[selinux-policy: 1425/3172] add portslave, bug 1538
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:08:33 UTC 2010
commit 12cd9a06bffbe01708e047e5ec7ce8ca61d91f7e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri May 5 18:51:42 2006 +0000
add portslave, bug 1538
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/portslave.fc | 4 +
refpolicy/policy/modules/services/portslave.if | 24 ++++
refpolicy/policy/modules/services/portslave.te | 142 ++++++++++++++++++++++++
refpolicy/policy/modules/services/ppp.if | 95 ++++++++++++++++
refpolicy/policy/modules/services/ppp.te | 2 +-
refpolicy/policy/modules/services/ssh.if | 19 +++
refpolicy/policy/modules/services/ssh.te | 2 +-
8 files changed, 287 insertions(+), 2 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index e361e59..935c03d 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -72,6 +72,7 @@
openca
openvpn (Petre Rodan)
perdition
+ portslave
postgrey
pxe
pyzor (Dan Walsh)
diff --git a/refpolicy/policy/modules/services/portslave.fc b/refpolicy/policy/modules/services/portslave.fc
new file mode 100644
index 0000000..2dd7786
--- /dev/null
+++ b/refpolicy/policy/modules/services/portslave.fc
@@ -0,0 +1,4 @@
+/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/portslave.if b/refpolicy/policy/modules/services/portslave.if
new file mode 100644
index 0000000..410cdb1
--- /dev/null
+++ b/refpolicy/policy/modules/services/portslave.if
@@ -0,0 +1,24 @@
+## <summary>Portslave terminal server software</summary>
+
+########################################
+## <summary>
+## Execute portslave with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portslave_domtrans',`
+ gen_require(`
+ type portslave_t, portslave_exec_t;
+ ')
+
+ domain_auto_trans($1,portslave_exec_t,portslave_t)
+
+ allow $1 portslave_t:fd use;
+ allow portslave_t $1:fd use;
+ allow portslave_t $1:fifo_file rw_file_perms;
+ allow portslave_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/portslave.te b/refpolicy/policy/modules/services/portslave.te
new file mode 100644
index 0000000..9e58c3f
--- /dev/null
+++ b/refpolicy/policy/modules/services/portslave.te
@@ -0,0 +1,142 @@
+
+policy_module(portslave,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t,portslave_exec_t)
+init_daemon_domain(portslave_t,portslave_exec_t)
+
+type portslave_etc_t;
+files_type(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# setuid setgid net_admin fsetid for pppd
+# sys_admin for ctlportslave
+# net_bind_service for rlogin
+allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process signal_perms;
+allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_file_perms;
+allow portslave_t self:unix_dgram_socket create_socket_perms;
+allow portslave_t self:unix_stream_socket create_stream_socket_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket create_stream_socket_perms;
+allow portslave_t self:udp_socket create_socket_perms;
+
+allow portslave_t portslave_etc_t:dir r_dir_perms;
+allow portslave_t portslave_etc_t:file r_file_perms;
+allow portslave_t portslave_etc_t:lnk_file { getattr read };
+
+allow portslave_t portslave_lock_t:file create_file_perms;
+files_lock_filetrans(portslave_t,portslave_lock_t,file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_non_ipsec_sendrecv(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_all_nodes(portslave_t)
+corenet_udp_sendrecv_all_nodes(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_tcp_bind_all_nodes(portslave_t)
+corenet_udp_bind_all_nodes(portslave_t)
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+# for ssh
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_files(portslave_t)
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_user_ttys(portslave_t)
+term_dontaudit_use_console(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_rw_login_records(portslave_t)
+auth_domtrans_chk_passwd(portslave_t)
+init_use_fds(portslave_t)
+init_use_script_ptys(portslave_t)
+init_rw_utmp(portslave_t)
+
+libs_use_ld_so(portslave_t)
+libs_use_shared_libs(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+sysnet_read_config(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+userdom_search_all_users_home_dirs(portslave_t)
+
+mta_send_mail(portslave_t)
+
+# this should probably be a domtrans to pppd
+# instead of exec.
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t)
+
+ssh_exec(portslave_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(portslave_t)
+ term_dontaudit_use_generic_ptys(portslave_t)
+ files_dontaudit_read_root_files(portslave_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(portslave_t,portslave_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(portslave_t)
+')
+
+optional_policy(`
+ radius_use(portslave_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+ udev_read_db(portslave_t)
+')
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index aa2bc56..afec620 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -140,3 +140,98 @@ interface(`ppp_run',`
role $2 types pppd_t;
allow pppd_t $3:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Execute domain in the ppp caller.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_exec',`
+ gen_require(`
+ type pppd_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ can_exec($1, pppd_exec_t)
+')
+
+########################################
+## <summary>
+## Read PPP-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_rw_config',`
+ gen_require(`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file { getattr read };
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_secrets',`
+ gen_require(`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file { getattr read };
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_manage_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_pid_filetrans',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_pid_filetrans($1,pppd_var_run_t,file)
+')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 269c125..b65a2ac 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.2.1)
+policy_module(ppp,1.2.2)
########################################
#
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index de3e1b7..1f84ebc 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -673,6 +673,25 @@ interface(`ssh_tcp_connect',`
########################################
## <summary>
+## Execute the ssh client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_exec',`
+ gen_require(`
+ type ssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1,ssh_exec_t)
+')
+
+########################################
+## <summary>
## Read ssh server keys
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index fa32d34..498198b 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.1)
+policy_module(ssh,1.3.2)
########################################
#
More information about the scm-commits
mailing list