenet_udp_bind_all_nodes(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+term_dontaudit_use_console(portmap_t)
+
+domain_use_wide_inherit_fd(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+init_use_fd(portmap_t)
+init_use_script_pty(portmap_t)
+init_udp_sendto(portmap_t)
+init_udp_sendto_script(portmap_t)
+
+libs_use_ld_so(portmap_t)
+libs_use_shared_libs(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fd(portmap_t)
+userdom_dontaudit_search_sysadm_home_dir(portmap_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(portmap_t)
+	term_dontaudit_use_generic_pty(portmap_t)
+	files_dontaudit_read_root_file(portmap_t)
+')
+
+optional_policy(`inetd.te',`
+	inetd_udp_sendto(portmap_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(portmap_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(portmap_t)
+	nis_udp_sendto_ypbind(portmap_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(portmap_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(portmap_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(portmap_t)
+')
+
+ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
+allow portmap_t rpcd_t:udp_socket sendto;
+allow rpcd_t portmap_t:udp_socket recvfrom;
+
+ifdef(`lpd.te',`can_udp_send(portmap_t, lpd_t)')
+allow portmap_t lpd_t:udp_socket sendto;
+allow lpd_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(portmap_t, kernel_t)
+allow portmap_t kernel_t:udp_socket sendto;
+allow kernel_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(kernel_t, portmap_t)
+allow kernel_t portmap_t:udp_socket sendto;
+allow portmap_t kernel_t:udp_socket recvfrom;
+
+') dnl end TODO
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+corenet_tcp_sendrecv_all_if(portmap_helper_t)
+corenet_udp_sendrecv_all_if(portmap_helper_t)
+corenet_raw_sendrecv_all_if(portmap_helper_t)
+corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
+corenet_udp_sendrecv_all_nodes(portmap_helper_t)
+corenet_raw_sendrecv_all_nodes(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_all_nodes(portmap_helper_t)
+corenet_udp_bind_all_nodes(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_script_pid(portmap_helper_t)
+
+libs_use_ld_so(portmap_helper_t)
+libs_use_shared_libs(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(portmap_helper_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(portmap_helper_t)
+')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 882f433..93123ad 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -55,6 +55,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(tcpd_t)
 ')
 
+optional_policy(`portmap.te',`
+	portmap_udp_sendto(tcpd_t)
+')
+
 optional_policy(`rshd.te',`
-	rshd_domtrans(rshd_t)
+	rshd_domtrans(tcpd_t)
 ')
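Review bot: portmap_udp_sendto(tcpd_t) allows only tcpd_t to send to portmap_t; if tcpd queries portmap and waits for an answer, as an RPC lookup would, the reply from portmap_t to tcpd_t has no rule in this commit, since portmap.if defines no receive-direction interface. Either confirm tcpd only needs one-way sends, or add a reverse interface and call it here next to the send. A short comment on why tcpd talks to portmap at all, e.g. `# tcp_wrappers RPC service lookup` if that is the reason, would help the next reader.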
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e11f7f1..dd087c7 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -298,6 +298,24 @@ interface(`init_dontaudit_use_fd',`
 ')
 
 ########################################
+## <summary>
+##	Send UDP network traffic to init.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`init_udp_sendto',`
+	gen_require(`
+		type init_t;
+		class udp_socket { sendto recvfrom };
+	')
+
+	allow $1 init_t:udp_socket sendto;
+	allow init_t $1:udp_socket recvfrom;
+')
+
+########################################
 #
 # init_domtrans_script(domain)
 #
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 18a32f2..31547a4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -143,6 +143,10 @@ optional_policy(`authlogin.te',`
 	auth_rw_login_records(init_t)
 ')
 
+optional_policy(`portmap.te',`
+	portmap_udp_sendto(init_t)
+')
+
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
 	userdom_shell_domtrans_sysadm(init_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9996324..3fa926c 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1874,6 +1874,24 @@ interface(`userdom_use_all_user_fd',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to inherit the file
+##	descriptors from any user domains.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_use_all_user_fd',`
+	gen_require(`
+		attribute userdomain;
+		class fd use;
+	')
+
+	dontaudit $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
 ##	Send general signals to all user domains.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index bd6303f..1719c11 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -190,6 +190,10 @@ ifdef(`targeted_policy',`
 		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`portmap.te',`
+		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`quota.te',`
 		quota_run(sysadm_t,sysadm_r,admin_terminal)
 	')

