[selinux-policy: 1807/3172] trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:41:16 UTC 2010
commit 8242f5a68dee6ce1c77d6c06aab82b9938363e50
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Sep 17 14:33:40 2007 +0000
trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().
Changelog | 2 +
policy/modules/kernel/corenetwork.te.in | 5 ++-
policy/modules/services/bitlbee.fc | 3 +
policy/modules/services/bitlbee.if | 22 ++++++++++
policy/modules/services/bitlbee.te | 70 +++++++++++++++++++++++++++++++
policy/modules/services/finger.te | 24 ++++++----
policy/modules/services/nagios.te | 44 +++++++++++---------
policy/modules/services/rlogin.te | 16 ++++---
policy/modules/services/rshd.te | 8 +--
policy/modules/services/tcpd.if | 28 ++++++++++++-
policy/modules/services/tcpd.te | 28 ++-----------
policy/modules/services/uwimap.te | 18 +++++---
12 files changed, 194 insertions(+), 74 deletions(-)
---
diff --git a/Changelog b/Changelog
index 23fe8d4..06ef194 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
- Update MLS constraints from LSPP evaluated policy.
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
Accordingly drop MLS permissions from daemons that inherit from any level.
@@ -16,6 +17,7 @@
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
- Added modules:
application
+ bitlbee (Devin Carraway)
brctl (Dan Walsh)
* Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index bf24b64..b0f5d5f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.10)
+policy_module(corenetwork,1.2.11)
########################################
#
@@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
@@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
network_port(nessus, tcp,1241,s0)
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
new file mode 100644
index 0000000..b9c9c53
--- /dev/null
+++ b/policy/modules/services/bitlbee.fc
@@ -0,0 +1,3 @@
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
new file mode 100644
index 0000000..d2cc8ae
--- /dev/null
+++ b/policy/modules/services/bitlbee.if
@@ -0,0 +1,22 @@
+## <summary>Bitlbee service</summary>
+
+########################################
+## <summary>
+## Read bitlbee configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed accesss.
+## </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+ gen_require(`
+ type bitlbee_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 bitlbee_conf_t:dir { getattr read search };
+ allow $1 bitlbee_conf_t:file { read getattr };
+')
+
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
new file mode 100644
index 0000000..8a4006e
--- /dev/null
+++ b/policy/modules/services/bitlbee.te
@@ -0,0 +1,70 @@
+
+policy_module(bitlbee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_udp_sendrecv_lo_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_lo_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+libs_use_ld_so(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+ # normally started from inetd using tcpwrappers, so use those entry points
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 7f88b61..af69106 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
-policy_module(finger,1.4.0)
+policy_module(finger,1.4.1)
########################################
#
@@ -8,8 +8,8 @@ policy_module(finger,1.4.0)
type fingerd_t;
type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
type fingerd_etc_t;
files_config_file(fingerd_etc_t)
@@ -34,15 +34,15 @@ allow fingerd_t self:udp_socket create_socket_perms;
allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
-manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t)
-files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
-allow fingerd_t fingerd_etc_t:dir r_dir_perms;
-read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
-read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
allow fingerd_t fingerd_log_t:file manage_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t,file)
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
@@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- cron_system_entry(fingerd_t,fingerd_exec_t)
+ cron_system_entry(fingerd_t, fingerd_exec_t)
')
optional_policy(`
@@ -125,5 +125,9 @@ optional_policy(`
')
optional_policy(`
+ tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
udev_read_db(fingerd_t)
')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 174139b..64840dc 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios,1.3.0)
+policy_module(nagios,1.3.1)
########################################
#
@@ -8,11 +8,11 @@ policy_module(nagios,1.3.0)
type nagios_t;
type nagios_exec_t;
-init_daemon_domain(nagios_t,nagios_exec_t)
+init_daemon_domain(nagios_t, nagios_exec_t)
type nagios_cgi_t;
type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
type nagios_etc_t;
files_config_file(nagios_etc_t)
@@ -28,7 +28,7 @@ files_pid_file(nagios_var_run_t)
type nrpe_t;
type nrpe_exec_t;
-init_daemon_domain(nrpe_t,nrpe_exec_t)
+init_daemon_domain(nrpe_t, nrpe_exec_t)
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
@@ -45,20 +45,20 @@ allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;
-read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;
-manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
-manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
-logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
-manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
-manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
-manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
-files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
@@ -142,16 +142,16 @@ optional_policy(`
allow nagios_cgi_t self:process signal_perms;
allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
kernel_read_system_state(nagios_cgi_t)
@@ -218,7 +218,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
+ inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
optional_policy(`
@@ -226,5 +226,9 @@ optional_policy(`
')
optional_policy(`
+ tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
udev_read_db(nrpe_t)
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 7978f66..3d55bc1 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin,1.4.0)
+policy_module(rlogin,1.4.1)
########################################
#
@@ -8,7 +8,7 @@ policy_module(rlogin,1.4.0)
type rlogind_t;
type rlogind_exec_t;
-inetd_service_domain(rlogind_t,rlogind_exec_t)
+inetd_service_domain(rlogind_t, rlogind_exec_t)
role system_r types rlogind_t;
type rlogind_devpts_t; #, userpty_type;
@@ -39,12 +39,12 @@ term_create_pty(rlogind_t,rlogind_devpts_t)
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
-manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
-manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
-manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t)
-files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
@@ -96,6 +96,10 @@ optional_policy(`
kerberos_read_keytab(rlogind_t)
')
+optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
+
ifdef(`TODO',`
# Allow krb5 rlogind to use fork and open /dev/tty for use
allow rlogind_t userpty_type:chr_file setattr;
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index b3b6103..0b0373a 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd,1.3.1)
+policy_module(rshd,1.3.2)
########################################
#
@@ -7,7 +7,7 @@ policy_module(rshd,1.3.1)
#
type rshd_t;
type rshd_exec_t;
-inetd_tcp_service_domain(rshd_t,rshd_exec_t)
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
domain_subj_id_change_exemption(rshd_t)
domain_role_change_exemption(rshd_t)
role system_r types rshd_t;
@@ -88,8 +88,6 @@ optional_policy(`
nscd_socket_use(rshd_t)
')
-ifdef(`TODO',`
optional_policy(`
- allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
+ tcpd_wrapped_domain(rshd_t,rshd_exec_t)
')
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
index 82958cf..98dc24b 100644
--- a/policy/modules/services/tcpd.if
+++ b/policy/modules/services/tcpd.if
@@ -15,5 +15,31 @@ interface(`tcpd_domtrans',`
type tcpd_t, tcpd_exec_t;
')
- domtrans_pattern($1,tcpd_exec_t,tcpd_t)
+ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+## <summary>
+## Create a domain for services that
+## utilize tcp wrappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`tcpd_wrapped_domain',`
+ gen_require(`
+ type tcpd_t;
+ role system_r;
+ ')
+
+ domtrans_pattern(tcpd_t, $2, $1)
+ role system_r types $1;
')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 8925d48..acf506a 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
-policy_module(tcpd,1.2.0)
+policy_module(tcpd,1.2.1)
########################################
#
@@ -7,7 +7,7 @@ policy_module(tcpd,1.2.0)
#
type tcpd_t;
type tcpd_exec_t;
-inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
role system_r types tcpd_t;
type tcpd_tmp_t;
@@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
#
allow tcpd_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
-manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
corenet_all_recvfrom_unlabeled(tcpd_t)
@@ -50,25 +50,5 @@ sysnet_read_config(tcpd_t)
inetd_domtrans_child(tcpd_t)
optional_policy(`
- finger_domtrans(tcpd_t)
-')
-
-optional_policy(`
nis_use_ypbind(tcpd_t)
')
-
-optional_policy(`
- nagios_domtrans_nrpe(tcpd_t)
-')
-
-optional_policy(`
- rlogin_domtrans(tcpd_t)
-')
-
-optional_policy(`
- rshd_domtrans(tcpd_t)
-')
-
-optional_policy(`
- uwimap_domtrans(tcpd_t)
-')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index ab20a88..5ba1f99 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap,1.3.0)
+policy_module(uwimap,1.3.1)
########################################
#
@@ -8,8 +8,8 @@ policy_module(uwimap,1.3.0)
type imapd_t;
type imapd_exec_t;
-init_daemon_domain(imapd_t,imapd_exec_t)
-inetd_tcp_service_domain(imapd_t,imapd_exec_t)
+init_daemon_domain(imapd_t, imapd_exec_t)
+inetd_tcp_service_domain(imapd_t, imapd_exec_t)
type imapd_tmp_t;
files_tmp_file(imapd_tmp_t)
@@ -28,12 +28,12 @@ allow imapd_t self:process signal_perms;
allow imapd_t self:fifo_file rw_fifo_file_perms;
allow imapd_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
-manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
-files_pid_filetrans(imapd_t,imapd_var_run_t,file)
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
@@ -93,5 +93,9 @@ optional_policy(`
')
optional_policy(`
+ tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
udev_read_db(imapd_t)
')
More information about the scm-commits
mailing list