[selinux-policy: 2144/3172] 5 patches from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:10:13 UTC 2010
commit ce6fee6575bd086427c2fe67eb50e40592fc7ebd
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jul 14 10:30:22 2009 -0400
5 patches from dan
policy/modules/apps/uml.te | 8 +--
policy/modules/kernel/corenetwork.te.in | 3 +-
policy/modules/services/bind.fc | 11 +++++-
policy/modules/services/bind.if | 42 +++++++++++++++++++-
policy/modules/services/bind.te | 5 +-
policy/modules/services/inetd.if | 3 +-
policy/modules/services/inetd.te | 2 +-
policy/modules/services/munin.fc | 4 +-
policy/modules/services/munin.if | 54 +++++++++++++++++++++++++-
policy/modules/services/munin.te | 65 +++++++++++++++++++++++++++----
10 files changed, 173 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 4d8f914..82c4052 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
-policy_module(uml, 2.0.1)
+policy_module(uml, 2.0.2)
########################################
#
@@ -16,14 +16,12 @@ ubac_constrained(uml_t)
type uml_ro_t;
typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
-files_type(uml_ro_t)
-ubac_constrained(uml_ro_t)
+userdom_user_home_content(uml_ro_t)
type uml_rw_t;
typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
-files_type(uml_rw_t)
-ubac_constrained(uml_rw_t)
+userdom_user_home_content(uml_rw_t)
type uml_tmp_t;
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 508fee1..0de3898 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.9)
+policy_module(corenetwork, 1.11.10)
########################################
#
@@ -131,6 +131,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index bb40138..59aa54f 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,17 +1,22 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -40,8 +45,12 @@ ifdef(`distro_redhat',`
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <<none>>
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 728901d..0bc0189 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -38,6 +38,42 @@ interface(`bind_signal',`
########################################
## <summary>
+## Send null sigals to BIND.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+## Send BIND the kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
## </summary>
@@ -269,7 +305,7 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
type named_cache_t, named_zone_t;
type dnssec_t, ndc_t;
type named_initrc_exec_t;
@@ -283,6 +319,7 @@ interface(`bind_admin',`
bind_run_ndc($1, $2)
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
@@ -300,6 +337,9 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
files_list_pids($1)
admin_pattern($1, named_var_run_t)
')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index f5f80a8..d047e9d 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind, 1.9.2)
+policy_module(bind, 1.9.3)
########################################
#
@@ -123,6 +123,7 @@ corenet_sendrecv_dns_server_packets(named_t)
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
corenet_udp_bind_all_unreserved_ports(named_t)
dev_read_sysfs(named_t)
@@ -169,7 +170,7 @@ optional_policy(`
')
optional_policy(`
- kerberos_use(named_t)
+ kerberos_keytab_template(named, named_t)
')
optional_policy(`
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index 614e0e4..40eeebe 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -36,8 +36,7 @@ interface(`inetd_core_service_domain',`
role system_r types $1;
domtrans_pattern(inetd_t, $2, $1)
-
- allow inetd_t $1:process sigkill;
+ allow inetd_t $1:process { siginh sigkill };
')
########################################
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index b0d82ba..8eda765 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd, 1.9.2)
+policy_module(inetd, 1.9.3)
########################################
#
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index 205f91b..797e903 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -1,4 +1,5 @@
/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
@@ -6,6 +7,5 @@
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 903e39b..b94c507 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -59,8 +59,9 @@ interface(`munin_append_log',`
type munin_log_t;
')
- allow $1 munin_log_t:file append_file_perms;
logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
')
#######################################
@@ -100,3 +101,54 @@ interface(`munin_dontaudit_search_lib',`
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an munin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the munin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 80afc14..0031618 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin, 1.6.2)
+policy_module(munin, 1.6.3)
########################################
#
@@ -13,6 +13,9 @@ init_daemon_domain(munin_t, munin_exec_t)
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
type munin_log_t alias lrrd_log_t;
logging_log_file(munin_log_t)
@@ -30,21 +33,25 @@ files_pid_file(munin_var_run_t)
# Local policy
#
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
allow munin_t munin_etc_t:dir list_dir_perms;
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
files_search_etc(munin_t)
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t, munin_log_t, file)
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
@@ -61,9 +68,11 @@ manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
files_pid_filetrans(munin_t, munin_var_run_t, file)
kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
@@ -73,30 +82,43 @@ corenet_tcp_sendrecv_generic_node(munin_t)
corenet_udp_sendrecv_generic_node(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
files_read_usr_files(munin_t)
+files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
fs_search_auto_mountpoints(munin_t)
+auth_use_nsswitch(munin_t)
+
logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
optional_policy(`
- # for accessing the output directory
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
apache_search_sys_content(munin_t)
')
@@ -105,7 +127,34 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(munin_t)
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
')
optional_policy(`
More information about the scm-commits
mailing list