From 3c9b2e9bc6c12678fa609e8af702ebb32a605398 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 19 2009 17:56:10 +0000 Subject: trunk: 6 patches from dan. --- diff --git a/Changelog b/Changelog index b2cfb6c..a3656ff 100644 --- a/Changelog +++ b/Changelog @@ -11,6 +11,9 @@ - Add support for labeled Booleans. - Remove node definitions and change node usage to generic nodes. - Add kernel_service access vectors, from Stephen Smalley. +- Added modules: + logadm (Dan Walsh) + zosremote (Dan Walsh) * Wed Dec 10 2008 Chris PeBenito - 2.20081210 - Fix consistency of audioentropy and iscsi module naming. diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index 3d24189..cb86035 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch, 1.9.0) +policy_module(logwatch, 1.9.1) ################################# # @@ -43,6 +43,8 @@ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) +kernel_read_net_sysctls(logwatch_t) +kernel_read_network_state(logwatch_t) corecmd_exec_bin(logwatch_t) corecmd_exec_shell(logwatch_t) @@ -54,6 +56,7 @@ dev_read_sysfs(logwatch_t) domain_read_all_domains_state(logwatch_t) files_list_var(logwatch_t) +files_read_var_symlinks(logwatch_t) files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) files_read_usr_files(logwatch_t) @@ -66,10 +69,12 @@ files_dontaudit_search_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) +fs_list_inotifyfs(logwatch_t) term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) +auth_use_nsswitch(logwatch_t) auth_dontaudit_read_shadow(logwatch_t) init_read_utmp(logwatch_t) 
@@ -85,6 +90,7 @@ miscfiles_read_localization(logwatch_t) selinux_dontaudit_getattr_dir(logwatch_t) sysnet_dns_name_resolve(logwatch_t) +sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -95,10 +101,6 @@ optional_policy(` ') optional_policy(` - auth_use_nsswitch(logwatch_t) -') - -optional_policy(` avahi_dontaudit_search_pid(logwatch_t) ') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index ac74240..0950bc7 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -117,6 +117,24 @@ interface(`usermanage_domtrans_passwd',` ######################################## ## +## Send sigkills to passwd. +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_kill_passwd',` + gen_require(` + type passwd_t; + ') + + allow $1 passwd_t:process sigkill; +') + +######################################## +## ## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain. ## @@ -138,6 +156,7 @@ interface(`usermanage_run_passwd',` usermanage_domtrans_passwd($1) role $2 types passwd_t; + auth_run_chk_passwd(passwd_t, $2) ') ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 7388b53..ac4e7ff 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage, 1.12.0) +policy_module(usermanage, 1.12.1) ######################################## # @@ -288,6 +288,7 @@ selinux_compute_user_contexts(passwd_t) term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) +auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) 
@@ -307,6 +308,7 @@ files_relabel_etc_files(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) +init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -320,6 +322,7 @@ userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) userdom_read_all_users_state(passwd_t) +userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -492,6 +495,12 @@ userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_se mta_manage_spool(useradd_t) +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(useradd_t) + ') +') + optional_policy(` apache_manage_all_user_content(useradd_t) ') diff --git a/policy/modules/roles/logadm.fc b/policy/modules/roles/logadm.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/logadm.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if new file mode 100644 index 0000000..6bd00f9 --- /dev/null +++ b/policy/modules/roles/logadm.if @@ -0,0 +1,50 @@ +## Log administrator role + +######################################## +## +## Change to the log administrator role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`logadm_role_change',` + gen_require(` + role logadm_r; + ') + + allow $1 logadm_r; +') + +######################################## +## +## Change from the log administrator role. +## +## +##
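Review bot: The `unconfined_domain(useradd_t)` added in the `distro_redhat` block after `mta_manage_spool(useradd_t)` makes useradd_t unconfined wherever the unconfined module is present. The targeted useradd_t rules elsewhere in usermanage.te then no longer constrain a process that creates accounts and home directories. Nothing in the hunk records which denial required this. I would replace it with the specific interfaces that cover the failing access, or, if it has to stay for now, put a comment above it such as `# FIXME: useradd_t unconfined on Red Hat because <reason>; narrow once the needed access is identified`.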

+## Change from the log administrator role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Role allowed access. +## +## +## +# +interface(`logadm_role_change_to',` + gen_require(` + role logadm_r; + ') + + allow logadm_r $1; +') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te new file mode 100644 index 0000000..dfd9310 --- /dev/null +++ b/policy/modules/roles/logadm.te @@ -0,0 +1,20 @@ + +policy_module(logadm, 1.0.0) + +######################################## +# +# Declarations +# + +role logadm_r; + +userdom_base_user_template(logadm) + +######################################## +# +# logadmin local policy +# + +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 629f473..b492db5 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc @@ -16,6 +16,7 @@ /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) # diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 7584b3e..20b2e7b 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if 
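Review bot: The rule `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` in the new logadm.te has no comment tying any capability to a log-administration task. `dac_override` and `sys_ptrace` in particular are broad for a role that is meant to be separated from full sysadm. If the set mirrors what `logging_admin()` needs, say so in a comment above the rule, and drop anything not backed by an observed denial. The section header also reads `logadmin local policy` while the module and domain are named `logadm`.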
@@ -83,12 +83,13 @@ template(`rpc_domain_template', ` corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_portmap_client_packets($1_t) # do not log when it tries to bind to a port belonging to another domain - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - corenet_dontaudit_udp_bind_all_reserved_ports($1_t) + corenet_dontaudit_tcp_bind_all_ports($1_t) + corenet_dontaudit_udp_bind_all_ports($1_t) # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t) - corenet_udp_bind_reserved_port($1_t) + corenet_tcp_bind_all_rpc_ports($1_t) + corenet_udp_bind_all_rpc_ports($1_t) corenet_sendrecv_generic_server_packets($1_t) fs_rw_rpc_named_pipes($1_t) @@ -205,6 +206,25 @@ interface(`rpc_domtrans_nfsd',` ######################################## ## +## Execute domain in nfsd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpc_domtrans_rpcd',` + gen_require(` + type rpcd_t, rpcd_exec_t; + ') + + domtrans_pattern($1, rpcd_exec_t, rpcd_t) + allow rpcd_t $1:process signal; +') + +######################################## +## ## Read NFS exported content. ## ## @@ -335,3 +355,22 @@ interface(`rpc_read_nfs_state_data',` files_search_var_lib($1) read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ') + +######################################## +## +## Manage NFS state data in /var/lib/nfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_manage_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 012cb34..808154d 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc, 1.10.3) +policy_module(rpc, 1.10.4) ######################################## # 
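Review bot: The switch to `corenet_dontaudit_tcp_bind_all_ports($1_t)` and `corenet_dontaudit_udp_bind_all_ports($1_t)` in `rpc_domain_template` silences bind denials on every port type rather than only reserved ones. An RPC domain that tries to bind a port it should never use would then leave no AVC record. The comment above the two lines still describes the narrower intent; I would either keep the reserved-port dontaudit if that is all that was observed, or update the comment to `# do not log bind attempts on any port labelled for another domain`. The template body starts and ends outside this hunk.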
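Review bot: The summary of the new `rpc_domtrans_rpcd` interface reads `Execute domain in nfsd domain.`, which looks copied from `rpc_domtrans_nfsd` in the context just above. The body transitions through `rpcd_exec_t` into `rpcd_t`, so the summary should say `Execute rpcd programs in the rpcd domain.` The parameter text would also match the other interfaces added in this commit better as `Domain allowed to transition.`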
@@ -68,6 +68,7 @@ kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) +kernel_dontaudit_getattr_core_if(rpcd_t) corecmd_exec_bin(rpcd_t) @@ -101,6 +102,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) +kernel_dontaudit_getattr_core_if(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) @@ -133,12 +135,23 @@ tunable_policy(`allow_nfsd_anon_write',` ') tunable_policy(`nfs_export_all_rw',` + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') tunable_policy(`nfs_export_all_ro',` - fs_read_noxattr_fs_files(nfsd_t) + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + files_getattr_all_pipes(nfsd_t) + files_getattr_all_sockets(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) + + auth_read_all_dirs_except_shadow(nfsd_t) auth_read_all_files_except_shadow(nfsd_t) ') @@ -180,8 +193,7 @@ tunable_policy(`allow_gssd_read_tmp',` ') optional_policy(` - kerberos_use(gssd_t) - kerberos_read_keytab(gssd_t) + kerberos_keytab_template(gssd, gssd_t) ') optional_policy(` diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc new file mode 100644 index 0000000..d719d0b --- /dev/null +++ b/policy/modules/services/zosremote.fc @@ -0,0 +1 @@ +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if new file mode 100644 index 0000000..3e49a8c --- /dev/null +++ b/policy/modules/services/zosremote.if 
@@ -0,0 +1,45 @@
+## policy for z/OS Remote-services Audit dispatcher plugin
+
+########################################
+##
+## Execute a domain transition to run audispd-zos-remote.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, type zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+##
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the zos_remote domain.
+##
+##
+#
+interface(`zosremote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zosremote_domtrans($1)
+ role $2 types zos_remote_t;
+')
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
new file mode 100644
index 0000000..bdddee3
--- /dev/null
+++ b/policy/modules/services/zosremote.te
@@ -0,0 +1,28 @@
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 571f028..9b924c3 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
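Review bot: In `zosremote_domtrans` the require block is written `type zos_remote_t, type zos_remote_exec_t;`, repeating the `type` keyword inside one statement. Every other interface in this commit lists the identifiers after a single keyword, and this form will most likely fail to parse the first time a caller expands the interface. It should be `type zos_remote_t, zos_remote_exec_t;`. Separately, the `zosremote_run` summary promises terminal use, but the body holds only `zosremote_domtrans($1)` and the `role` statement, so either drop that sentence or add the rule it describes.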
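Review bot: In the new zosremote.te, `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon that no other interface call in this commit has, and `policy_module(zosremote,1.0.0)` lacks the space after the comma used by the other modules. Write them as `auth_use_nsswitch(zos_remote_t)` and `policy_module(zosremote, 1.0.0)`. The domain is also declared through both `init_system_domain` and `logging_dispatcher_domain`, so a one-line comment in the Declarations section saying whether the plugin is expected to be started by init as well as by the audit dispatcher would help the next reader judge which entry points are intended.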
@@ -17,3 +17,5 @@ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 573a890..e1f3c65 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -96,6 +96,24 @@ interface(`udev_dontaudit_rw_dgram_sockets',` ######################################## ## +## Do not audit search of udev database directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`udev_dontaudit_search_db',` + gen_require(` + type udev_tbl_t; + ') + + dontaudit $1 udev_tbl_t:dir search_dir_perms; +') + +######################################## +## ## Allow process to read list of devices. ## ## @@ -106,11 +124,13 @@ interface(`udev_dontaudit_rw_dgram_sockets',` # interface(`udev_read_db',` gen_require(` - type udev_tdb_t; + type udev_tbl_t; ') dev_list_all_dev_nodes($1) - allow $1 udev_tdb_t:file read_file_perms; + allow $1 udev_tbl_t:dir list_dir_perms; + read_files_pattern($1, udev_tbl_t, udev_tbl_t) + read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ') ######################################## @@ -125,9 +145,9 @@ interface(`udev_read_db',` # interface(`udev_rw_db',` gen_require(` - type udev_tdb_t; + type udev_tbl_t; ') dev_list_all_dev_nodes($1) - allow $1 udev_tdb_t:file rw_file_perms; + allow $1 udev_tbl_t:file rw_file_perms; ') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 40d3ac2..f51a3af 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev, 1.10.1) +policy_module(udev, 1.10.2) ######################################## # 
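Review bot: `udev_rw_db` in the last udev.if hunk is only renamed to `udev_tbl_t` and still grants just `udev_tbl_t:file rw_file_perms`. The previous hunk gives `udev_read_db` `udev_tbl_t:dir list_dir_perms` plus file and symlink reads. If the database is now a directory tree, as that change implies, callers of `udev_rw_db` get no directory access to reach the files they may write, which tends to be worked around later with broader rules. I would add `allow $1 udev_tbl_t:dir list_dir_perms;` and use `rw_files_pattern($1, udev_tbl_t, udev_tbl_t)` so the two interfaces agree.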
@@ -55,6 +55,7 @@ allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) allow udev_t udev_helper_exec_t:dir list_dir_perms; +can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -78,10 +79,12 @@ kernel_rw_hotplug_sysctls(udev_t) kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) +kernel_search_debugfs(udev_t) #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) kernel_read_network_state(udev_t) +kernel_read_software_raid_state(udev_t) corecmd_exec_all_executables(udev_t) @@ -134,6 +137,7 @@ init_getattr_initctl(udev_t) logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) +logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) @@ -181,6 +185,7 @@ ifdef(`distro_redhat',` optional_policy(` alsa_domtrans(udev_t) + alsa_read_lib(udev_t) alsa_read_rw_config(udev_t) ') @@ -189,6 +194,10 @@ optional_policy(` ') optional_policy(` + clock_domtrans(udev_t) +') + +optional_policy(` consoletype_exec(udev_t) ') @@ -197,6 +206,10 @@ optional_policy(` ') optional_policy(` + lvm_domtrans(udev_t) +') + +optional_policy(` fstools_domtrans(udev_t) ')