[selinux-policy: 635/3172] add portmap
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:59:32 UTC 2010
commit eb3cb6820a19c83b3a95ab3eb6d1ffffee1a0970
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 8 17:12:38 2005 +0000
add portmap
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/inetd.if | 22 +++-
refpolicy/policy/modules/services/inetd.te | 1 +
refpolicy/policy/modules/services/portmap.fc | 10 ++
refpolicy/policy/modules/services/portmap.if | 79 ++++++++++
refpolicy/policy/modules/services/portmap.te | 193 +++++++++++++++++++++++++
refpolicy/policy/modules/services/tcpd.te | 6 +-
refpolicy/policy/modules/system/init.if | 18 +++
refpolicy/policy/modules/system/init.te | 4 +
refpolicy/policy/modules/system/userdomain.if | 18 +++
refpolicy/policy/modules/system/userdomain.te | 4 +
11 files changed, 352 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1918e94..b916a8b 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,6 @@
- Added policies:
ktalk
+ portmap
* Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
- Fix errors uncovered by sediff.
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 0dd31e5..4a85162 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -144,9 +144,7 @@ interface(`inetd_tcp_connect',`
allow $1 inetd_t:tcp_socket { connectto recvfrom };
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
-
- #allow inetd_t kernel_t:tcp_socket recvfrom;
- #allow $1 kernel_t:tcp_socket recvfrom;
+ kernel_tcp_recvfrom($1)
')
########################################
@@ -173,3 +171,21 @@ interface(`inetd_domtrans_child',`
allow inetd_child_t $1:fifo_file rw_file_perms;
allow inetd_child_t $1:process sigchld;
')
+
+########################################
+## <summary>
+## Send UDP network traffic to inetd.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`inetd_udp_sendto',`
+ gen_require(`
+ type inetd_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 inetd_t:udp_socket sendto;
+ allow inetd_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 924a480..7674b7d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -55,6 +55,7 @@ files_create_pid(inetd_t,inetd_var_run_t)
kernel_read_kernel_sysctl(inetd_t)
kernel_list_proc(inetd_t)
kernel_read_proc_symlinks(inetd_t)
+kernel_tcp_recvfrom(inetd_t)
# networking:
corenet_tcp_sendrecv_all_if(inetd_t)
diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc
new file mode 100644
index 0000000..6975de0
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.fc
@@ -0,0 +1,10 @@
+
+/sbin/portmap -- context_template(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
new file mode 100644
index 0000000..943221c
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -0,0 +1,79 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+## Execute portmap_helper in the helper domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
+
+ allow $1 portmap_helper_t:fd use;
+ allow portmap_helper_t $1:fd use;
+ allow portmap_helper_t $1:fifo_file rw_file_perms;
+ allow portmap_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute portmap helper in the helper domain, and
+## allow the specified role the helper domain.
+## Communicate with portmap.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="role">
+## The role to be allowed the portmap domain.
+## </param>
+## <param name="terminal">
+## The type of the terminal allow the portmap domain to use.
+## </param>
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ type portmap_helper_t;
+ class chr_file { getattr read write ioctl };
+ ')
+
+ portmap_domtrans_helper($1)
+ role $2 types portmap_helper_t;
+ allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+
+ # send to portmap
+ allow $1 portmap_t:udp_socket sendto;
+ allow portmap_t $1:udp_socket recvfrom;
+
+ # receive from portmap
+ allow portmap_t $1:udp_socket sendto;
+ allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to portmap.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`portmap_udp_sendto',`
+ gen_require(`
+ type portmap_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 portmap_t:udp_socket sendto;
+ allow portmap_t $1:udp_socket recvfrom;
+')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
new file mode 100644
index 0000000..5cc17e6
--- /dev/null
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -0,0 +1,193 @@
+
+policy_module(portmap,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t,portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t,portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+allow portmap_t portmap_tmp_t:dir create_dir_perms;
+allow portmap_t portmap_tmp_t:file create_file_perms;
+files_create_tmp_files(portmap_t, portmap_tmp_t, { file dir })
+
+allow portmap_t portmap_var_run_t:file create_file_perms;
+files_create_pid(portmap_t,portmap_var_run_t)
+
+kernel_read_kernel_sysctl(portmap_t)
+kernel_list_proc(portmap_t)
+kernel_read_proc_symlinks(portmap_t)
+
+corenet_tcp_sendrecv_all_if(portmap_t)
+corenet_udp_sendrecv_all_if(portmap_t)
+corenet_raw_sendrecv_all_if(portmap_t)
+corenet_tcp_sendrecv_all_nodes(portmap_t)
+corenet_udp_sendrecv_all_nodes(portmap_t)
+corenet_raw_sendrecv_all_nodes(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_all_nodes(portmap_t)
+corenet_udp_bind_all_nodes(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+term_dontaudit_use_console(portmap_t)
+
+domain_use_wide_inherit_fd(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+init_use_fd(portmap_t)
+init_use_script_pty(portmap_t)
+init_udp_sendto(portmap_t)
+init_udp_sendto_script(portmap_t)
+
+libs_use_ld_so(portmap_t)
+libs_use_shared_libs(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fd(portmap_t)
+userdom_dontaudit_search_sysadm_home_dir(portmap_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(portmap_t)
+ term_dontaudit_use_generic_pty(portmap_t)
+ files_dontaudit_read_root_file(portmap_t)
+')
+
+optional_policy(`inetd.te',`
+ inetd_udp_sendto(portmap_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(portmap_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(portmap_t)
+ nis_udp_sendto_ypbind(portmap_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(portmap_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(portmap_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(portmap_t)
+')
+
+ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
+allow portmap_t rpcd_t:udp_socket sendto;
+allow rpcd_t portmap_t:udp_socket recvfrom;
+
+ifdef(`lpd.te',`can_udp_send(portmap_t, lpd_t)')
+allow portmap_t lpd_t:udp_socket sendto;
+allow lpd_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(portmap_t, kernel_t)
+allow portmap_t kernel_t:udp_socket sendto;
+allow kernel_t portmap_t:udp_socket recvfrom;
+
+can_udp_send(kernel_t, portmap_t)
+allow kernel_t portmap_t:udp_socket sendto;
+allow portmap_t kernel_t:udp_socket recvfrom;
+
+') dnl end TODO
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+corenet_tcp_sendrecv_all_if(portmap_helper_t)
+corenet_udp_sendrecv_all_if(portmap_helper_t)
+corenet_raw_sendrecv_all_if(portmap_helper_t)
+corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
+corenet_udp_sendrecv_all_nodes(portmap_helper_t)
+corenet_raw_sendrecv_all_nodes(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_all_nodes(portmap_helper_t)
+corenet_udp_bind_all_nodes(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_script_pid(portmap_helper_t)
+
+libs_use_ld_so(portmap_helper_t)
+libs_use_shared_libs(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(portmap_helper_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(portmap_helper_t)
+')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 882f433..93123ad 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -55,6 +55,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(tcpd_t)
')
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(tcpd_t)
+')
+
optional_policy(`rshd.te',`
- rshd_domtrans(rshd_t)
+ rshd_domtrans(tcpd_t)
')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index e11f7f1..dd087c7 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -298,6 +298,24 @@ interface(`init_dontaudit_use_fd',`
')
########################################
+## <summary>
+## Send UDP network traffic to init.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`init_udp_sendto',`
+ gen_require(`
+ type init_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow $1 init_t:udp_socket sendto;
+ allow init_t $1:udp_socket recvfrom;
+')
+
+########################################
#
# init_domtrans_script(domain)
#
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 18a32f2..31547a4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -143,6 +143,10 @@ optional_policy(`authlogin.te',`
auth_rw_login_records(init_t)
')
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(init_t)
+')
+
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
userdom_shell_domtrans_sysadm(init_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9996324..3fa926c 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1874,6 +1874,24 @@ interface(`userdom_use_all_user_fd',`
########################################
## <summary>
+## Do not audit attempts to inherit the file
+## descriptors from any user domains.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_use_all_user_fd',`
+ gen_require(`
+ attribute userdomain;
+ class fd use;
+ ')
+
+ dontaudit $1 userdomain:fd use;
+')
+
+########################################
+## <summary>
## Send general signals to all user domains.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index bd6303f..1719c11 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -190,6 +190,10 @@ ifdef(`targeted_policy',`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`portmap.te',`
+ portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`quota.te',`
quota_run(sysadm_t,sysadm_r,admin_terminal)
')
More information about the scm-commits
mailing list