From 38fc1bd1807b18b83cf512eba222397227d105ba Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mar 17 2010 12:48:45 +0000
Subject: Likewise policy.
Signed-off-by: Dominick Grift
---
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f199aa3..9a5a82a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -97,6 +97,7 @@ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0,
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmap, tcp,135,s0, udp,135,s0)
 network_port(fingerd, tcp,79,s0)
 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 network_port(ftp_data, tcp,20,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 83d26a5..03a8781 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2923,6 +2923,24 @@ interface(`files_dontaudit_getattr_home_dir',`
 ########################################
 ##
+## Relabel to user home root (/home).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelto;
+')
+
+########################################
+##
 ## Search home directories root (/home).
 ##
 ##
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index db5ca26..d3cedf6 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
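Review bot: The summary `Relabel to user home root (/home).` of the new `files_relabelto_home` interface reads as if the caller can perform a full relabel, but the body grants only `home_root_t:dir relabelto`; the relabelfrom half on the directory's current type still has to come from somewhere else. I would say so in the summary so callers do not expect a complete relabel, e.g. `## Relabel directories to the user home root type (/home). The caller must separately be allowed relabelfrom on the source type.`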
@@ -195,6 +195,26 @@ interface(`kerberos_read_keytab',`
 ########################################
 ##
+## Read/Write the kerberos key table.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kerberos_rw_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
+')
+
+########################################
+##
 ## Create a derived type for kerberos keytab
 ##
 ##
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
new file mode 100644
index 0000000..6d29b1e
--- /dev/null
+++ b/policy/modules/services/likewise.fc
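Review bot: `kerberos_rw_keytab` grants `rw_file_perms` on krb5_keytab_t, i.e. write access to the host's long-term keys, while the existing `kerberos_read_keytab` that this hunk sits after already covers readers; the summary should make that distinction so callers do not pick the wider interface by default. I would write `## Read and write the kerberos key table. Only for domains that enroll or rotate host keys; readers should use kerberos_read_keytab().` in place of the current one-line summary.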
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? 
gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..549da5d
--- /dev/null
+++ b/policy/modules/services/likewise.if
@@ -0,0 +1,105 @@
+## Likewise Active Directory support for UNIX.
+##
+##
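Review bot: The dot is escaped in `/var/lib/likewise-open/\.lsassd` and `sam\.db` but not in `/etc/likewise-open/.pstore.lock`, `likewise-krb5-ad.conf`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and the `/var/run/*.pid` entries, where an unescaped `.` matches any character because each entry is a regular expression; write them as `/etc/likewise-open/\.pstore\.lock` and so on so the labels apply only to the intended names. The `gen_context(..., s0)` calls on the krb5-affinity, krb5ccr_lsass and rpc/* lines carry a space before `s0` that the other entries lack; harmless, but worth normalising while the file is new.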

+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+##

+##
+
+#######################################
+##
+## The template to define a likewise domain.
+##
+##
+##

+## This template creates a domain to be used for
+## a new likewise daemon.
+##

+##
+##
+##
+## The type of daemon to be used.
+##
+##
+#
+template(`likewise_domain_template',`
+
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ typeattribute $1_t likewise_domains;
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_socket_t;
+ files_type($1_var_socket_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ allow $1_t likewise_var_lib_t:dir setattr;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
+
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_read_etc_files($1_t)
+ files_search_var_lib($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+##
+## Connect to lsassd.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
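Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the lsassd sockets this commit labels (`/var/lib/likewise-open/\.lsassd`, `/var/lib/likewise-open/rpc/lsass`) live under /var/lib, so the caller is given search on a pid directory it never traverses and nothing for the /var/lib parent; the call should be `files_search_var_lib($1)`, matching what the template itself uses. In `likewise_domain_template`, every generated domain receives `allow $1_t self:tcp_socket create_stream_socket_perms;` and `allow $1_t self:udp_socket create_socket_perms;` although likewise.te gives lwregd and lwsmd no corenet rules at all, so those two allows would be better placed in the per-daemon policy of the domains that do network I/O. A one-line comment on `allow $1_t likewise_var_lib_t:dir setattr;` explaining why every daemon needs to change attributes on the shared directory would help the next reader, since nothing else in the template suggests it.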
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..731399f
--- /dev/null
+++ b/policy/modules/services/likewise.te
@@ -0,0 +1,289 @@
+
+policy_module(likewise, 1.0.0)
+
+#################################
+#
+# Likewise global personal declarations.
+#
+
+attribute likewise_domains;
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+#############################
+#
+# Likewise dcerpcd personal declarations.
+#
+
+likewise_domain_template(dcerpcd)
+
+#############################
+#
+# Likewise eventlogd personal declarations.
+#
+
+likewise_domain_template(eventlogd)
+
+#############################
+#
+# Likewise lsassd personal declarations.
+#
+
+likewise_domain_template(lsassd)
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+#############################
+#
+# Likewise lwiod personal declarations.
+#
+
+likewise_domain_template(lwiod)
+
+#############################
+#
+# Likewise lwregd personal declarations.
+#
+
+likewise_domain_template(lwregd)
+
+#############################
+#
+# Likewise lwsmd personal declarations.
+#
+
+likewise_domain_template(lwsmd)
+
+#############################
+#
+# Likewise netlogond personal declarations.
+#
+
+likewise_domain_template(netlogond)
+
+#############################
+#
+# Likewise srvsvcd personal declarations.
+#
+
+likewise_domain_template(srvsvcd)
+
+##################################
+#
+# Likewise global personal policy. 
+
+#################################
+#
+# Likewise dcerpcd personal policy
+#
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_sendrecv_generic_server_packets(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_sendrecv_generic_server_packets(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+corenet_tcp_sendrecv_generic_port(eventlogd_t)
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_if(eventlogd_t)
+corenet_udp_sendrecv_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_port(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file 
read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+corenet_tcp_sendrecv_generic_port(lsassd_t)
+corenet_tcp_bind_generic_node(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+
+files_relabelto_home(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+allow lwiod_t self:capability 
{fowner chown fsetid dac_override };
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# Likewise Registry server local policy
+#
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+allow lwsmd_t likewise_domains:process signal;
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+allow netlogond_t self:capability {dac_override};
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(srvsvcd_t)
+corenet_all_recvfrom_unlabeled(srvsvcd_t)
+corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+corenet_tcp_sendrecv_generic_port(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
+
+optional_policy(`
+ kerberos_use(srvsvcd_t)
+')
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b193dd8..8fa6e24 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1402,6 +1402,10 @@ interface(`auth_use_nsswitch',` avahi_stream_connect($1) ') + optional_policy(` + likewise_stream_connect_lsassd($1) + ') + optional_policy(` nis_use_ypbind($1) ')
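Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` in the lsassd section passes a type where the second argument is a role, as `userdom_manage_home_role(system_r, lsassd_t)` a few lines below shows for the same kind of interface; it should read `seutil_run_semanage(lsassd_t, system_r)`, and because this lets a network-facing authentication daemon transition into the policy-store editor, a one-line comment naming the operation that needs it would justify the grant to the next reviewer. `manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);` carries a trailing semicolon that none of the surrounding pattern calls have; the expanded rules already end in `;`, so the extra one should be dropped before checkpolicy sees the empty statement. `files_relabelto_home(lsassd_t)` grants only the relabelto half of a relabel, and nothing in this file grants lsassd_t relabelfrom on the directory's current type, so either that is expected to come from elsewhere (presumably one of the userdom calls — worth confirming) or the call is dead.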