authorChris PeBenito <pebenito@ieee.org>2018-06-23 10:38:58 -0400
committerJason Zaman <jason@perfinion.com>2018-06-24 16:33:24 +0800
commit751926c0fbba4bf7105622ee65888b66740847a0 (patch)
tree6bbdd39cd5becdddc8e4cbc41332c383874c7972 /policy/modules/services
parentxdg: move compat interfaces to upstream xdg module (diff)
downloadhardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.gz
hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.bz2
hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.zip
Move all files out of the old contrib directory.
Diffstat (limited to 'policy/modules/services')
-rw-r--r--policy/modules/services/abrt.fc34
-rw-r--r--policy/modules/services/abrt.if307
-rw-r--r--policy/modules/services/abrt.te441
-rw-r--r--policy/modules/services/accountsd.fc5
-rw-r--r--policy/modules/services/accountsd.if148
-rw-r--r--policy/modules/services/accountsd.te75
-rw-r--r--policy/modules/services/acpi.fc24
-rw-r--r--policy/modules/services/acpi.if187
-rw-r--r--policy/modules/services/acpi.te247
-rw-r--r--policy/modules/services/afs.fc52
-rw-r--r--policy/modules/services/afs.if122
-rw-r--r--policy/modules/services/afs.te325
-rw-r--r--policy/modules/services/aiccu.fc9
-rw-r--r--policy/modules/services/aiccu.if92
-rw-r--r--policy/modules/services/aiccu.te76
-rw-r--r--policy/modules/services/aisexec.fc11
-rw-r--r--policy/modules/services/aisexec.if104
-rw-r--r--policy/modules/services/aisexec.te117
-rw-r--r--policy/modules/services/amavis.fc30
-rw-r--r--policy/modules/services/amavis.if261
-rw-r--r--policy/modules/services/amavis.te199
-rw-r--r--policy/modules/services/apache.fc204
-rw-r--r--policy/modules/services/apache.if1402
-rw-r--r--policy/modules/services/apache.te1479
-rw-r--r--policy/modules/services/apcupsd.fc20
-rw-r--r--policy/modules/services/apcupsd.if165
-rw-r--r--policy/modules/services/apcupsd.te130
-rw-r--r--policy/modules/services/arpwatch.fc13
-rw-r--r--policy/modules/services/arpwatch.if155
-rw-r--r--policy/modules/services/arpwatch.te90
-rw-r--r--policy/modules/services/asterisk.fc15
-rw-r--r--policy/modules/services/asterisk.if151
-rw-r--r--policy/modules/services/asterisk.te193
-rw-r--r--policy/modules/services/automount.fc12
-rw-r--r--policy/modules/services/automount.if160
-rw-r--r--policy/modules/services/automount.te171
-rw-r--r--policy/modules/services/avahi.fc15
-rw-r--r--policy/modules/services/avahi.if274
-rw-r--r--policy/modules/services/avahi.te118
-rw-r--r--policy/modules/services/bind.fc66
-rw-r--r--policy/modules/services/bind.if376
-rw-r--r--policy/modules/services/bind.te279
-rw-r--r--policy/modules/services/bird.fc13
-rw-r--r--policy/modules/services/bird.if39
-rw-r--r--policy/modules/services/bird.te58
-rw-r--r--policy/modules/services/bitlbee.fc15
-rw-r--r--policy/modules/services/bitlbee.if66
-rw-r--r--policy/modules/services/bitlbee.te125
-rw-r--r--policy/modules/services/bluetooth.fc37
-rw-r--r--policy/modules/services/bluetooth.if195
-rw-r--r--policy/modules/services/bluetooth.te228
-rw-r--r--policy/modules/services/boinc.fc13
-rw-r--r--policy/modules/services/boinc.if41
-rw-r--r--policy/modules/services/boinc.te214
-rw-r--r--policy/modules/services/bugzilla.fc4
-rw-r--r--policy/modules/services/bugzilla.if80
-rw-r--r--policy/modules/services/bugzilla.te47
-rw-r--r--policy/modules/services/cachefilesd.fc9
-rw-r--r--policy/modules/services/cachefilesd.if36
-rw-r--r--policy/modules/services/cachefilesd.te76
-rw-r--r--policy/modules/services/callweaver.fc13
-rw-r--r--policy/modules/services/callweaver.if78
-rw-r--r--policy/modules/services/callweaver.te87
-rw-r--r--policy/modules/services/canna.fc19
-rw-r--r--policy/modules/services/canna.if59
-rw-r--r--policy/modules/services/canna.te96
-rw-r--r--policy/modules/services/ccs.fc14
-rw-r--r--policy/modules/services/ccs.if124
-rw-r--r--policy/modules/services/ccs.te129
-rw-r--r--policy/modules/services/certmaster.fc11
-rw-r--r--policy/modules/services/certmaster.if143
-rw-r--r--policy/modules/services/certmaster.te75
-rw-r--r--policy/modules/services/certmonger.fc9
-rw-r--r--policy/modules/services/certmonger.if172
-rw-r--r--policy/modules/services/certmonger.te102
-rw-r--r--policy/modules/services/cgmanager.fc10
-rw-r--r--policy/modules/services/cgmanager.if22
-rw-r--r--policy/modules/services/cgmanager.te66
-rw-r--r--policy/modules/services/cgroup.fc19
-rw-r--r--policy/modules/services/cgroup.if187
-rw-r--r--policy/modules/services/cgroup.te108
-rw-r--r--policy/modules/services/chronyd.fc25
-rw-r--r--policy/modules/services/chronyd.if361
-rw-r--r--policy/modules/services/chronyd.te152
-rw-r--r--policy/modules/services/cipe.fc5
-rw-r--r--policy/modules/services/cipe.if29
-rw-r--r--policy/modules/services/cipe.te72
-rw-r--r--policy/modules/services/clamav.fc30
-rw-r--r--policy/modules/services/clamav.if224
-rw-r--r--policy/modules/services/clamav.te337
-rw-r--r--policy/modules/services/clockspeed.fc7
-rw-r--r--policy/modules/services/clockspeed.if48
-rw-r--r--policy/modules/services/clockspeed.te77
-rw-r--r--policy/modules/services/clogd.fc5
-rw-r--r--policy/modules/services/clogd.if59
-rw-r--r--policy/modules/services/clogd.te49
-rw-r--r--policy/modules/services/cmirrord.fc7
-rw-r--r--policy/modules/services/cmirrord.if113
-rw-r--r--policy/modules/services/cmirrord.te57
-rw-r--r--policy/modules/services/cobbler.fc22
-rw-r--r--policy/modules/services/cobbler.if180
-rw-r--r--policy/modules/services/cobbler.te204
-rw-r--r--policy/modules/services/collectd.fc12
-rw-r--r--policy/modules/services/collectd.if36
-rw-r--r--policy/modules/services/collectd.te95
-rw-r--r--policy/modules/services/colord.fc11
-rw-r--r--policy/modules/services/colord.if60
-rw-r--r--policy/modules/services/colord.te145
-rw-r--r--policy/modules/services/comsat.fc3
-rw-r--r--policy/modules/services/comsat.if1
-rw-r--r--policy/modules/services/comsat.te59
-rw-r--r--policy/modules/services/condor.fc31
-rw-r--r--policy/modules/services/condor.if88
-rw-r--r--policy/modules/services/condor.te256
-rw-r--r--policy/modules/services/consolekit.fc11
-rw-r--r--policy/modules/services/consolekit.if123
-rw-r--r--policy/modules/services/consolekit.te176
-rw-r--r--policy/modules/services/corosync.fc15
-rw-r--r--policy/modules/services/corosync.if161
-rw-r--r--policy/modules/services/corosync.te148
-rw-r--r--policy/modules/services/couchdb.fc9
-rw-r--r--policy/modules/services/couchdb.if122
-rw-r--r--policy/modules/services/couchdb.te113
-rw-r--r--policy/modules/services/courier.fc39
-rw-r--r--policy/modules/services/courier.if190
-rw-r--r--policy/modules/services/courier.te215
-rw-r--r--policy/modules/services/cpucontrol.fc13
-rw-r--r--policy/modules/services/cpucontrol.if17
-rw-r--r--policy/modules/services/cpucontrol.te104
-rw-r--r--policy/modules/services/cron.fc75
-rw-r--r--policy/modules/services/cron.if965
-rw-r--r--policy/modules/services/cron.te768
-rw-r--r--policy/modules/services/ctdb.fc14
-rw-r--r--policy/modules/services/ctdb.if82
-rw-r--r--policy/modules/services/ctdb.te118
-rw-r--r--policy/modules/services/cups.fc86
-rw-r--r--policy/modules/services/cups.if384
-rw-r--r--policy/modules/services/cups.te799
-rw-r--r--policy/modules/services/cvs.fc13
-rw-r--r--policy/modules/services/cvs.if81
-rw-r--r--policy/modules/services/cvs.te125
-rw-r--r--policy/modules/services/cyphesis.fc7
-rw-r--r--policy/modules/services/cyphesis.if58
-rw-r--r--policy/modules/services/cyphesis.te87
-rw-r--r--policy/modules/services/cyrus.fc10
-rw-r--r--policy/modules/services/cyrus.if83
-rw-r--r--policy/modules/services/cyrus.te145
-rw-r--r--policy/modules/services/dante.fc13
-rw-r--r--policy/modules/services/dante.if36
-rw-r--r--policy/modules/services/dante.te79
-rw-r--r--policy/modules/services/dbskk.fc3
-rw-r--r--policy/modules/services/dbskk.if1
-rw-r--r--policy/modules/services/dbskk.te58
-rw-r--r--policy/modules/services/dbus.fc32
-rw-r--r--policy/modules/services/dbus.if614
-rw-r--r--policy/modules/services/dbus.te305
-rw-r--r--policy/modules/services/dcc.fc30
-rw-r--r--policy/modules/services/dcc.if178
-rw-r--r--policy/modules/services/dcc.te351
-rw-r--r--policy/modules/services/ddclient.fc19
-rw-r--r--policy/modules/services/ddclient.if95
-rw-r--r--policy/modules/services/ddclient.te118
-rw-r--r--policy/modules/services/denyhosts.fc9
-rw-r--r--policy/modules/services/denyhosts.if76
-rw-r--r--policy/modules/services/denyhosts.te73
-rw-r--r--policy/modules/services/devicekit.fc24
-rw-r--r--policy/modules/services/devicekit.if279
-rw-r--r--policy/modules/services/devicekit.te373
-rw-r--r--policy/modules/services/dhcp.fc13
-rw-r--r--policy/modules/services/dhcp.if97
-rw-r--r--policy/modules/services/dhcp.te134
-rw-r--r--policy/modules/services/dictd.fc11
-rw-r--r--policy/modules/services/dictd.if39
-rw-r--r--policy/modules/services/dictd.te82
-rw-r--r--policy/modules/services/dirmngr.fc18
-rw-r--r--policy/modules/services/dirmngr.if136
-rw-r--r--policy/modules/services/dirmngr.te91
-rw-r--r--policy/modules/services/distcc.fc7
-rw-r--r--policy/modules/services/distcc.if39
-rw-r--r--policy/modules/services/distcc.te88
-rw-r--r--policy/modules/services/djbdns.fc7
-rw-r--r--policy/modules/services/djbdns.if78
-rw-r--r--policy/modules/services/djbdns.te64
-rw-r--r--policy/modules/services/dkim.fc25
-rw-r--r--policy/modules/services/dkim.if54
-rw-r--r--policy/modules/services/dkim.te54
-rw-r--r--policy/modules/services/dnsmasq.fc24
-rw-r--r--policy/modules/services/dnsmasq.if286
-rw-r--r--policy/modules/services/dnsmasq.te137
-rw-r--r--policy/modules/services/dnssectrigger.fc11
-rw-r--r--policy/modules/services/dnssectrigger.if39
-rw-r--r--policy/modules/services/dnssectrigger.te79
-rw-r--r--policy/modules/services/dovecot.fc41
-rw-r--r--policy/modules/services/dovecot.if173
-rw-r--r--policy/modules/services/dovecot.te344
-rw-r--r--policy/modules/services/drbd.fc13
-rw-r--r--policy/modules/services/drbd.if56
-rw-r--r--policy/modules/services/drbd.te55
-rw-r--r--policy/modules/services/dspam.fc12
-rw-r--r--policy/modules/services/dspam.if79
-rw-r--r--policy/modules/services/dspam.te89
-rw-r--r--policy/modules/services/entropyd.fc10
-rw-r--r--policy/modules/services/entropyd.if32
-rw-r--r--policy/modules/services/entropyd.te81
-rw-r--r--policy/modules/services/exim.fc16
-rw-r--r--policy/modules/services/exim.if326
-rw-r--r--policy/modules/services/exim.te254
-rw-r--r--policy/modules/services/fail2ban.fc9
-rw-r--r--policy/modules/services/fail2ban.if284
-rw-r--r--policy/modules/services/fail2ban.te172
-rw-r--r--policy/modules/services/fcoe.fc8
-rw-r--r--policy/modules/services/fcoe.if51
-rw-r--r--policy/modules/services/fcoe.te44
-rw-r--r--policy/modules/services/fetchmail.fc15
-rw-r--r--policy/modules/services/fetchmail.if42
-rw-r--r--policy/modules/services/fetchmail.te113
-rw-r--r--policy/modules/services/finger.fc13
-rw-r--r--policy/modules/services/finger.if20
-rw-r--r--policy/modules/services/finger.te104
-rw-r--r--policy/modules/services/firewalld.fc12
-rw-r--r--policy/modules/services/firewalld.if118
-rw-r--r--policy/modules/services/firewalld.te109
-rw-r--r--policy/modules/services/fprintd.fc5
-rw-r--r--policy/modules/services/fprintd.if41
-rw-r--r--policy/modules/services/fprintd.te61
-rw-r--r--policy/modules/services/ftp.fc36
-rw-r--r--policy/modules/services/ftp.if191
-rw-r--r--policy/modules/services/ftp.te508
-rw-r--r--policy/modules/services/gatekeeper.fc14
-rw-r--r--policy/modules/services/gatekeeper.if42
-rw-r--r--policy/modules/services/gatekeeper.te104
-rw-r--r--policy/modules/services/gdomap.fc7
-rw-r--r--policy/modules/services/gdomap.if55
-rw-r--r--policy/modules/services/gdomap.te46
-rw-r--r--policy/modules/services/geoclue.fc8
-rw-r--r--policy/modules/services/geoclue.if1
-rw-r--r--policy/modules/services/geoclue.te46
-rw-r--r--policy/modules/services/git.fc18
-rw-r--r--policy/modules/services/git.if81
-rw-r--r--policy/modules/services/git.te280
-rw-r--r--policy/modules/services/glance.fc11
-rw-r--r--policy/modules/services/glance.if259
-rw-r--r--policy/modules/services/glance.te120
-rw-r--r--policy/modules/services/glusterfs.fc19
-rw-r--r--policy/modules/services/glusterfs.if46
-rw-r--r--policy/modules/services/glusterfs.te105
-rw-r--r--policy/modules/services/gnomeclock.fc7
-rw-r--r--policy/modules/services/gnomeclock.if90
-rw-r--r--policy/modules/services/gnomeclock.te87
-rw-r--r--policy/modules/services/gpm.fc13
-rw-r--r--policy/modules/services/gpm.if120
-rw-r--r--policy/modules/services/gpm.te83
-rw-r--r--policy/modules/services/gpsd.fc8
-rw-r--r--policy/modules/services/gpsd.if100
-rw-r--r--policy/modules/services/gpsd.te84
-rw-r--r--policy/modules/services/gssproxy.fc8
-rw-r--r--policy/modules/services/gssproxy.if168
-rw-r--r--policy/modules/services/gssproxy.te67
-rw-r--r--policy/modules/services/hadoop.fc53
-rw-r--r--policy/modules/services/hadoop.if472
-rw-r--r--policy/modules/services/hadoop.te553
-rw-r--r--policy/modules/services/hal.fc29
-rw-r--r--policy/modules/services/hal.if440
-rw-r--r--policy/modules/services/hal.te500
-rw-r--r--policy/modules/services/hddtemp.fc7
-rw-r--r--policy/modules/services/hddtemp.if70
-rw-r--r--policy/modules/services/hddtemp.te49
-rw-r--r--policy/modules/services/howl.fc6
-rw-r--r--policy/modules/services/howl.if50
-rw-r--r--policy/modules/services/howl.te79
-rw-r--r--policy/modules/services/hypervkvp.fc5
-rw-r--r--policy/modules/services/hypervkvp.if29
-rw-r--r--policy/modules/services/hypervkvp.te28
-rw-r--r--policy/modules/services/i18n_input.fc18
-rw-r--r--policy/modules/services/i18n_input.if36
-rw-r--r--policy/modules/services/i18n_input.te126
-rw-r--r--policy/modules/services/icecast.fc8
-rw-r--r--policy/modules/services/icecast.if189
-rw-r--r--policy/modules/services/icecast.te88
-rw-r--r--policy/modules/services/ifplugd.fc9
-rw-r--r--policy/modules/services/ifplugd.if132
-rw-r--r--policy/modules/services/ifplugd.te72
-rw-r--r--policy/modules/services/imaze.fc7
-rw-r--r--policy/modules/services/imaze.if1
-rw-r--r--policy/modules/services/imaze.te85
-rw-r--r--policy/modules/services/inetd.fc19
-rw-r--r--policy/modules/services/inetd.if177
-rw-r--r--policy/modules/services/inetd.te238
-rw-r--r--policy/modules/services/inn.fc60
-rw-r--r--policy/modules/services/inn.if252
-rw-r--r--policy/modules/services/inn.te129
-rw-r--r--policy/modules/services/iodine.fc7
-rw-r--r--policy/modules/services/iodine.if29
-rw-r--r--policy/modules/services/iodine.te57
-rw-r--r--policy/modules/services/ircd.fc23
-rw-r--r--policy/modules/services/ircd.if42
-rw-r--r--policy/modules/services/ircd.te89
-rw-r--r--policy/modules/services/irqbalance.fc9
-rw-r--r--policy/modules/services/irqbalance.if33
-rw-r--r--policy/modules/services/irqbalance.te59
-rw-r--r--policy/modules/services/isns.fc10
-rw-r--r--policy/modules/services/isns.if36
-rw-r--r--policy/modules/services/isns.te55
-rw-r--r--policy/modules/services/jabber.fc32
-rw-r--r--policy/modules/services/jabber.if86
-rw-r--r--policy/modules/services/jabber.te147
-rw-r--r--policy/modules/services/jockey.fc6
-rw-r--r--policy/modules/services/jockey.if1
-rw-r--r--policy/modules/services/jockey.te59
-rw-r--r--policy/modules/services/kerberos.fc55
-rw-r--r--policy/modules/services/kerberos.if487
-rw-r--r--policy/modules/services/kerberos.te330
-rw-r--r--policy/modules/services/kerneloops.fc5
-rw-r--r--policy/modules/services/kerneloops.if115
-rw-r--r--policy/modules/services/kerneloops.te55
-rw-r--r--policy/modules/services/keyboardd.fc1
-rw-r--r--policy/modules/services/keyboardd.if19
-rw-r--r--policy/modules/services/keyboardd.te24
-rw-r--r--policy/modules/services/keystone.fc7
-rw-r--r--policy/modules/services/keystone.if39
-rw-r--r--policy/modules/services/keystone.te76
-rw-r--r--policy/modules/services/ksmtuned.fc9
-rw-r--r--policy/modules/services/ksmtuned.if74
-rw-r--r--policy/modules/services/ksmtuned.te55
-rw-r--r--policy/modules/services/ktalk.fc9
-rw-r--r--policy/modules/services/ktalk.if1
-rw-r--r--policy/modules/services/ktalk.te61
-rw-r--r--policy/modules/services/l2tp.fc13
-rw-r--r--policy/modules/services/l2tp.if99
-rw-r--r--policy/modules/services/l2tp.te94
-rw-r--r--policy/modules/services/ldap.fc32
-rw-r--r--policy/modules/services/ldap.if156
-rw-r--r--policy/modules/services/ldap.te167
-rw-r--r--policy/modules/services/likewise.fc109
-rw-r--r--policy/modules/services/likewise.if131
-rw-r--r--policy/modules/services/likewise.te254
-rw-r--r--policy/modules/services/lircd.fc17
-rw-r--r--policy/modules/services/lircd.if95
-rw-r--r--policy/modules/services/lircd.te75
-rw-r--r--policy/modules/services/lldpad.fc9
-rw-r--r--policy/modules/services/lldpad.if55
-rw-r--r--policy/modules/services/lldpad.te62
-rw-r--r--policy/modules/services/lpd.fc39
-rw-r--r--policy/modules/services/lpd.if255
-rw-r--r--policy/modules/services/lpd.te302
-rw-r--r--policy/modules/services/lsm.fc3
-rw-r--r--policy/modules/services/lsm.if30
-rw-r--r--policy/modules/services/lsm.te29
-rw-r--r--policy/modules/services/mailman.fc29
-rw-r--r--policy/modules/services/mailman.if343
-rw-r--r--policy/modules/services/mailman.te269
-rw-r--r--policy/modules/services/mailscanner.fc15
-rw-r--r--policy/modules/services/mailscanner.if60
-rw-r--r--policy/modules/services/mailscanner.te101
-rw-r--r--policy/modules/services/mediawiki.fc8
-rw-r--r--policy/modules/services/mediawiki.if1
-rw-r--r--policy/modules/services/mediawiki.te17
-rw-r--r--policy/modules/services/memcached.fc6
-rw-r--r--policy/modules/services/memcached.if131
-rw-r--r--policy/modules/services/memcached.te62
-rw-r--r--policy/modules/services/milter.fc25
-rw-r--r--policy/modules/services/milter.if117
-rw-r--r--policy/modules/services/milter.te121
-rw-r--r--policy/modules/services/minidlna.fc16
-rw-r--r--policy/modules/services/minidlna.if61
-rw-r--r--policy/modules/services/minidlna.te106
-rw-r--r--policy/modules/services/minissdpd.fc10
-rw-r--r--policy/modules/services/minissdpd.if55
-rw-r--r--policy/modules/services/minissdpd.te51
-rw-r--r--policy/modules/services/modemmanager.fc5
-rw-r--r--policy/modules/services/modemmanager.if41
-rw-r--r--policy/modules/services/modemmanager.te62
-rw-r--r--policy/modules/services/mojomojo.fc5
-rw-r--r--policy/modules/services/mojomojo.if1
-rw-r--r--policy/modules/services/mojomojo.te27
-rw-r--r--policy/modules/services/mon.fc13
-rw-r--r--policy/modules/services/mon.if38
-rw-r--r--policy/modules/services/mon.te230
-rw-r--r--policy/modules/services/mongodb.fc9
-rw-r--r--policy/modules/services/mongodb.if39
-rw-r--r--policy/modules/services/mongodb.te61
-rw-r--r--policy/modules/services/monit.fc14
-rw-r--r--policy/modules/services/monit.if126
-rw-r--r--policy/modules/services/monit.te179
-rw-r--r--policy/modules/services/monop.fc11
-rw-r--r--policy/modules/services/monop.if39
-rw-r--r--policy/modules/services/monop.te84
-rw-r--r--policy/modules/services/mpd.fc11
-rw-r--r--policy/modules/services/mpd.if347
-rw-r--r--policy/modules/services/mpd.te208
-rw-r--r--policy/modules/services/mta.fc40
-rw-r--r--policy/modules/services/mta.if1160
-rw-r--r--policy/modules/services/mta.te431
-rw-r--r--policy/modules/services/munin.fc77
-rw-r--r--policy/modules/services/munin.if194
-rw-r--r--policy/modules/services/munin.te426
-rw-r--r--policy/modules/services/mysql.fc37
-rw-r--r--policy/modules/services/mysql.if501
-rw-r--r--policy/modules/services/mysql.te264
-rw-r--r--policy/modules/services/nagios.fc88
-rw-r--r--policy/modules/services/nagios.if226
-rw-r--r--policy/modules/services/nagios.te455
-rw-r--r--policy/modules/services/nessus.fc15
-rw-r--r--policy/modules/services/nessus.if42
-rw-r--r--policy/modules/services/nessus.te110
-rw-r--r--policy/modules/services/networkmanager.fc50
-rw-r--r--policy/modules/services/networkmanager.if424
-rw-r--r--policy/modules/services/networkmanager.te442
-rw-r--r--policy/modules/services/nis.fc30
-rw-r--r--policy/modules/services/nis.if374
-rw-r--r--policy/modules/services/nis.te364
-rw-r--r--policy/modules/services/nscd.fc15
-rw-r--r--policy/modules/services/nscd.if311
-rw-r--r--policy/modules/services/nscd.te143
-rw-r--r--policy/modules/services/nsd.fc21
-rw-r--r--policy/modules/services/nsd.if39
-rw-r--r--policy/modules/services/nsd.te161
-rw-r--r--policy/modules/services/nslcd.fc9
-rw-r--r--policy/modules/services/nslcd.if112
-rw-r--r--policy/modules/services/nslcd.te63
-rw-r--r--policy/modules/services/ntop.fc11
-rw-r--r--policy/modules/services/ntop.if39
-rw-r--r--policy/modules/services/ntop.te109
-rw-r--r--policy/modules/services/ntp.fc47
-rw-r--r--policy/modules/services/ntp.if255
-rw-r--r--policy/modules/services/ntp.te193
-rw-r--r--policy/modules/services/numad.fc7
-rw-r--r--policy/modules/services/numad.if36
-rw-r--r--policy/modules/services/numad.te44
-rw-r--r--policy/modules/services/nut.fc27
-rw-r--r--policy/modules/services/nut.if36
-rw-r--r--policy/modules/services/nut.te162
-rw-r--r--policy/modules/services/nx.fc13
-rw-r--r--policy/modules/services/nx.if92
-rw-r--r--policy/modules/services/nx.te80
-rw-r--r--policy/modules/services/oav.fc12
-rw-r--r--policy/modules/services/oav.if47
-rw-r--r--policy/modules/services/oav.te125
-rw-r--r--policy/modules/services/obex.fc1
-rw-r--r--policy/modules/services/obex.if88
-rw-r--r--policy/modules/services/obex.te43
-rw-r--r--policy/modules/services/oddjob.fc11
-rw-r--r--policy/modules/services/oddjob.if150
-rw-r--r--policy/modules/services/oddjob.te105
-rw-r--r--policy/modules/services/oident.fc10
-rw-r--r--policy/modules/services/oident.if119
-rw-r--r--policy/modules/services/oident.te71
-rw-r--r--policy/modules/services/openca.fc9
-rw-r--r--policy/modules/services/openca.if76
-rw-r--r--policy/modules/services/openca.te66
-rw-r--r--policy/modules/services/openct.fc9
-rw-r--r--policy/modules/services/openct.if127
-rw-r--r--policy/modules/services/openct.te67
-rw-r--r--policy/modules/services/openhpi.fc9
-rw-r--r--policy/modules/services/openhpi.if36
-rw-r--r--policy/modules/services/openhpi.te57
-rw-r--r--policy/modules/services/openvpn.fc15
-rw-r--r--policy/modules/services/openvpn.if163
-rw-r--r--policy/modules/services/openvpn.te177
-rw-r--r--policy/modules/services/openvswitch.fc12
-rw-r--r--policy/modules/services/openvswitch.if80
-rw-r--r--policy/modules/services/openvswitch.te97
-rw-r--r--policy/modules/services/pacemaker.fc11
-rw-r--r--policy/modules/services/pacemaker.if36
-rw-r--r--policy/modules/services/pacemaker.te83
-rw-r--r--policy/modules/services/pads.fc10
-rw-r--r--policy/modules/services/pads.if36
-rw-r--r--policy/modules/services/pads.te66
-rw-r--r--policy/modules/services/pcscd.fc14
-rw-r--r--policy/modules/services/pcscd.if93
-rw-r--r--policy/modules/services/pcscd.te94
-rw-r--r--policy/modules/services/pegasus.fc18
-rw-r--r--policy/modules/services/pegasus.if49
-rw-r--r--policy/modules/services/pegasus.te195
-rw-r--r--policy/modules/services/perdition.fc9
-rw-r--r--policy/modules/services/perdition.if36
-rw-r--r--policy/modules/services/perdition.te86
-rw-r--r--policy/modules/services/pingd.fc9
-rw-r--r--policy/modules/services/pingd.if94
-rw-r--r--policy/modules/services/pingd.te54
-rw-r--r--policy/modules/services/pkcs.fc11
-rw-r--r--policy/modules/services/pkcs.if42
-rw-r--r--policy/modules/services/pkcs.te65
-rw-r--r--policy/modules/services/plymouthd.fc15
-rw-r--r--policy/modules/services/plymouthd.if269
-rw-r--r--policy/modules/services/plymouthd.te134
-rw-r--r--policy/modules/services/policykit.fc26
-rw-r--r--policy/modules/services/policykit.if248
-rw-r--r--policy/modules/services/policykit.te303
-rw-r--r--policy/modules/services/polipo.fc15
-rw-r--r--policy/modules/services/polipo.if141
-rw-r--r--policy/modules/services/polipo.te171
-rw-r--r--policy/modules/services/portmap.fc12
-rw-r--r--policy/modules/services/portmap.if82
-rw-r--r--policy/modules/services/portmap.te142
-rw-r--r--policy/modules/services/portreserve.fc9
-rw-r--r--policy/modules/services/portreserve.if118
-rw-r--r--policy/modules/services/portreserve.te61
-rw-r--r--policy/modules/services/portslave.fc9
-rw-r--r--policy/modules/services/portslave.if20
-rw-r--r--policy/modules/services/portslave.te111
-rw-r--r--policy/modules/services/postfix.fc70
-rw-r--r--policy/modules/services/postfix.if738
-rw-r--r--policy/modules/services/postfix.te847
-rw-r--r--policy/modules/services/postfixpolicyd.fc9
-rw-r--r--policy/modules/services/postfixpolicyd.if36
-rw-r--r--policy/modules/services/postfixpolicyd.te69
-rw-r--r--policy/modules/services/postgrey.fc14
-rw-r--r--policy/modules/services/postgrey.if83
-rw-r--r--policy/modules/services/postgrey.te110
-rw-r--r--policy/modules/services/ppp.fc35
-rw-r--r--policy/modules/services/ppp.if487
-rw-r--r--policy/modules/services/ppp.te325
-rw-r--r--policy/modules/services/prelude.fc24
-rw-r--r--policy/modules/services/prelude.if145
-rw-r--r--policy/modules/services/prelude.te304
-rw-r--r--policy/modules/services/privoxy.fc11
-rw-r--r--policy/modules/services/privoxy.if39
-rw-r--r--policy/modules/services/privoxy.te116
-rw-r--r--policy/modules/services/procmail.fc7
-rw-r--r--policy/modules/services/procmail.if165
-rw-r--r--policy/modules/services/procmail.te152
-rw-r--r--policy/modules/services/psad.fc13
-rw-r--r--policy/modules/services/psad.if261
-rw-r--r--policy/modules/services/psad.te102
-rw-r--r--policy/modules/services/publicfile.fc6
-rw-r--r--policy/modules/services/publicfile.if1
-rw-r--r--policy/modules/services/publicfile.te34
-rw-r--r--policy/modules/services/pwauth.fc3
-rw-r--r--policy/modules/services/pwauth.if72
-rw-r--r--policy/modules/services/pwauth.te42
-rw-r--r--policy/modules/services/pxe.fc9
-rw-r--r--policy/modules/services/pxe.if36
-rw-r--r--policy/modules/services/pxe.te71
-rw-r--r--policy/modules/services/pyicqt.fc11
-rw-r--r--policy/modules/services/pyicqt.if42
-rw-r--r--policy/modules/services/pyicqt.te92
-rw-r--r--policy/modules/services/pyzor.fc12
-rw-r--r--policy/modules/services/pyzor.if134
-rw-r--r--policy/modules/services/pyzor.te160
-rw-r--r--policy/modules/services/qmail.fc49
-rw-r--r--policy/modules/services/qmail.if143
-rw-r--r--policy/modules/services/qmail.te322
-rw-r--r--policy/modules/services/qpid.fc10
-rw-r--r--policy/modules/services/qpid.if187
-rw-r--r--policy/modules/services/qpid.te73
-rw-r--r--policy/modules/services/quantum.fc10
-rw-r--r--policy/modules/services/quantum.if39
-rw-r--r--policy/modules/services/quantum.te96
-rw-r--r--policy/modules/services/rabbitmq.fc10
-rw-r--r--policy/modules/services/rabbitmq.if60
-rw-r--r--policy/modules/services/rabbitmq.te124
-rw-r--r--policy/modules/services/radius.fc26
-rw-r--r--policy/modules/services/radius.if43
-rw-r--r--policy/modules/services/radius.te145
-rw-r--r--policy/modules/services/radvd.fc10
-rw-r--r--policy/modules/services/radvd.if36
-rw-r--r--policy/modules/services/radvd.te79
-rw-r--r--policy/modules/services/razor.fc9
-rw-r--r--policy/modules/services/razor.if130
-rw-r--r--policy/modules/services/razor.te139
-rw-r--r--policy/modules/services/rdisc.fc3
-rw-r--r--policy/modules/services/rdisc.if20
-rw-r--r--policy/modules/services/rdisc.te58
-rw-r--r--policy/modules/services/realmd.fc1
-rw-r--r--policy/modules/services/realmd.if41
-rw-r--r--policy/modules/services/realmd.te90
-rw-r--r--policy/modules/services/redis.fc13
-rw-r--r--policy/modules/services/redis.if42
-rw-r--r--policy/modules/services/redis.te72
-rw-r--r--policy/modules/services/remotelogin.fc1
-rw-r--r--policy/modules/services/remotelogin.if79
-rw-r--r--policy/modules/services/remotelogin.te100
-rw-r--r--policy/modules/services/resmgr.fc10
-rw-r--r--policy/modules/services/resmgr.if56
-rw-r--r--policy/modules/services/resmgr.te67
-rw-r--r--policy/modules/services/rgmanager.fc15
-rw-r--r--policy/modules/services/rgmanager.if120
-rw-r--r--policy/modules/services/rgmanager.te205
-rw-r--r--policy/modules/services/rhcs.fc40
-rw-r--r--policy/modules/services/rhcs.if496
-rw-r--r--policy/modules/services/rhcs.te330
-rw-r--r--policy/modules/services/rhgb.fc1
-rw-r--r--policy/modules/services/rhgb.if205
-rw-r--r--policy/modules/services/rhgb.te127
-rw-r--r--policy/modules/services/rhsmcertd.fc11
-rw-r--r--policy/modules/services/rhsmcertd.if301
-rw-r--r--policy/modules/services/rhsmcertd.te74
-rw-r--r--policy/modules/services/ricci.fc21
-rw-r--r--policy/modules/services/ricci.if219
-rw-r--r--policy/modules/services/ricci.te531
-rw-r--r--policy/modules/services/rlogin.fc10
-rw-r--r--policy/modules/services/rlogin.if150
-rw-r--r--policy/modules/services/rlogin.te120
-rw-r--r--policy/modules/services/rngd.fc7
-rw-r--r--policy/modules/services/rngd.if32
-rw-r--r--policy/modules/services/rngd.te42
-rw-r--r--policy/modules/services/roundup.fc5
-rw-r--r--policy/modules/services/roundup.if36
-rw-r--r--policy/modules/services/roundup.te89
-rw-r--r--policy/modules/services/rpc.fc32
-rw-r--r--policy/modules/services/rpc.if395
-rw-r--r--policy/modules/services/rpc.te363
-rw-r--r--policy/modules/services/rpcbind.fc12
-rw-r--r--policy/modules/services/rpcbind.if170
-rw-r--r--policy/modules/services/rpcbind.te80
-rw-r--r--policy/modules/services/rshd.fc7
-rw-r--r--policy/modules/services/rshd.if20
-rw-r--r--policy/modules/services/rshd.te79
-rw-r--r--policy/modules/services/rsync.fc7
-rw-r--r--policy/modules/services/rsync.if279
-rw-r--r--policy/modules/services/rsync.te200
-rw-r--r--policy/modules/services/rtkit.fc8
-rw-r--r--policy/modules/services/rtkit.if94
-rw-r--r--policy/modules/services/rtkit.te61
-rw-r--r--policy/modules/services/rwho.fc9
-rw-r--r--policy/modules/services/rwho.if152
-rw-r--r--policy/modules/services/rwho.te64
-rw-r--r--policy/modules/services/samba.fc57
-rw-r--r--policy/modules/services/samba.if716
-rw-r--r--policy/modules/services/samba.te1037
-rw-r--r--policy/modules/services/sanlock.fc9
-rw-r--r--policy/modules/services/sanlock.if114
-rw-r--r--policy/modules/services/sanlock.te106
-rw-r--r--policy/modules/services/sasl.fc9
-rw-r--r--policy/modules/services/sasl.if55
-rw-r--r--policy/modules/services/sasl.te117
-rw-r--r--policy/modules/services/sendmail.fc7
-rw-r--r--policy/modules/services/sendmail.if363
-rw-r--r--policy/modules/services/sendmail.te215
-rw-r--r--policy/modules/services/sensord.fc7
-rw-r--r--policy/modules/services/sensord.if32
-rw-r--r--policy/modules/services/sensord.te35
-rw-r--r--policy/modules/services/setroubleshoot.fc11
-rw-r--r--policy/modules/services/setroubleshoot.if160
-rw-r--r--policy/modules/services/setroubleshoot.te199
-rw-r--r--policy/modules/services/shibboleth.fc8
-rw-r--r--policy/modules/services/shibboleth.if40
-rw-r--r--policy/modules/services/shibboleth.te72
-rw-r--r--policy/modules/services/slpd.fc9
-rw-r--r--policy/modules/services/slpd.if36
-rw-r--r--policy/modules/services/slpd.te55
-rw-r--r--policy/modules/services/slrnpull.fc7
-rw-r--r--policy/modules/services/slrnpull.if42
-rw-r--r--policy/modules/services/slrnpull.te70
-rw-r--r--policy/modules/services/smartmon.fc10
-rw-r--r--policy/modules/services/smartmon.if58
-rw-r--r--policy/modules/services/smartmon.te125
-rw-r--r--policy/modules/services/smokeping.fc11
-rw-r--r--policy/modules/services/smokeping.if171
-rw-r--r--policy/modules/services/smokeping.te78
-rw-r--r--policy/modules/services/smstools.fc15
-rw-r--r--policy/modules/services/smstools.if46
-rw-r--r--policy/modules/services/smstools.te74
-rw-r--r--policy/modules/services/snmp.fc23
-rw-r--r--policy/modules/services/snmp.if201
-rw-r--r--policy/modules/services/snmp.te185
-rw-r--r--policy/modules/services/snort.fc14
-rw-r--r--policy/modules/services/snort.if58
-rw-r--r--policy/modules/services/snort.te117
-rw-r--r--policy/modules/services/soundserver.fc15
-rw-r--r--policy/modules/services/soundserver.if46
-rw-r--r--policy/modules/services/soundserver.te109
-rw-r--r--policy/modules/services/spamassassin.fc39
-rw-r--r--policy/modules/services/spamassassin.if435
-rw-r--r--policy/modules/services/spamassassin.te573
-rw-r--r--policy/modules/services/speedtouch.fc5
-rw-r--r--policy/modules/services/speedtouch.if1
-rw-r--r--policy/modules/services/speedtouch.te61
-rw-r--r--policy/modules/services/squid.fc22
-rw-r--r--policy/modules/services/squid.if243
-rw-r--r--policy/modules/services/squid.te252
-rw-r--r--policy/modules/services/sssd.fc17
-rw-r--r--policy/modules/services/sssd.if358
-rw-r--r--policy/modules/services/sssd.te129
-rw-r--r--policy/modules/services/stunnel.fc7
-rw-r--r--policy/modules/services/stunnel.if46
-rw-r--r--policy/modules/services/stunnel.te109
-rw-r--r--policy/modules/services/svnserve.fc8
-rw-r--r--policy/modules/services/svnserve.if32
-rw-r--r--policy/modules/services/svnserve.te59
-rw-r--r--policy/modules/services/sysstat.fc11
-rw-r--r--policy/modules/services/sysstat.if53
-rw-r--r--policy/modules/services/sysstat.te77
-rw-r--r--policy/modules/services/systemtap.fc11
-rw-r--r--policy/modules/services/systemtap.if42
-rw-r--r--policy/modules/services/systemtap.te101
-rw-r--r--policy/modules/services/tcpd.fc3
-rw-r--r--policy/modules/services/tcpd.if46
-rw-r--r--policy/modules/services/tcpd.te49
-rw-r--r--policy/modules/services/tcsd.fc10
-rw-r--r--policy/modules/services/tcsd.if148
-rw-r--r--policy/modules/services/tcsd.te55
-rw-r--r--policy/modules/services/telnet.fc5
-rw-r--r--policy/modules/services/telnet.if20
-rw-r--r--policy/modules/services/telnet.te103
-rw-r--r--policy/modules/services/tftp.fc13
-rw-r--r--policy/modules/services/tftp.if183
-rw-r--r--policy/modules/services/tftp.te140
-rw-r--r--policy/modules/services/tgtd.fc9
-rw-r--r--policy/modules/services/tgtd.if99
-rw-r--r--policy/modules/services/tgtd.te87
-rw-r--r--policy/modules/services/timidity.fc1
-rw-r--r--policy/modules/services/timidity.if1
-rw-r--r--policy/modules/services/timidity.te75
-rw-r--r--policy/modules/services/tor.fc15
-rw-r--r--policy/modules/services/tor.if61
-rw-r--r--policy/modules/services/tor.te124
-rw-r--r--policy/modules/services/transproxy.fc7
-rw-r--r--policy/modules/services/transproxy.if32
-rw-r--r--policy/modules/services/transproxy.te69
-rw-r--r--policy/modules/services/tuned.fc14
-rw-r--r--policy/modules/services/tuned.if135
-rw-r--r--policy/modules/services/tuned.te98
-rw-r--r--policy/modules/services/ucspitcp.fc2
-rw-r--r--policy/modules/services/ucspitcp.if29
-rw-r--r--policy/modules/services/ucspitcp.te93
-rw-r--r--policy/modules/services/ulogd.fc11
-rw-r--r--policy/modules/services/ulogd.if139
-rw-r--r--policy/modules/services/ulogd.te60
-rw-r--r--policy/modules/services/uptime.fc11
-rw-r--r--policy/modules/services/uptime.if39
-rw-r--r--policy/modules/services/uptime.te73
-rw-r--r--policy/modules/services/usbmuxd.fc5
-rw-r--r--policy/modules/services/usbmuxd.if40
-rw-r--r--policy/modules/services/usbmuxd.te43
-rw-r--r--policy/modules/services/uucp.fc13
-rw-r--r--policy/modules/services/uucp.if125
-rw-r--r--policy/modules/services/uucp.te169
-rw-r--r--policy/modules/services/uuidd.fc9
-rw-r--r--policy/modules/services/uuidd.if191
-rw-r--r--policy/modules/services/uuidd.te47
-rw-r--r--policy/modules/services/uwimap.fc3
-rw-r--r--policy/modules/services/uwimap.if20
-rw-r--r--policy/modules/services/uwimap.te107
-rw-r--r--policy/modules/services/varnishd.fc19
-rw-r--r--policy/modules/services/varnishd.if212
-rw-r--r--policy/modules/services/varnishd.te142
-rw-r--r--policy/modules/services/vdagent.fc11
-rw-r--r--policy/modules/services/vdagent.if131
-rw-r--r--policy/modules/services/vdagent.te65
-rw-r--r--policy/modules/services/vhostmd.fc7
-rw-r--r--policy/modules/services/vhostmd.if229
-rw-r--r--policy/modules/services/vhostmd.te87
-rw-r--r--policy/modules/services/virt.fc67
-rw-r--r--policy/modules/services/virt.if1190
-rw-r--r--policy/modules/services/virt.te1391
-rw-r--r--policy/modules/services/vnstatd.fc17
-rw-r--r--policy/modules/services/vnstatd.if189
-rw-r--r--policy/modules/services/vnstatd.te103
-rw-r--r--policy/modules/services/w3c.fc4
-rw-r--r--policy/modules/services/w3c.if1
-rw-r--r--policy/modules/services/w3c.te34
-rw-r--r--policy/modules/services/watchdog.fc9
-rw-r--r--policy/modules/services/watchdog.if36
-rw-r--r--policy/modules/services/watchdog.te102
-rw-r--r--policy/modules/services/wdmd.fc7
-rw-r--r--policy/modules/services/wdmd.if52
-rw-r--r--policy/modules/services/wdmd.te60
-rw-r--r--policy/modules/services/xfs.fc11
-rw-r--r--policy/modules/services/xfs.if113
-rw-r--r--policy/modules/services/xfs.te86
-rw-r--r--policy/modules/services/xprint.fc1
-rw-r--r--policy/modules/services/xprint.if1
-rw-r--r--policy/modules/services/xprint.te82
-rw-r--r--policy/modules/services/zabbix.fc18
-rw-r--r--policy/modules/services/zabbix.if163
-rw-r--r--policy/modules/services/zabbix.te197
-rw-r--r--policy/modules/services/zarafa.fc33
-rw-r--r--policy/modules/services/zarafa.if171
-rw-r--r--policy/modules/services/zarafa.te178
-rw-r--r--policy/modules/services/zebra.fc26
-rw-r--r--policy/modules/services/zebra.if85
-rw-r--r--policy/modules/services/zebra.te141
-rw-r--r--policy/modules/services/zosremote.fc3
-rw-r--r--policy/modules/services/zosremote.if46
-rw-r--r--policy/modules/services/zosremote.te29
777 files changed, 81888 insertions, 0 deletions
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
new file mode 100644
index 000000000..d05819bea
--- /dev/null
+++ b/policy/modules/services/abrt.fc
@@ -0,0 +1,34 @@
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/bin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+
+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
new file mode 100644
index 000000000..9d1f00da9
--- /dev/null
+++ b/policy/modules/services/abrt.if
@@ -0,0 +1,307 @@
+## <summary>Automated bug-reporting tool.</summary>
+
+######################################
+## <summary>
+## Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+ gen_require(`
+ type abrt_t, abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+## Execute abrt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_exec',`
+ gen_require(`
+ type abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, abrt_exec_t)
+')
+
+########################################
+## <summary>
+## Send null signals to abrt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_signull',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:process signull;
+')
+
+########################################
+## <summary>
+## Read process state of abrt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_state',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ ps_process_pattern($1, abrt_t)
+')
+
+########################################
+## <summary>
+## Connect to abrt over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_stream_connect',`
+ gen_require(`
+ type abrt_t, abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_dbus_chat',`
+ gen_require(`
+ type abrt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
+
+#####################################
+## <summary>
+## Execute abrt-helper in the abrt
+## helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_helper',`
+ gen_require(`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
+########################################
+## <summary>
+## Execute abrt helper in the abrt
+## helper domain, and allow the
+## specified role the abrt helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_run_helper',`
+ gen_require(`
+ attribute_role abrt_helper_roles;
+ ')
+
+ abrt_domtrans_helper($1)
+ roleattribute $2 abrt_helper_roles;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## abrt cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+####################################
+## <summary>
+## Read abrt configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+## Read abrt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_log',`
+ gen_require(`
+ type abrt_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+######################################
+## <summary>
+## Read abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+#####################################
+## <summary>
+## All of the rules required to
+## administrate an abrt environment,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+ gen_require(`
+ attribute abrt_domain;
+ type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
+ type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
+ type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+ ')
+
+ allow $1 abrt_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, abrt_domain)
+
+ init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+
+ files_search_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+')
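Review bot: `abrt_manage_cache` only grants `files_search_var($1)`, but abrt.fc in this same commit also labels `/var/spool/abrt(/.*)?` as abrt_var_cache_t, and abrt.te gives abrt_helper_t and abrt_dump_oops_t `files_search_spool` to reach that copy; a caller of this interface cannot traverse /var/spool to the spool-side cache. Adding `files_search_spool($1)` next to the existing search call closes the gap. Separately, the `abrt_admin` summary ends with a comma (`administrate an abrt environment,`) and the `abrt_stream_connect` summary says `over an unix stream socket`; both should read `environment.` and `a unix`.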
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
new file mode 100644
index 000000000..718736b50
--- /dev/null
+++ b/policy/modules/services/abrt.te
@@ -0,0 +1,441 @@
+policy_module(abrt, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether ABRT can modify
+## public files used for public file
+## transfer services.
+## </p>
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether abrt-handle-upload
+## can modify public files used for public file
+## transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
+## <p>
+## Determine whether ABRT can run in
+## the abrt_handle_event_t domain to
+## handle ABRT event scripts.
+## </p>
+## </desc>
+gen_tunable(abrt_handle_event, false)
+
+attribute abrt_domain;
+
+attribute_role abrt_helper_roles;
+roleattribute system_r abrt_helper_roles;
+
+type abrt_t, abrt_domain;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+type abrt_dump_oops_t, abrt_domain;
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
+type abrt_handle_event_t, abrt_domain;
+type abrt_handle_event_exec_t;
+domain_type(abrt_handle_event_t)
+domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+role system_r types abrt_handle_event_t;
+
+type abrt_helper_t, abrt_domain;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role abrt_helper_roles types abrt_helper_t;
+
+type abrt_retrace_coredump_t, abrt_domain;
+type abrt_retrace_coredump_exec_t;
+domain_type(abrt_retrace_coredump_t)
+domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
+type abrt_retrace_worker_t, abrt_domain;
+type abrt_retrace_worker_exec_t;
+domain_type(abrt_retrace_worker_t)
+domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+role system_r types abrt_retrace_worker_t;
+
+type abrt_retrace_cache_t;
+files_type(abrt_retrace_cache_t)
+
+type abrt_retrace_spool_t;
+files_type(abrt_retrace_spool_t)
+
+type abrt_watch_log_t, abrt_domain;
+type abrt_watch_log_exec_t;
+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket { accept listen };
+
+allow abrt_t abrt_etc_t:dir list_dir_perms;
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+
+can_exec(abrt_t, abrt_tmp_t)
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_request_load_module(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+
+corenet_all_recvfrom_netlabel(abrt_t)
+corenet_all_recvfrom_unlabeled(abrt_t)
+corenet_tcp_sendrecv_generic_if(abrt_t)
+corenet_tcp_sendrecv_generic_node(abrt_t)
+corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_bind_generic_node(abrt_t)
+
+corenet_sendrecv_all_client_packets(abrt_t)
+corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
+
+dev_getattr_all_chr_files(abrt_t)
+dev_getattr_all_blk_files(abrt_t)
+dev_read_rand(abrt_t)
+dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+
+domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_config_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
+files_read_var_symlinks(abrt_t)
+files_read_usr_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
+files_list_mnt(abrt_t)
+
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+fs_list_inotifyfs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
+
+auth_use_nsswitch(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+
+miscfiles_read_public_files(abrt_t)
+
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+ apache_list_modules(abrt_t)
+ apache_read_module_files(abrt_t)
+')
+
+optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ ')
+')
+
+optional_policy(`
+ dmesg_domtrans(abrt_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
+
+optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
+')
+
+optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(abrt_t)
+')
+
+optional_policy(`
+ sosreport_domtrans(abrt_t)
+ sosreport_read_tmp_files(abrt_t)
+ sosreport_delete_tmp_files(abrt_t)
+')
+
+#######################################
+#
+# Handle-event local policy
+#
+
+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
+
+tunable_policy(`abrt_handle_event',`
+ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
+',`
+ can_exec(abrt_t, abrt_handle_event_exec_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid sys_nice };
+allow abrt_helper_t self:process signal;
+
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+files_search_spool(abrt_helper_t)
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
+corecmd_read_all_executables(abrt_helper_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms',`
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
+
+#######################################
+#
+# Retrace coredump policy
+#
+
+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+corecmd_exec_bin(abrt_retrace_coredump_t)
+corecmd_exec_shell(abrt_retrace_coredump_t)
+
+dev_read_urand(abrt_retrace_coredump_t)
+
+files_read_usr_files(abrt_retrace_coredump_t)
+
+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+optional_policy(`
+ rpm_exec(abrt_retrace_coredump_t)
+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
+ rpm_manage_cache(abrt_retrace_coredump_t)
+ rpm_manage_log(abrt_retrace_coredump_t)
+ rpm_manage_pid_files(abrt_retrace_coredump_t)
+ rpm_read_db(abrt_retrace_coredump_t)
+ rpm_signull(abrt_retrace_coredump_t)
+')
+
+#######################################
+#
+# Retrace worker policy
+#
+
+allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
+
+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
+
+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+
+corecmd_exec_bin(abrt_retrace_worker_t)
+corecmd_exec_shell(abrt_retrace_worker_t)
+
+dev_read_urand(abrt_retrace_worker_t)
+
+files_read_usr_files(abrt_retrace_worker_t)
+
+sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+########################################
+#
+# Dump oops local policy
+#
+
+allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+
+files_search_spool(abrt_dump_oops_t)
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
+read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
+
+domain_use_interactive_fds(abrt_dump_oops_t)
+
+fs_list_inotifyfs(abrt_dump_oops_t)
+
+logging_read_generic_logs(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+
+#######################################
+#
+# Watch log local policy
+#
+
+allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
+allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+
+read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+
+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+
+corecmd_exec_bin(abrt_watch_log_t)
+
+logging_read_all_logs(abrt_watch_log_t)
+
+#######################################
+#
+# Upload watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
+# Global local policy
+#
+
+kernel_read_system_state(abrt_domain)
+
+files_read_etc_files(abrt_domain)
+
+logging_send_syslog_msg(abrt_domain)
+
+miscfiles_read_localization(abrt_domain)
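Review bot: abrt_t is granted `corenet_tcp_connect_all_ports(abrt_t)` and `corenet_tcp_sendrecv_all_ports(abrt_t)`, which make the narrower `corenet_tcp_connect_http_port(abrt_t)` and `corenet_tcp_connect_ftp_port(abrt_t)` lines just above them redundant; keep either the specific rules or the all-ports rules, and if every port really is needed say why in a comment. The same domain gets manage_*_pattern rules on abrt_tmp_t followed by `can_exec(abrt_t, abrt_tmp_t)`, so it can execute content it wrote itself; a comment naming the abrt component that needs executable temp files would let a later reviewer judge whether that can be narrowed. Note also that with the `abrt_handle_event` tunable off, the fallback `can_exec(abrt_t, abrt_handle_event_exec_t)` runs event handlers with the full abrt_t permission set, which the tunable's `<desc>` text does not mention.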
diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc
new file mode 100644
index 000000000..f9d8d7a92
--- /dev/null
+++ b/policy/modules/services/accountsd.fc
@@ -0,0 +1,5 @@
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
new file mode 100644
index 000000000..312d5692f
--- /dev/null
+++ b/policy/modules/services/accountsd.if
@@ -0,0 +1,148 @@
+## <summary>AccountsService and daemon for manipulating user account information via D-Bus.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run accountsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`accountsd_domtrans',`
+ gen_require(`
+ type accountsd_t, accountsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write Accounts Daemon fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## accountsd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+ gen_require(`
+ type accountsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 accountsd_t:dbus send_msg;
+ allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search accountsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_search_lib',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ allow $1 accountsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_read_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 accountsd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_manage_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an accountsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ allow $1 accountsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+')
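Review bot: `accountsd_search_lib` places `files_search_var_lib($1)` after its allow rule, whereas `accountsd_read_lib_files` and `accountsd_manage_lib_files` put the search call first; ordering all three the same way keeps the interfaces consistent and makes the traversal prerequisite easier to spot. The `accountsd_admin` role parameter is marked `unused="true"` yet the interface still carries `<rolecap/>`; if that is the project convention for admin interfaces without a role it is fine, otherwise drop the tag.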
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
new file mode 100644
index 000000000..5ae5fa505
--- /dev/null
+++ b/policy/modules/services/accountsd.te
@@ -0,0 +1,75 @@
+policy_module(accountsd, 1.2.1)
+
+gen_require(`
+ class passwd all_passwd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
+allow accountsd_t self:process signal;
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+allow accountsd_t self:passwd { rootok passwd chfn chsh };
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
+
+kernel_read_crypto_sysctls(accountsd_t)
+kernel_read_kernel_sysctls(accountsd_t)
+kernel_read_system_state(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+dev_read_sysfs(accountsd_t)
+
+files_read_mnt_files(accountsd_t)
+files_read_usr_files(accountsd_t)
+
+fs_getattr_xattr_fs(accountsd_t)
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_login_records(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_list_logs(accountsd_t)
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+ consolekit_dbus_chat(accountsd_t)
+ consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_tmp_files(accountsd_t)
+')
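Review bot: `usermanage_domtrans_useradd(accountsd_t)` and `usermanage_domtrans_passwd(accountsd_t)` are called unconditionally, while the consolekit, policykit and xserver calls right after them are wrapped in `optional_policy`; if usermanage is not a base module, accountsd will fail to link on builds that omit it. Wrapping both calls in an `optional_policy(\`` … `')` block matches the rest of the file. The local policy also combines the `sys_ptrace` capability, `auth_read_shadow(accountsd_t)` and `passwd { rootok passwd chfn chsh }` in one D-Bus service domain; a comment stating which accountsd operation needs each would help anyone trying to narrow it later.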
diff --git a/policy/modules/services/acpi.fc b/policy/modules/services/acpi.fc
new file mode 100644
index 000000000..ffd4ea007
--- /dev/null
+++ b/policy/modules/services/acpi.fc
@@ -0,0 +1,24 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+/usr/bin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if
new file mode 100644
index 000000000..109b644eb
--- /dev/null
+++ b/policy/modules/services/acpi.if
@@ -0,0 +1,187 @@
+## <summary>Advanced power management.</summary>
+
+########################################
+## <summary>
+## Execute apm in the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`acpi_domtrans_client',`
+ gen_require(`
+ type acpi_t, acpi_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
+')
+
+########################################
+## <summary>
+## Execute apm in the apm domain
+## and allow the specified role
+## the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_run_client',`
+ gen_require(`
+ attribute_role acpi_roles;
+ ')
+
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
+')
+
+########################################
+## <summary>
+## Use apmd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_use_fds',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fd use;
+')
+
+########################################
+## <summary>
+## Write apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_write_pipes',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write to apmd unix
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_rw_stream_sockets',`
+ gen_require(`
+ type acpid_t;
+ ')
+
+ allow $1 acpid_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Append apmd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_append_log',`
+ gen_require(`
+ type acpid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 acpid_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to apmd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acpi_stream_connect',`
+ gen_require(`
+ type acpid_t, acpid_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an apm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`acpi_admin',`
+ gen_require(`
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
+ ')
+
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
+
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, acpid_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, acpid_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, acpid_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, acpid_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, acpid_tmp_t)
+
+ acpi_run_client($1, $2)
+')
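Review bot: `acpi_admin` never references `acpid_unit_t`, even though acpi.te declares it and acpi.fc labels the apmd service file with it, so a role given this interface can only control the daemon through `acpid_initrc_exec_t` and not through its systemd unit. If this tree's `init_startstop_service` accepts a unit-file argument, add `type acpid_unit_t;` to the `gen_require` block and pass it as the fifth argument; if it does not, a short comment in the interface saying that unit management is intentionally left out would stop the next reader from assuming an oversight. Note also that the interface hands out `ptrace` on a domain that itself holds `sys_admin` (acpi.te), which is consistent with the other `*_admin` interfaces here but worth knowing when assigning the role.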
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
new file mode 100644
index 000000000..3a7320d75
--- /dev/null
+++ b/policy/modules/services/acpi.te
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
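Review bot: `can_exec(acpid_t, acpid_var_run_t)` at L2170, together with `manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)` at L2166, gives the daemon a location it can both write and execute, which defeats the separation between `acpid_exec_t` and runtime data; combined with `corecmd_exec_all_executables`, `kernel_rw_all_sysctls`, `kernel_write_proc_files` and the `sys_admin` capability the domain is close to unconfined. Some of this breadth is inherent to acpid running handler scripts from /etc (`files_exec_etc_files`), but executing content under /run is not obviously part of that. If no handler actually executes anything under /run, drop the `can_exec` line; if one does, add a comment above it naming the handler so it is not removed as dead policy later.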
diff --git a/policy/modules/services/afs.fc b/policy/modules/services/afs.fc
new file mode 100644
index 000000000..9307074ef
--- /dev/null
+++ b/policy/modules/services/afs.fc
@@ -0,0 +1,52 @@
+/etc/(open)?afs(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openafs-server -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+
+/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/usr/bin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
+/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/libexec/openafs/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/libexec/openafs/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/salvagerserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/sbin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+
+/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
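Review bot: `/usr/libexec/openafs/salvagerserver` at L2361 does not match the daemon name used by the `/usr/afs/bin/salvageserver` entry at L2336, so the libexec copy of that binary would keep its default label instead of `afs_fsserver_exec_t` and would not transition into `afs_fsserver_t` when bosserver starts it. Assuming the libexec layout installs the same binaries as /usr/afs/bin, the line should read `/usr/libexec/openafs/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)`.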
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
new file mode 100644
index 000000000..d934f4549
--- /dev/null
+++ b/policy/modules/services/afs.if
@@ -0,0 +1,122 @@
+## <summary>Andrew Filesystem server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run the
+## afs client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_domtrans',`
+ gen_require(`
+ type afs_t, afs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, afs_exec_t, afs_t)
+')
+
+########################################
+## <summary>
+## Read and write afs client UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_udp_sockets',`
+ gen_require(`
+ type afs_t;
+ ')
+
+ allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write afs cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_cache',`
+ gen_require(`
+ type afs_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 afs_cache_t:file { read write };
+')
+
+########################################
+## <summary>
+## Execute afs server in the afs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_initrc_domtrans',`
+ gen_require(`
+ type afs_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an afs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`afs_admin',`
+ gen_require(`
+ attribute afs_domain;
+ type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+ type afs_ka_db_t, afs_vl_db_t, afs_config_t;
+ type afs_logfile_t, afs_cache_t, afs_files_t;
+ ')
+
+ allow $1 afs_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, afs_domain)
+
+ init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, afs_config_t)
+
+ files_search_var($1)
+ admin_pattern($1, afs_cache_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t })
+ admin_pattern($1, afs_vl_db_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, afs_logfile_t)
+
+ admin_pattern($1, afs_files_t)
+')
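Review bot: The search permissions in `afs_admin` do not match where afs.fc places the files: `afs_dbdir_t` and the db types live under `/usr/afs/db`, `afs_logfile_t` under `/usr/afs/logs`, `afs_config_t` under `/usr/afs/etc` and `/usr/afs/local`, and `afs_cache_t` under `/usr/vice/cache`, yet the interface only grants `files_search_var_lib`, `logging_search_logs`, `files_search_etc` and `files_search_var`. Unless `$1` already holds search on /usr from elsewhere, add `files_search_usr($1)` near the top of the interface so the `admin_pattern` grants are actually reachable. Separately, the summary of `afs_initrc_domtrans` ("Execute afs server in the afs domain") describes a transition into the init script domain, not into `afs_t`; reword it to `## Execute the afs init script in the initrc domain.`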
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
new file mode 100644
index 000000000..9ebe863ac
--- /dev/null
+++ b/policy/modules/services/afs.te
@@ -0,0 +1,325 @@
+policy_module(afs, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute afs_domain;
+
+type afs_t, afs_domain;
+type afs_exec_t;
+init_daemon_domain(afs_t, afs_exec_t)
+
+type afs_bosserver_t, afs_domain;
+type afs_bosserver_exec_t;
+init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
+
+type afs_cache_t;
+files_type(afs_cache_t)
+
+type afs_config_t;
+files_type(afs_config_t)
+
+type afs_dbdir_t;
+files_type(afs_dbdir_t)
+
+# exported files
+type afs_files_t;
+files_type(afs_files_t)
+
+type afs_fsserver_t, afs_domain;
+type afs_fsserver_exec_t;
+domain_type(afs_fsserver_t)
+domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
+role system_r types afs_fsserver_t;
+
+type afs_initrc_exec_t;
+init_script_file(afs_initrc_exec_t)
+
+type afs_ka_db_t;
+files_type(afs_ka_db_t)
+
+type afs_kaserver_t, afs_domain;
+type afs_kaserver_exec_t;
+domain_type(afs_kaserver_t)
+domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
+role system_r types afs_kaserver_t;
+
+type afs_logfile_t;
+logging_log_file(afs_logfile_t)
+
+type afs_pt_db_t;
+files_type(afs_pt_db_t)
+
+type afs_ptserver_t, afs_domain;
+type afs_ptserver_exec_t;
+domain_type(afs_ptserver_t)
+domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
+role system_r types afs_ptserver_t;
+
+type afs_vl_db_t;
+files_type(afs_vl_db_t)
+
+type afs_vlserver_t, afs_domain;
+type afs_vlserver_exec_t;
+domain_type(afs_vlserver_t)
+domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
+role system_r types afs_vlserver_t;
+
+########################################
+#
+# afs client local policy
+#
+
+allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
+allow afs_t self:fifo_file rw_fifo_file_perms;
+allow afs_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
+manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
+files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+kernel_rw_afs_state(afs_t)
+
+files_mounton_mnt(afs_t)
+files_read_usr_files(afs_t)
+files_rw_etc_runtime_files(afs_t)
+
+fs_getattr_xattr_fs(afs_t)
+fs_mount_nfs(afs_t)
+fs_read_nfs_symlinks(afs_t)
+
+logging_send_syslog_msg(afs_t)
+
+########################################
+#
+# AFS bossserver local policy
+#
+
+allow afs_bosserver_t self:process { setsched signal_perms };
+allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(afs_bosserver_t, afs_bosserver_exec_t)
+
+manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+
+allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+
+allow afs_bosserver_t afs_fsserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
+
+allow afs_bosserver_t afs_kaserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
+
+allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
+
+allow afs_bosserver_t afs_ptserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
+
+allow afs_bosserver_t afs_vlserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+kernel_read_kernel_sysctls(afs_bosserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
+corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+corenet_udp_bind_generic_node(afs_bosserver_t)
+
+corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
+
+dev_read_urand(afs_bosserver_t)
+
+files_list_home(afs_bosserver_t)
+files_read_usr_files(afs_bosserver_t)
+
+seutil_read_config(afs_bosserver_t)
+
+########################################
+#
+# fileserver local policy
+#
+
+allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
+dontaudit afs_fsserver_t self:capability fsetid;
+allow afs_fsserver_t self:process { setsched signal_perms };
+allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })
+
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_system_state(afs_fsserver_t)
+kernel_read_kernel_sysctls(afs_fsserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
+
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_tcp_sendrecv_afs_fs_port(afs_fsserver_t)
+corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+
+dev_read_urand(afs_fsserver_t)
+
+files_read_etc_runtime_files(afs_fsserver_t)
+files_list_home(afs_fsserver_t)
+files_read_usr_files(afs_fsserver_t)
+files_list_pids(afs_fsserver_t)
+files_dontaudit_search_mnt(afs_fsserver_t)
+
+fs_getattr_xattr_fs(afs_fsserver_t)
+
+term_dontaudit_use_console(afs_fsserver_t)
+
+init_dontaudit_use_script_fds(afs_fsserver_t)
+
+logging_send_syslog_msg(afs_fsserver_t)
+
+seutil_read_config(afs_fsserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
+
+########################################
+#
+# kaserver local policy
+#
+
+allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)
+
+manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
+filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
+
+manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_kernel_sysctls(afs_kaserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
+corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+corenet_udp_bind_generic_node(afs_kaserver_t)
+
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_udp_bind_afs_ka_port(afs_kaserver_t)
+corenet_udp_sendrecv_afs_ka_port(afs_kaserver_t)
+
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
+
+files_list_home(afs_kaserver_t)
+files_read_usr_files(afs_kaserver_t)
+
+seutil_read_config(afs_kaserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+
+########################################
+#
+# ptserver local policy
+#
+
+allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_node(afs_ptserver_t)
+corenet_udp_sendrecv_generic_node(afs_ptserver_t)
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_bind_generic_node(afs_ptserver_t)
+corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+dev_read_urand(afs_ptserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
+########################################
+#
+# vlserver local policy
+#
+
+allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_node(afs_vlserver_t)
+corenet_udp_sendrecv_generic_node(afs_vlserver_t)
+corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_bind_generic_node(afs_vlserver_t)
+corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+dev_read_urand(afs_vlserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+
+########################################
+#
+# Global local policy
+#
+
+allow afs_domain self:udp_socket create_socket_perms;
+
+files_read_etc_files(afs_domain)
+
+miscfiles_read_localization(afs_domain)
+
+sysnet_read_config(afs_domain)
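Review bot: `afs_ptserver_t` and `afs_vlserver_t` receive `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` (L2778-2779, L2811-2812), while `afs_bosserver_t`, `afs_fsserver_t` and `afs_kaserver_t` are restricted to their own afs port types; since both domains only bind `afs_pt`/`afs_vl`, the all-ports grant looks wider than the visible need and is inconsistent across the module. If the grant exists for the legacy per-port send/recv checks on client ephemeral ports, the same argument would apply to the other server domains, so either narrow these two to their afs ports or add a comment explaining why they differ. The `afs_fsserver_t` and `afs_kaserver_t` domains also get `manage_files_pattern` on `afs_config_t` (L2664, L2724), which is where server key material is presumably kept; if only kaserver needs to write there, the fileserver grant could be reduced to read.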
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
new file mode 100644
index 000000000..5fc50becc
--- /dev/null
+++ b/policy/modules/services/aiccu.fc
@@ -0,0 +1,9 @@
+/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/bin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
new file mode 100644
index 000000000..cd22faa1b
--- /dev/null
+++ b/policy/modules/services/aiccu.if
@@ -0,0 +1,92 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+ gen_require(`
+ type aiccu_t, aiccu_exec_t;
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read aiccu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an aiccu environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+ init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
+
+ admin_pattern($1, aiccu_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_list_pids($1)
+')
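Review bot: The summary of `aiccu_initrc_domtrans` reads "Execute aiccu server in the aiccu domain", but `init_labeled_script_domtrans` transitions the caller into the init script domain, not into `aiccu_t`, so a reader could mistake it for a substitute for `aiccu_domtrans`. Reword it to `## Execute the aiccu init script in the initrc domain.` The `aiccu_admin` interface pairs the script with `init_startstop_service` correctly, so only the wording is off.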
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
index 000000000..82c6dff34
--- /dev/null
+++ b/policy/modules/services/aiccu.te
@@ -0,0 +1,76 @@
+policy_module(aiccu, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket nlmsg_write;
+allow aiccu_t self:tcp_socket { accept listen };
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket { accept listen };
+allow aiccu_t self:unix_stream_socket { accept listen };
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+optional_policy(`
+ modutils_domtrans(aiccu_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(aiccu_t)
+ sysnet_domtrans_ifconfig(aiccu_t)
+')
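Review bot: `allow aiccu_t self:udp_socket { accept listen };` in the local policy block grants accept/listen on a datagram socket, permissions a UDP socket never exercises; it reads like a copy of the tcp_socket rule two lines above and could be dropped or trimmed to what the daemon actually does with its UDP socket. The same block stacks `net_admin`, `net_raw`, a `tun_socket`, `corenet_rw_tun_tap_dev` and the `modutils_domtrans`/`sysnet_domtrans_ifconfig` transitions with no comment saying what they are for, presumably bringing up the tunnel interface. A module-loading transition widens a network-facing daemon's reach considerably, so a why-comment above the two optional_policy blocks such as `# tunnel setup: configures the tun interface via ifconfig and loads the tunnel module via modprobe` would let a later reviewer check whether each grant is still needed.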
diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc
new file mode 100644
index 000000000..578f2d339
--- /dev/null
+++ b/policy/modules/services/aisexec.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/bin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/run/aisexec.* gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
new file mode 100644
index 000000000..9e1a105ab
--- /dev/null
+++ b/policy/modules/services/aisexec.if
@@ -0,0 +1,104 @@
+## <summary>Aisexec Cluster Engine.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+ gen_require(`
+ type aisexec_t, aisexec_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+## Connect to aisexec over a unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+ gen_require(`
+ type aisexec_t, aisexec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+## Read aisexec log files content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+ gen_require(`
+ type aisexec_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+ read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an aisexec environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+ gen_require(`
+ type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+ type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+ type aisexec_initrc_exec_t;
+ ')
+
+ allow $1 aisexec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aisexec_t)
+
+ init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, aisexec_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aisexec_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, aisexec_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, aisexec_tmp_t)
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
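Review bot: The admin interface is named `aisexecd_admin` while every other interface in this file and the module itself use the `aisexec_` prefix, which makes it hard to find by convention. Renaming it to `aisexec_admin` would break any caller outside this file, so if it is changed the callers must be updated in the same commit. The section separators above `aisexec_stream_connect`, `aisexec_read_log` and `aisexecd_admin` are also narrower than the 40-column rule used above `aisexec_domtrans`; purely cosmetic, but it stands out in a file that otherwise follows the refpolicy template.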
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
new file mode 100644
index 000000000..dfacbf519
--- /dev/null
+++ b/policy/modules/services/aisexec.te
@@ -0,0 +1,117 @@
+policy_module(aisexec, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t)
+
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { accept listen connectto };
+
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { dir file })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, dir)
+
+append_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+create_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+setattr_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t, aisexec_var_log_t, file)
+
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_all_recvfrom_unlabeled(aisexec_t)
+corenet_all_recvfrom_netlabel(aisexec_t)
+corenet_tcp_sendrecv_generic_if(aisexec_t)
+corenet_udp_sendrecv_generic_if(aisexec_t)
+corenet_tcp_sendrecv_generic_node(aisexec_t)
+corenet_udp_sendrecv_generic_node(aisexec_t)
+corenet_tcp_bind_generic_node(aisexec_t)
+corenet_udp_bind_generic_node(aisexec_t)
+
+corenet_sendrecv_netsupport_server_packets(aisexec_t)
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_udp_sendrecv_netsupport_port(aisexec_t)
+
+corenet_sendrecv_generic_server_packets(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_tcp_sendrecv_reserved_port(aisexec_t)
+
+corenet_sendrecv_cluster_server_packets(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+corenet_udp_sendrecv_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+optional_policy(`
+ ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+ rhcs_rw_fenced_semaphores(aisexec_t)
+
+ rhcs_rw_gfs_controld_semaphores(aisexec_t)
+ rhcs_rw_gfs_controld_shm(aisexec_t)
+
+ rhcs_rw_groupd_semaphores(aisexec_t)
+ rhcs_rw_groupd_shm(aisexec_t)
+')
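Review bot: `corenet_tcp_bind_reserved_port(aisexec_t)` in the network section lets the daemon bind any reserved TCP port, whereas the surrounding rules are scoped to the named netsupport and cluster ports; if one specific port is the real requirement, the matching `corenet_tcp_bind_*_port` interface would be tighter, and if not, a comment naming the listener that needs an arbitrary reserved port would justify the grant. The `userdom_rw_unpriv_user_semaphores`/`userdom_rw_unpriv_user_shared_mem` pair and `files_manage_mounttab` likewise carry no why-comment; they give a network-facing daemon write access to unprivileged users' SysV IPC and to the mount table, which deserves a line such as `# cluster client libraries exchange state with the engine over SysV IPC` if that is the reason.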
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
new file mode 100644
index 000000000..da86959bd
--- /dev/null
+++ b/policy/modules/services/amavis.fc
@@ -0,0 +1,30 @@
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
+
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+/usr/bin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+
+/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:amavis_var_run_t,s0)
+
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+
+/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
new file mode 100644
index 000000000..f8a810ceb
--- /dev/null
+++ b/policy/modules/services/amavis.if
@@ -0,0 +1,261 @@
+## <summary>High-performance interface between an email server and content checkers.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+ gen_require(`
+ type amavis_t, amavis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amavis_exec_t, amavis_t)
+')
+
+########################################
+## <summary>
+## Execute amavis server in the amavis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_initrc_domtrans',`
+ gen_require(`
+ type amavis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
+ manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Create objects in the amavis spool directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`amavis_spool_filetrans',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, amavis_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Search amavis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Set attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:dir add_entry_dir_perms;
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an amavis environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+ gen_require(`
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
+ ')
+
+ allow $1 amavis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amavis_t)
+
+ init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, amavis_etc_t)
+
+ admin_pattern($1, amavis_quarantine_t)
+
+ files_list_spool($1)
+ admin_pattern($1, amavis_spool_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, amavis_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, amavis_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, amavis_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, amavis_var_run_t)
+')
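Review bot: `amavis_create_pid_files` spells out its rules as two raw `allow` lines while every other interface in the file uses the `*_pattern` helpers; `create_files_pattern($1, amavis_var_run_t, amavis_var_run_t)` expresses the same add_entry/create pair in the house style. `amavis_setattr_pid_files` is in the same situation, though I believe `setattr_files_pattern` also grants search on the directory, so that swap is a small widening rather than a pure restyle. Separately, `amavis_manage_lib_files` grants only file management under amavis_var_lib_t while the domain's own policy also manages directories there; if callers are expected to create subdirectories a `manage_dirs_pattern` line is missing, otherwise the summary is accurate as written.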
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
new file mode 100644
index 000000000..9517486ed
--- /dev/null
+++ b/policy/modules/services/amavis.te
@@ -0,0 +1,199 @@
+policy_module(amavis, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether amavis can
+## use JIT compiler.
+## </p>
+## </desc>
+gen_tunable(amavis_use_jit, false)
+
+type amavis_t;
+type amavis_exec_t;
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+type amavis_etc_t;
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
+
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow amavis_t self:capability { chown dac_override kill setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process signal_perms;
+allow amavis_t self:fifo_file rw_fifo_file_perms;
+allow amavis_t self:unix_stream_socket { accept connectto listen };
+allow amavis_t self:tcp_socket { listen accept };
+
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+
+manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+
+manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+can_exec(amavis_t, amavis_exec_t)
+
+kernel_read_kernel_sysctls(amavis_t)
+kernel_read_system_state(amavis_t)
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+
+corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
+
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
+corenet_tcp_sendrecv_generic_if(amavis_t)
+corenet_udp_sendrecv_generic_if(amavis_t)
+corenet_tcp_sendrecv_generic_node(amavis_t)
+corenet_udp_sendrecv_generic_node(amavis_t)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+corenet_udp_sendrecv_all_ports(amavis_t)
+corenet_tcp_bind_generic_node(amavis_t)
+corenet_udp_bind_generic_node(amavis_t)
+
+corenet_sendrecv_amavisd_send_client_packets(amavis_t)
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+
+corenet_sendrecv_amavisd_recv_server_packets(amavis_t)
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+
+corenet_sendrecv_generic_server_packets(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
+
+corenet_sendrecv_razor_client_packets(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_sysfs(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+domain_dontaudit_read_all_domains_state(amavis_t)
+
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+files_search_spool(amavis_t)
+
+fs_getattr_xattr_fs(amavis_t)
+
+auth_use_nsswitch(amavis_t)
+auth_dontaudit_read_shadow(amavis_t)
+
+init_read_state(amavis_t)
+init_read_utmp(amavis_t)
+init_stream_connect_script(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_localization(amavis_t)
+
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+tunable_policy(`amavis_use_jit',`
+ allow amavis_t self:process execmem;
+',`
+ dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+ clamav_read_state_clamd(amavis_t)
+')
+
+optional_policy(`
+ cron_use_fds(amavis_t)
+ cron_use_system_job_fds(amavis_t)
+ cron_rw_pipes(amavis_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+ mta_read_config(amavis_t)
+')
+
+optional_policy(`
+ postfix_read_config(amavis_t)
+ postfix_list_spool(amavis_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
+')
+
+optional_policy(`
+ razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_dirs(amavis_t)
+ snmp_manage_var_lib_files(amavis_t)
+ snmp_stream_connect(amavis_t)
+')
+
+optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
+')
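Review bot: The `amavis_use_jit` tunable description says only that amavis "can use JIT compiler" and omits that enabling it grants `execmem` (the tunable_policy block near the end allows `amavis_t self:process execmem`), which is the security-relevant consequence an administrator toggling it needs to know; the `<p>` text could read `Determine whether amavis can use a JIT compiler. Enabling this allows amavis to map memory that is both writable and executable (execmem).` The line `allow amavis_t self:capability { chown dac_override kill setgid setuid };` also lacks a why-comment; dac_override in particular lets the daemon bypass file-mode checks on everything its type rules already reach, so a note naming the path that needs it (presumably a spool or quarantine handoff between users) would let a later reviewer test whether it is still required.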
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
new file mode 100644
index 000000000..f3202453d
--- /dev/null
+++ b/policy/modules/services/apache.fc
@@ -0,0 +1,204 @@
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse',`
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+#/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/data(.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
new file mode 100644
index 000000000..94878d663
--- /dev/null
+++ b/policy/modules/services/apache.if
@@ -0,0 +1,1402 @@
+## <summary>Various web servers.</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for
+## httpd web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
+ attribute httpd_script_domains, httpd_htaccess_type;
+ attribute httpd_rw_content, httpd_ra_content;
+ type httpd_t, httpd_suexec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ ## <desc>
+ ## <p>
+ ## Determine whether the script domain can
+ ## modify public files used for public file
+ ## transfer services. Directories/Files must
+ ## be labeled public_content_rw_t.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ type httpd_$1_content_t, httpdcontent; # customizable
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+ type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
+ files_type(httpd_$1_htaccess_t)
+
+ type httpd_$1_script_t, httpd_script_domains;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+ allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+ allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+
+ allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
+ allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
+ allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
+ allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
+ allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+
+ tunable_policy(`allow_httpd_$1_script_anon_write',`
+ miscfiles_manage_public_files(httpd_$1_script_t)
+ ')
+
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+ allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+ allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+ allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+ ')
+
+ tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+ can_exec(httpd_t, httpd_$1_rw_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+ domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
+ can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
+ allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
+ allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ ')
+')
+
+########################################
+## <summary>
+## Role access for apache.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_user_content_t, httpd_user_htaccess_t;
+ type httpd_user_script_t, httpd_user_script_exec_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
+
+ allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
+
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read user httpd script executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_scripts',`
+ gen_require(`
+ type httpd_user_script_exec_t;
+ ')
+
+ allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+')
+
+########################################
+## <summary>
+## Read user httpd content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+## Execute httpd with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+')
+
+########################################
+## <summary>
+## Execute httpd server in the httpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_initrc_domtrans',`
+ gen_require(`
+ type httpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to httpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to httpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signull',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to httpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors
+## from httpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_use_fds',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write httpd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write httpd unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write httpd unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write httpd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Reload the httpd service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_reload',`
+ gen_require(`
+ type httpd_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 httpd_unit_t:service { reload status };
+')
+
+########################################
+## <summary>
+## Read all appendable content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+#######################################
+## <summary>
+## Search all apache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_all_content',`
+ gen_require(`
+ attribute httpdcontent;
+ ')
+
+ allow $1 httpdcontent:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## all httpd content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpdcontent, httpdcontent)
+ manage_files_pattern($1, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Set attributes httpd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## List httpd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Read and write httpd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Delete httpd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Delete httpd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Read httpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Search httpd configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
+ manage_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program
+## with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_helper',`
+ gen_require(`
+ type httpd_helper_t, httpd_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the Apache helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ attribute_role httpd_helper_roles;
+ ')
+
+ apache_domtrans_helper($1)
+ roleattribute $2 httpd_helper_roles;
+')
+
+########################################
+## <summary>
+## Read httpd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Append httpd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append
+## httpd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+#######################################
+## <summary>
+## Write apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_write_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## httpd module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_search_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List httpd module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute httpd module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
+')
+
+########################################
+## <summary>
+## Read httpd module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_module_files',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ libs_search_lib($1)
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run httpd_rotatelogs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+')
+
+########################################
+## <summary>
+## List httpd system content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## httpd system rw content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_sys_rw_content',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ apache_search_sys_content($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+## Execute all httpd scripts in the
+## system script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write httpd system script unix
+## domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts;
+ ')
+
+ typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain. Add user script domains
+## to the specified role.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_run_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_domains;
+ ')
+
+ role $2 types httpd_script_domains;
+ apache_domtrans_all_scripts($1)
+')
+
+########################################
+## <summary>
+## Read httpd squirrelmail data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append httpd squirrelmail data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Search httpd system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ files_search_var($1)
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read httpd system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Search httpd system CGI directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_scripts',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_script_exec_t;
+ ')
+
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all
+## user httpd content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_user_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
+ type httpd_user_htaccess_t, httpd_user_script_exec_t;
+ ')
+
+ manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+ manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
+ manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+')
+
+########################################
+## <summary>
+## Search system script state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read httpd tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## httpd tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can delete the files
+## </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute CGI in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain run the cgi script in.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## Type of the executable to enter the cgi domain.
+## </summary>
+## </param>
+#
+interface(`apache_cgi_domain',`
+ gen_require(`
+ type httpd_t, httpd_sys_script_exec_t;
+ ')
+
+ domtrans_pattern(httpd_t, $2, $1)
+ apache_search_sys_scripts($1)
+
+ allow httpd_t $1:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an apache environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ attribute httpd_script_domains, httpd_htaccess_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+ type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+ type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+ type httpd_initrc_exec_t, httpd_keytab_t;
+ ')
+
+ allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+ allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
+ ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+
+ init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t)
+
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+ files_search_etc($1)
+ admin_pattern($1, { httpd_keytab_t httpd_config_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+
+ admin_pattern($1, httpd_lock_t)
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+ admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
+ admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+
+ apache_run_all_scripts($1, $2)
+ apache_run_helper($1, $2)
+')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
new file mode 100644
index 000000000..f04ba5c3a
--- /dev/null
+++ b/policy/modules/services/apache.te
@@ -0,0 +1,1479 @@
+policy_module(apache, 2.14.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether httpd can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use mod_auth_pam.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use built in scripting.
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can check spam.
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
+## <p>
+## Determine whether httpd scripts and modules
+## can connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect, false)
+
+## <desc>
+## <p>
+## Determine whether httpd scripts and modules
+## can connect to cobbler over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+## <desc>
+## <p>
+## Determine whether scripts and modules can
+## connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can connect to
+## ldap over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_ldap, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can connect
+## to memcache server over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_memcache, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can act as a relay.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Determine whether httpd daemon can
+## connect to zabbix over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_zabbix, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can send mail.
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can communicate
+## with avahi service via dbus.
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
+
+## <desc>
+## <p>
+## Determine wether httpd can use support.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can act as a
+## FTP server by listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can traverse
+## user home directories.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether httpd gpg can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(httpd_gpg_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can execute
+## its temporary content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Determine whether httpd scripts and
+## modules can use execmem and execstack.
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can connect
+## to port 80 for graceful shutdown.
+## </p>
+## </desc>
+gen_tunable(httpd_graceful_shutdown, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can
+## manage IPA content files.
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use mod_auth_ntlm_winbind.
+## </p>
+## </desc>
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can read
+## generic user home content files.
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can change
+## its resource limits.
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can run
+## SSI executables in the same domain
+## as system CGI scripts.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can communicate
+## with the terminal. Needed for entering the
+## passphrase for certificates at the terminal.
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can have full access
+## to its content types.
+## </p>
+## </desc>
+gen_tunable(httpd_unified, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can
+## use fuse file systems.
+## </p>
+## </desc>
+gen_tunable(httpd_use_fusefs, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use gpg.
+## </p>
+## </desc>
+gen_tunable(httpd_use_gpg, false)
+
+## <desc>
+## <p>
+## Determine whether httpd can use
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
+attribute httpdcontent;
+attribute httpd_htaccess_type;
+
+# domains that can exec all scripts
+attribute httpd_exec_scripts;
+
+attribute httpd_ra_content;
+attribute httpd_rw_content;
+
+attribute httpd_script_exec_type;
+
+# all script domains
+attribute httpd_script_domains;
+
+attribute_role httpd_helper_roles;
+roleattribute system_r httpd_helper_roles;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t, httpd_exec_t)
+
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+type httpd_config_t;
+files_config_file(httpd_config_t)
+
+type httpd_helper_t;
+type httpd_helper_exec_t;
+application_domain(httpd_helper_t, httpd_helper_exec_t)
+role httpd_helper_roles types httpd_helper_t;
+
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
+type httpd_keytab_t;
+files_type(httpd_keytab_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+type httpd_suexec_t;
+type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
+domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+apache_content_template(sys)
+corecmd_shell_entry_type(httpd_sys_script_t)
+typealias httpd_sys_content_t alias ntop_http_content_t;
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+type httpd_unit_t;
+init_unit_file(httpd_unit_t)
+
+apache_content_template(user)
+ubac_constrained(httpd_user_script_t)
+userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_ra_content_t)
+userdom_user_home_content(httpd_user_rw_content_t)
+typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
+typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
+typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
+typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+domain_type(httpd_passwd_t)
+domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
+type httpd_gpg_t;
+domain_type(httpd_gpg_t)
+role system_r types httpd_gpg_t;
+
+optional_policy(`
+ prelink_object_file(httpd_modules_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow httpd_t self:fd use;
+allow httpd_t self:sock_file read_sock_file_perms;
+allow httpd_t self:fifo_file rw_fifo_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket sendto;
+allow httpd_t self:unix_stream_socket { accept connectto listen };
+allow httpd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, dir)
+
+allow httpd_t httpd_config_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+
+allow httpd_t httpd_keytab_t:file read_file_perms;
+
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
+allow httpd_t httpd_lock_t:file manage_file_perms;
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
+
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+allow httpd_t httpd_modules_t:dir list_dir_perms;
+mmap_exec_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+
+allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+
+allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
+
+manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
+userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
+
+manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
+
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+
+manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+can_exec(httpd_t, httpd_exec_t)
+
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
+kernel_read_network_state(httpd_t)
+kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
+
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
+corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_tcp_bind_generic_node(httpd_t)
+
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_sendrecv_http_port(httpd_t)
+
+corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_t)
+
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
+fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+files_dontaudit_getattr_all_pids(httpd_t)
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_symlinks(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+files_read_etc_runtime_files(httpd_t)
+files_read_var_lib_symlinks(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+init_rw_inherited_script_tmp_files(httpd_t)
+
+libs_read_lib_files(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+miscfiles_read_public_files(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_generic_tls_privkey(httpd_t)
+miscfiles_read_tetex_data(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+ifdef(`TODO',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chk_passwd(httpd_t)
+
+ logging_send_audit_msgs(httpd_t)
+ ')
+')
+
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
+ifdef(`init_systemd', `
+ systemd_use_passwd_agent(httpd_t)
+')
+
+tunable_policy(`allow_httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_connect',`
+ corenet_sendrecv_all_client_packets(httpd_t)
+ corenet_tcp_connect_all_ports(httpd_t)
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_sendrecv_gds_db_client_packets(httpd_t)
+ corenet_tcp_connect_gds_db_port(httpd_t)
+ corenet_tcp_sendrecv_gds_db_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_tcp_sendrecv_mssql_port(httpd_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_t)
+ corenet_tcp_connect_oracledb_port(httpd_t)
+ corenet_tcp_sendrecv_oracledb_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_sendrecv_gopher_port(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_sendrecv_http_port(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_sendrecv_http_cache_port(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
+ corenet_tcp_sendrecv_squid_port(httpd_t)
+')
+
+tunable_policy(`httpd_builtin_scripting',`
+ exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+
+ allow httpd_t httpdcontent:dir list_dir_perms;
+ allow httpd_t httpdcontent:file read_file_perms;
+ allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+')
+
+tunable_policy(`httpd_enable_cgi',`
+ allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
+ allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+# ')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+ corenet_sendrecv_ftp_server_packets(httpd_t)
+ corenet_tcp_bind_ftp_port(httpd_t)
+ corenet_tcp_sendrecv_ftp_port(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+',`
+ dontaudit httpd_t self:process { execmem execstack };
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_tcp_sendrecv_pop_port(httpd_t)
+
+ mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_can_network_connect_zabbix',`
+ zabbix_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
+ ')
+')
+
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_sendrecv_http_port(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+',`
+ dontaudit httpd_t self:process setrlimit;
+ dontaudit httpd_t self:capability sys_resource;
+')
+
+tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_t)
+',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_t)
+')
+
+tunable_policy(`httpd_use_fusefs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
+ fs_read_fusefs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+ fs_exec_fusefs_files(httpd_t)
+')
+
+tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_t)
+')
+
+optional_policy(`
+ calamaris_read_www_files(httpd_t)
+')
+
+optional_policy(`
+ ccs_read_config(httpd_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_t)
+')
+
+optional_policy(`
+ cobbler_read_config(httpd_t)
+ cobbler_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ git_read_generic_sys_content_files(httpd_t)
+')
+
+optional_policy(`
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+ kerberos_use(httpd_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_ldap',`
+ ldap_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ mailman_read_data_files(httpd_t)
+ mailman_search_data(httpd_t)
+ mailman_read_archive(httpd_t)
+')
+
+optional_policy(`
+ memcached_stream_connect(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_memcache',`
+ memcached_tcp_connect(httpd_t)
+ ')
+
+ tunable_policy(`httpd_manage_ipa',`
+ memcached_manage_pid_files(httpd_t)
+ ')
+')
+
+optional_policy(`
+ mysql_read_config(httpd_t)
+ mysql_stream_connect(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ nagios_read_config(httpd_t)
+')
+
+optional_policy(`
+ openca_domtrans(httpd_t)
+ openca_signal(httpd_t)
+ openca_sigstop(httpd_t)
+ openca_kill(httpd_t)
+')
+
+optional_policy(`
+ pcscd_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ puppet_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`
+ shibboleth_read_config(httpd_t)
+ shibboleth_stream_connect(httpd_t)
+')
+
+optional_policy(`
+ smokeping_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+')
+
+optional_policy(`
+ udev_read_db(httpd_t)
+')
+
+optional_policy(`
+ yam_read_content(httpd_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+
+append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+
+files_search_etc(httpd_helper_t)
+
+logging_search_logs(httpd_helper_t)
+logging_send_syslog_msg(httpd_helper_t)
+
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+',`
+ userdom_dontaudit_use_user_terminals(httpd_helper_t)
+')
+
+########################################
+#
+# Suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setgid setuid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
+allow httpd_suexec_t self:tcp_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket { accept listen };
+
+create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
+corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_read_iso9660_files(httpd_suexec_t)
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+files_read_usr_files(httpd_suexec_t)
+files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
+
+auth_use_nsswitch(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
+
+tunable_policy(`httpd_builtin_scripting',`
+ exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
+
+ allow httpd_suexec_t httpdcontent:dir list_dir_perms;
+ allow httpd_suexec_t httpdcontent:file read_file_perms;
+ allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
+')
+
+tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_gds_db_port(httpd_suexec_t)
+ corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracledb_port(httpd_suexec_t)
+ corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_smtp_port(httpd_suexec_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
+ corenet_sendrecv_pop_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_pop_port(httpd_suexec_t)
+ corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
+ mta_send_mail(httpd_suexec_t)
+ mta_signal_system_mail(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_tmp_exec',`
+ can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
+')
+
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
+',`
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_use_fusefs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_read_fusefs_symlinks(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+ fs_exec_fusefs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_suexec_t)
+ postgresql_unpriv_client(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_suexec_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
+########################################
+#
+# Common script local policy
+#
+
+allow httpd_script_domains self:fifo_file rw_file_perms;
+allow httpd_script_domains self:unix_stream_socket connectto;
+
+allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+
+append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+
+kernel_dontaudit_search_sysctl(httpd_script_domains)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+
+corenet_all_recvfrom_unlabeled(httpd_script_domains)
+corenet_all_recvfrom_netlabel(httpd_script_domains)
+corenet_tcp_sendrecv_generic_if(httpd_script_domains)
+corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+
+corecmd_exec_all_executables(httpd_script_domains)
+
+dev_read_rand(httpd_script_domains)
+dev_read_urand(httpd_script_domains)
+
+files_exec_etc_files(httpd_script_domains)
+files_read_etc_files(httpd_script_domains)
+files_search_home(httpd_script_domains)
+
+libs_exec_ld_so(httpd_script_domains)
+libs_exec_lib_files(httpd_script_domains)
+
+logging_search_logs(httpd_script_domains)
+
+miscfiles_read_fonts(httpd_script_domains)
+miscfiles_read_public_files(httpd_script_domains)
+
+seutil_dontaudit_search_config(httpd_script_domains)
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_script_domains httpdcontent:file entrypoint;
+
+ manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+
+ can_exec(httpd_script_domains, httpdcontent)
+')
+
+tunable_policy(`httpd_enable_cgi',`
+ allow httpd_script_domains self:process { setsched signal_perms };
+ allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
+
+ kernel_read_system_state(httpd_script_domains)
+
+ fs_getattr_all_fs(httpd_script_domains)
+
+ files_read_etc_runtime_files(httpd_script_domains)
+ files_read_usr_files(httpd_script_domains)
+
+ libs_read_lib_files(httpd_script_domains)
+
+ miscfiles_read_localization(httpd_script_domains)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_script_domains)
+ ')
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
+ corenet_tcp_connect_gds_db_port(httpd_script_domains)
+ corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
+ corenet_sendrecv_mssql_client_packets(httpd_script_domains)
+ corenet_tcp_connect_mssql_port(httpd_script_domains)
+ corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
+ corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
+ corenet_tcp_connect_oracledb_port(httpd_script_domains)
+ corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
+')
+
+optional_policy(`
+ mysql_read_config(httpd_script_domains)
+ mysql_stream_connect(httpd_script_domains)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_script_domains)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_script_domains)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_script_domains)
+ ')
+')
+
+optional_policy(`
+ nscd_use(httpd_script_domains)
+')
+
+########################################
+#
+# System script local policy
+#
+
+allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
+
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
+
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
+allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
+
+kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+dev_read_sysfs(httpd_sys_script_t)
+
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
+
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+auth_use_nsswitch(httpd_sys_script_t)
+
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pids(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_smtp_port(httpd_sys_script_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
+ corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_pop_port(httpd_sys_script_t)
+ corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
+
+ mta_send_mail(httpd_sys_script_t)
+ mta_signal_system_mail(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_sys_script_t self:process { execmem execstack };
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_fusefs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_sys_script_t)
+ fs_manage_fusefs_files(httpd_sys_script_t)
+ fs_read_fusefs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+ fs_exec_fusefs_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_sys_script_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+')
+
+optional_policy(`
+ postgresql_unpriv_client(httpd_sys_script_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
+########################################
+#
+# Rotatelogs local policy
+#
+
+allow httpd_rotatelogs_t self:capability dac_override;
+
+manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+
+files_read_etc_files(httpd_rotatelogs_t)
+
+logging_search_logs(httpd_rotatelogs_t)
+
+miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ apache_content_template(unconfined)
+ unconfined_domain(httpd_unconfined_script_t)
+')
+
+########################################
+#
+# User content local policy
+#
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(httpd_user_script_t)
+ fs_read_cifs_files(httpd_user_script_t)
+ fs_read_cifs_symlinks(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+ fs_exec_cifs_files(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_user_script_t)
+ fs_read_nfs_files(httpd_user_script_t)
+ fs_read_nfs_symlinks(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+ fs_exec_nfs_files(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+')
+
+optional_policy(`
+ postgresql_unpriv_client(httpd_user_script_t)
+')
+
+########################################
+#
+# Passwd local policy
+#
+
+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
+
+dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
+
+kernel_read_system_state(httpd_passwd_t)
+
+corecmd_exec_bin(httpd_passwd_t)
+corecmd_exec_shell(httpd_passwd_t)
+
+dev_read_urand(httpd_passwd_t)
+
+domain_use_interactive_fds(httpd_passwd_t)
+
+auth_use_nsswitch(httpd_passwd_t)
+
+miscfiles_read_generic_certs(httpd_passwd_t)
+miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_generic_tls_privkey(httpd_passwd_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow httpd_gpg_t self:process setrlimit;
+
+allow httpd_gpg_t httpd_t:fd use;
+allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+allow httpd_gpg_t httpd_t:process sigchld;
+
+dev_read_rand(httpd_gpg_t)
+dev_read_urand(httpd_gpg_t)
+
+files_read_usr_files(httpd_gpg_t)
+
+miscfiles_read_localization(httpd_gpg_t)
+
+tunable_policy(`httpd_gpg_anon_write',`
+ miscfiles_manage_public_files(httpd_gpg_t)
+')
+
+optional_policy(`
+ apache_manage_sys_rw_content(httpd_gpg_t)
+')
+
+optional_policy(`
+ gpg_entry_type(httpd_gpg_t)
+ gpg_exec(httpd_gpg_t)
+')
+
+ifdef(`distro_gentoo',`
+## <desc>
+## <p>
+## Enable specific permissions for the Hiawatha web server
+## </p>
+## </desc>
+gen_tunable(hiawatha_httpd, false)
+
+init_daemon_pid_file(httpd_var_run_t, dir, "apache_ssl_mutex")
+init_daemon_pid_file(httpd_var_run_t, dir, "apache2")
+
+tunable_policy(`hiawatha_httpd',`
+ # bug 513362
+ allow httpd_t self:capability fowner;
+')
+
+')
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
new file mode 100644
index 000000000..43666b342
--- /dev/null
+++ b/policy/modules/services/apcupsd.fc
@@ -0,0 +1,20 @@
+/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+
+/usr/bin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+
+/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
new file mode 100644
index 000000000..3dda63454
--- /dev/null
+++ b/policy/modules/services/apcupsd.if
@@ -0,0 +1,165 @@
+## <summary>APC UPS monitoring daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run apcupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_domtrans',`
+ gen_require(`
+ type apcupsd_t, apcupsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
+')
+
+########################################
+## <summary>
+## Execute apcupsd server in the
+## apcupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read apcupsd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_read_pid_files',`
+ gen_require(`
+ type apcupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apcupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read apcupsd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_read_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append apcupsd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_append_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ ')
+
+ files_search_var($1)
+ domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an apcupsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
+ type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, apcupsd_t)
+
+ init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t)
+
+ files_list_var($1)
+ admin_pattern($1, apcupsd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, apcupsd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, apcupsd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
+')
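Review bot: apcupsd_admin calls `init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t)` without a unit file type, even though apcupsd.te in this same commit declares `apcupsd_unit_t` and apcupsd.fc labels the systemd service files with it; arpwatch_admin in this commit passes `arpwatch_unit_t` as the fifth argument. Unless the omission is deliberate, `init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t, apcupsd_unit_t)` with `type apcupsd_unit_t;` added to the gen_require block would give the admin role the same systemd-based control the arpwatch interface has. As a point of style, the `allow $1 apcupsd_t:process { ptrace signal_perms };` / `ps_process_pattern($1, apcupsd_t)` pair looks like the expanded form of what arpwatch_admin obtains from `admin_process_pattern($1, arpwatch_t)`, and using the same macro here would keep the two admin interfaces consistent; since ptrace is a strong permission either way, a short comment stating that the admin role is expected to debug the running daemon would make the grant intentional rather than boilerplate.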
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
new file mode 100644
index 000000000..3e4a24650
--- /dev/null
+++ b/policy/modules/services/apcupsd.te
@@ -0,0 +1,130 @@
+policy_module(apcupsd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type apcupsd_t;
+type apcupsd_exec_t;
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
+files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
+type apcupsd_unit_t;
+init_unit_file(apcupsd_unit_t)
+
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
+files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_generic_node(apcupsd_t)
+corenet_tcp_bind_generic_node(apcupsd_t)
+corenet_udp_sendrecv_generic_if(apcupsd_t)
+corenet_udp_sendrecv_generic_node(apcupsd_t)
+corenet_udp_bind_generic_node(apcupsd_t)
+
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+corenet_udp_bind_snmp_port(apcupsd_t)
+corenet_sendrecv_snmp_server_packets(apcupsd_t)
+corenet_udp_sendrecv_snmp_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
+files_read_etc_files(apcupsd_t)
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
+
+term_use_unallocated_ttys(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
+
+miscfiles_read_localization(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
+optional_policy(`
+ hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+
+optional_policy(`
+ apache_content_template(apcupsd_cgi)
+
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+ corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
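Review bot: The CGI block grants `corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)` and `corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)` while the only connect rule in the block is `corenet_tcp_connect_apcupsd_port`, so the send/receive permissions are considerably wider than the one port the script is allowed to reach. If the CGI scripts only query an apcupsd instance, `corenet_tcp_sendrecv_apcupsd_port(httpd_apcupsd_cgi_script_t)` would match the connect rule and the two all-ports lines could go, and the `self:udp_socket create_socket_perms` rule, whose purpose is not stated, could then be reconsidered alongside them. If wider traffic is genuinely needed, a one-line comment above those rules naming what they cover would save the next reader the same question.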
diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
new file mode 100644
index 000000000..9b0eadc88
--- /dev/null
+++ b/policy/modules/services/arpwatch.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
new file mode 100644
index 000000000..63e1b5717
--- /dev/null
+++ b/policy/modules/services/arpwatch.if
@@ -0,0 +1,155 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+## Execute arpwatch server in the
+## arpwatch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+ gen_require(`
+ type arpwatch_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search arpwatch data file directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_search_data',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 arpwatch_data_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## arpwatch data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
+')
+
+########################################
+## <summary>
+## Read and write arpwatch temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## arpwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type arpwatch_t;
+ ')
+
+ dontaudit $1 arpwatch_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an arpwatch environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
+ ')
+
+ admin_process_pattern($1, arpwatch_t)
+
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, arpwatch_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, arpwatch_data_t)
+
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
+')
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
new file mode 100644
index 000000000..87aed96fc
--- /dev/null
+++ b/policy/modules/services/arpwatch.te
@@ -0,0 +1,90 @@
+policy_module(arpwatch, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t, arpwatch_exec_t)
+
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_unit_t;
+init_unit_file(arpwatch_unit_t)
+
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
+
+########################################
+#
+# Local policy
+#
+
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_stream_socket { accept listen };
+allow arpwatch_t self:tcp_socket { accept listen };
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
+
+manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+
+manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
+
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_network_state(arpwatch_t)
+kernel_read_system_state(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+
+# /sys/class/net
+dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+auth_use_nsswitch(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+optional_policy(`
+ mta_send_mail(arpwatch_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+ udev_read_db(arpwatch_t)
+')
diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc
new file mode 100644
index 000000000..337bf6017
--- /dev/null
+++ b/policy/modules/services/asterisk.fc
@@ -0,0 +1,15 @@
+/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
+
+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+
+/usr/bin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+
+/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
+
+/run/asterisk.* gen_context(system_u:object_r:asterisk_var_run_t,s0)
+
+/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
new file mode 100644
index 000000000..2e3f5a4b8
--- /dev/null
+++ b/policy/modules/services/asterisk.if
@@ -0,0 +1,151 @@
+## <summary>Asterisk IP telephony server.</summary>
+
+######################################
+## <summary>
+## Execute asterisk in the asterisk domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`asterisk_domtrans',`
+ gen_require(`
+ type asterisk_t, asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
+######################################
+## <summary>
+## Execute asterisk in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_exec',`
+ gen_require(`
+ type asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, asterisk_exec_t)
+')
+
+#####################################
+## <summary>
+## Connect to asterisk over a unix domain.
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_stream_connect',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+#######################################
+## <summary>
+## Set attributes of asterisk log
+## files and directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+ gen_require(`
+ type asterisk_log_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+ setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Set attributes of the asterisk
+## PID content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+ gen_require(`
+ type asterisk_var_run_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an asterisk environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+ type asterisk_var_lib_t, asterisk_initrc_exec_t;
+ ')
+
+ allow $1 asterisk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, asterisk_t)
+
+ init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t)
+
+ asterisk_exec($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, asterisk_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, asterisk_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, asterisk_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, asterisk_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, asterisk_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, asterisk_var_run_t)
+')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
new file mode 100644
index 000000000..2e0a687cb
--- /dev/null
+++ b/policy/modules/services/asterisk.te
@@ -0,0 +1,193 @@
+policy_module(asterisk, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t, asterisk_exec_t)
+
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
+
+########################################
+#
+# Local policy
+#
+
+allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
+dontaudit asterisk_t self:capability { sys_module sys_tty_config };
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket { accept connectto listen };
+allow asterisk_t self:tcp_socket { accept listen };
+
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+
+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
+
+manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+
+manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+
+can_exec(asterisk_t, asterisk_exec_t)
+
+kernel_read_kernel_sysctls(asterisk_t)
+kernel_read_network_state(asterisk_t)
+kernel_read_system_state(asterisk_t)
+kernel_request_load_module(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
+
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_generic_node(asterisk_t)
+corenet_udp_sendrecv_generic_node(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_generic_node(asterisk_t)
+corenet_udp_bind_generic_node(asterisk_t)
+
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+
+corenet_sendrecv_embrace_dp_c_client_packets(asterisk_t)
+corenet_tcp_connect_embrace_dp_c_port(asterisk_t)
+
+corenet_sendrecv_sip_server_packets(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_udp_bind_sip_port(asterisk_t)
+
+corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+
+corenet_sendrecv_jabber_client_client_packets(asterisk_t)
+corenet_tcp_connect_jabber_client_port(asterisk_t)
+
+corenet_sendrecv_pdps_client_packets(asterisk_t)
+corenet_tcp_connect_pdps_port(asterisk_t)
+
+corenet_sendrecv_pktcable_cops_client_packets(asterisk_t)
+corenet_tcp_connect_pktcable_cops_port(asterisk_t)
+
+corenet_sendrecv_sip_client_packets(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
+
+dev_rw_generic_usb_dev(asterisk_t)
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
+dev_read_urand(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_usr_files(asterisk_t)
+files_search_spool(asterisk_t)
+files_dontaudit_search_home(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
+fs_read_anon_inodefs_files(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+auth_use_nsswitch(asterisk_t)
+
+logging_search_logs(asterisk_t)
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+optional_policy(`
+ alsa_read_config(asterisk_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(asterisk_t)
+ mysql_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+ mta_send_mail(asterisk_t)
+ mta_system_content(asterisk_tmp_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(asterisk_t)
+ postgresql_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(asterisk_t)
+ snmp_stream_connect(asterisk_t)
+ snmp_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+ udev_read_db(asterisk_t)
+')
diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
new file mode 100644
index 000000000..dadd3a9f8
--- /dev/null
+++ b/policy/modules/services/automount.fc
@@ -0,0 +1,12 @@
+/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+
+/usr/bin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
+
+/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
new file mode 100644
index 000000000..fbaa32205
--- /dev/null
+++ b/policy/modules/services/automount.if
@@ -0,0 +1,160 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+## Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`automount_domtrans',`
+ gen_require(`
+ type automount_t, automount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, automount_exec_t, automount_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to automount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
+## Read automount process state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`automount_read_state',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 automount_t:dir list_dir_perms;
+ read_files_pattern($1, automount_t, automount_t)
+ read_lnk_files_pattern($1, automount_t, automount_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## automount file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## automount unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of automount temporary
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an automount environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
+ type automount_keytab_t;
+ ')
+
+ allow $1 automount_t:process { ptrace signal_perms };
+ ps_process_pattern($1, automount_t)
+
+ init_startstop_service($1, $2, automount_t, automount_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, automount_keytab_t)
+
+ files_list_var($1)
+ admin_pattern($1, automount_lock_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, automount_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
+')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
new file mode 100644
index 000000000..349222816
--- /dev/null
+++ b/policy/modules/services/automount.te
@@ -0,0 +1,171 @@
+policy_module(automount, 1.19.0)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t, automount_exec_t)
+
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
+type automount_keytab_t;
+files_type(automount_keytab_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+type automount_unit_t;
+init_unit_file(automount_unit_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_fifo_file_perms;
+allow automount_t self:tcp_socket { accept listen };
+allow automount_t self:rawip_socket create_socket_perms;
+
+can_exec(automount_t, automount_exec_t)
+
+allow automount_t automount_keytab_t:file read_file_perms;
+
+allow automount_t automount_lock_t:file manage_file_perms;
+files_lock_filetrans(automount_t, automount_lock_t, file)
+
+manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+files_home_filetrans(automount_t, automount_tmp_t, dir)
+files_root_filetrans(automount_t, automount_tmp_t, dir)
+
+manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_vm_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_getattr_unlabeled_dirs(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_generic_node(automount_t)
+corenet_udp_sendrecv_generic_node(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_generic_node(automount_t)
+corenet_udp_bind_generic_node(automount_t)
+
+corenet_sendrecv_all_client_packets(automount_t)
+corenet_sendrecv_all_server_packets(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+corenet_udp_bind_reserved_port(automount_t)
+corenet_udp_bind_all_rpc_ports(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+files_getattr_home_dir(automount_t)
+files_exec_etc_files(automount_t)
+files_list_mnt(automount_t)
+files_manage_non_security_dirs(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mounton_mnt(automount_t)
+files_read_etc_runtime_files(automount_t)
+files_read_usr_files(automount_t)
+files_search_boot(automount_t)
+files_search_all(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+
+fs_getattr_all_dirs(automount_t)
+fs_getattr_all_fs(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_manage_autofs_symlinks(automount_t)
+fs_mount_all_fs(automount_t)
+fs_mount_autofs(automount_t)
+fs_read_nfs_files(automount_t)
+fs_search_all(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_unmount_all_fs(automount_t)
+fs_unmount_autofs(automount_t)
+
+dev_read_rand(automount_t)
+dev_read_sysfs(automount_t)
+dev_read_urand(automount_t)
+dev_rw_autofs(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+storage_rw_fuse(automount_t)
+
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+auth_use_nsswitch(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_generic_certs(automount_t)
+
+mount_domtrans(automount_t)
+mount_signal(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+
+optional_policy(`
+ fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+ kerberos_read_config(automount_t)
+ kerberos_read_keytab(automount_t)
+ kerberos_use(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
+ samba_read_config(automount_t)
+ samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+ udev_read_db(automount_t)
+')
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
new file mode 100644
index 000000000..2f72be4ab
--- /dev/null
+++ b/policy/modules/services/avahi.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+/usr/bin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
+
+/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
new file mode 100644
index 000000000..4652358fa
--- /dev/null
+++ b/policy/modules/services/avahi.if
@@ -0,0 +1,274 @@
+## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary>
+
+########################################
+## <summary>
+## Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_domtrans',`
+ gen_require(`
+ type avahi_exec_t, avahi_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Execute avahi init scripts in the
+## init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_initrc_domtrans',`
+ gen_require(`
+ type avahi_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to avahi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signal',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+## Send kill signals to avahi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_kill',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send null signals to avahi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## avahi over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_dbus_chat',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to avahi using a unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_stream_connect',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Create avahi pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_create_pid_dirs',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 avahi_var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of avahi pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_setattr_pid_dirs',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 avahi_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, and write avahi pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_manage_pid_files',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## avahi pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`avahi_dontaudit_search_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## pid directories with the avahi pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`avahi_filetrans_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_pid_filetrans($1, avahi_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an avahi environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_var_lib_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, avahi_t)
+
+ init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, avahi_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, avahi_var_lib_t)
+')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
new file mode 100644
index 000000000..c90208263
--- /dev/null
+++ b/policy/modules/services/avahi.te
@@ -0,0 +1,118 @@
+policy_module(avahi, 1.19.0)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t, avahi_exec_t)
+init_named_socket_activation(avahi_t, avahi_var_run_t)
+
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_unit_t;
+init_unit_file(avahi_unit_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
+allow avahi_t self:unix_stream_socket { accept connectto listen };
+allow avahi_t self:tcp_socket { accept listen };
+allow avahi_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(avahi_t)
+kernel_read_network_state(avahi_t)
+kernel_read_system_state(avahi_t)
+kernel_request_load_module(avahi_t)
+
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
+corenet_tcp_sendrecv_generic_if(avahi_t)
+corenet_udp_sendrecv_generic_if(avahi_t)
+corenet_tcp_sendrecv_generic_node(avahi_t)
+corenet_udp_sendrecv_generic_node(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_generic_node(avahi_t)
+corenet_udp_bind_generic_node(avahi_t)
+
+corenet_sendrecv_howl_server_packets(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
+
+auth_use_nsswitch(avahi_t)
+
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
+
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+optional_policy(`
+ dbus_system_domain(avahi_t, avahi_exec_t)
+
+ optional_policy(`
+ init_dbus_chat_script(avahi_t)
+ ')
+')
+
+optional_policy(`
+ rpcbind_signull(avahi_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+ udev_read_db(avahi_t)
+')
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
new file mode 100644
index 000000000..b4879dc1b
--- /dev/null
+++ b/policy/modules/services/bind.fc
@@ -0,0 +1,66 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/bin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/bin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+
+/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <<none>>
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
+/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
+/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
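Review bot: The dnssec_t entries for key files (`/etc/bind/rndc\.key`, `/etc/rndc\.key`, `/etc/unbound/.*\.key` and `/var/named/chroot/etc/rndc\.key`) each overlap a broader pattern earlier in the same group (`/etc/bind(/.*)?`, `/etc/rndc.*`, `/etc/unbound(/.*)?`, `/var/named/chroot(/.*)?`) and only label the keys as dnssec_t because they win that overlap, which in my reading depends on them staying after the broader lines. Since these are the security-sensitive files in the module, a comment above the first such entry, e.g. `# key files deliberately override the broader patterns above; keep them after those lines`, would keep a future re-sort of the file from silently relabelling keys as named_conf_t or named_zone_t. `/etc/rndc.*` is also the one entry in this file with an unescaped dot; if it is only meant to cover rndc.conf and rndc.key, `/etc/rndc\..*` would say so.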
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
new file mode 100644
index 000000000..a99bae9c6
--- /dev/null
+++ b/policy/modules/services/bind.if
@@ -0,0 +1,376 @@
+## <summary>Berkeley Internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+## Execute bind init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+ gen_require(`
+ type ndc_t, ndc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+## Send kill signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain, and
+## allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_run_ndc',`
+ gen_require(`
+ attribute_role ndc_roles;
+ ')
+
+ bind_domtrans_ndc($1)
+ roleattribute $2 ndc_roles;
+')
+
+########################################
+## <summary>
+## Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans',`
+ gen_require(`
+ type named_t, named_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+## <summary>
+## Read dnssec key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+## <summary>
+## Read bind named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Write bind named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_write_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Search bind cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_search_cache',`
+ gen_require(`
+ type named_conf_t, named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ manage_files_pattern($1, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+## <summary>
+## Set attributes of bind pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+ gen_require(`
+ type named_var_run_t;
+ ')
+
+ allow $1 named_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of bind zone directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Read bind zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bind environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+ type named_cache_t, named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type named_keytab_t;
+ ')
+
+ allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { named_t ndc_t })
+
+ init_startstop_service($1, $2, named_t, named_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { named_keytab_t named_conf_t })
+
+ files_list_var($1)
+ admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+')
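Review bot: `bind_admin` grants `ptrace` on `{ named_t ndc_t }` alongside `signal_perms`, which lets any domain given the admin interface read the daemon's memory, presumably including the rndc and DNSSEC key material named_t reads from dnssec_t. If administration only needs to start, stop, signal and inspect the service, `allow $1 { named_t ndc_t }:process signal_perms;` with the existing `ps_process_pattern` call keeps the interface to what its summary describes; the same `ptrace` grant appears in `bird_admin`, `bitlbee_admin` and `bluetooth_role` in this commit. If ptrace is kept deliberately for debugging, a comment saying so would stop it being read as an oversight.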
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
new file mode 100644
index 000000000..c96d0b828
--- /dev/null
+++ b/policy/modules/services/bind.te
@@ -0,0 +1,279 @@
+policy_module(bind, 1.20.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Bind can bind tcp socket to http ports.
+## </p>
+## </desc>
+gen_tunable(named_tcp_bind_http_port, false)
+
+## <desc>
+## <p>
+## Determine whether Bind can write to master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones, false)
+
+attribute_role ndc_roles;
+
+type dnssec_t;
+files_security_file(dnssec_t)
+files_mountpoint(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t, named_exec_t)
+
+type named_checkconf_exec_t;
+init_system_domain(named_t, named_checkconf_exec_t)
+
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
+type named_keytab_t;
+files_type(named_keytab_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_unit_t;
+init_unit_file(named_unit_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+init_daemon_pid_file(named_var_run_t, dir, "named")
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t, ndc_exec_t)
+role ndc_roles types ndc_t;
+
+########################################
+#
+# Local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_fifo_file_perms;
+allow named_t self:unix_stream_socket { accept listen };
+allow named_t self:tcp_socket { accept listen };
+
+allow named_t dnssec_t:file read_file_perms;
+
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t, named_conf_t, named_conf_t)
+read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+
+manage_files_pattern(named_t, named_cache_t, named_cache_t)
+manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+allow named_t named_keytab_t:file read_file_perms;
+
+append_files_pattern(named_t, named_log_t, named_log_t)
+create_files_pattern(named_t, named_log_t, named_log_t)
+setattr_files_pattern(named_t, named_log_t, named_log_t)
+logging_log_filetrans(named_t, named_log_t, file)
+
+manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+
+can_exec(named_t, named_exec_t)
+
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t, named_zone_t, named_zone_t)
+read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
+kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_overcommit_sysctl(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+
+corecmd_search_bin(named_t)
+
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
+corenet_tcp_sendrecv_generic_if(named_t)
+corenet_udp_sendrecv_generic_if(named_t)
+corenet_tcp_sendrecv_generic_node(named_t)
+corenet_udp_sendrecv_generic_node(named_t)
+corenet_tcp_bind_generic_node(named_t)
+corenet_udp_bind_generic_node(named_t)
+
+corenet_sendrecv_all_server_packets(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_sendrecv_dns_port(named_t)
+corenet_udp_sendrecv_dns_port(named_t)
+
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_sendrecv_rndc_port(named_t)
+
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+
+corenet_sendrecv_all_client_packets(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_generic_certs(named_t)
+miscfiles_read_localization(named_t)
+miscfiles_read_generic_tls_privkey(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
+
+tunable_policy(`named_tcp_bind_http_port',`
+ corenet_sendrecv_http_server_packets(named_t)
+ corenet_tcp_bind_http_port(named_t)
+ corenet_tcp_sendrecv_http_port(named_t)
+')
+
+tunable_policy(`named_write_master_zones',`
+ manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ manage_files_pattern(named_t, named_zone_t, named_zone_t)
+ manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+')
+
+optional_policy(`
+ dbus_system_domain(named_t, named_exec_t)
+
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(named_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_read_keytab(named_t)
+ kerberos_use(named_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(named_t)
+')
+
+optional_policy(`
+ networkmanager_rw_udp_sockets(named_t)
+ networkmanager_rw_packet_sockets(named_t)
+ networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+ udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process signal_perms;
+allow ndc_t self:fifo_file rw_fifo_file_perms;
+allow ndc_t self:unix_stream_socket { accept listen };
+
+allow ndc_t dnssec_t:file read_file_perms;
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+allow ndc_t named_conf_t:file read_file_perms;
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+allow ndc_t named_zone_t:dir search_dir_perms;
+
+kernel_read_kernel_sysctls(ndc_t)
+kernel_read_system_state(ndc_t)
+
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
+corenet_tcp_sendrecv_generic_if(ndc_t)
+corenet_tcp_sendrecv_generic_node(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_generic_node(ndc_t)
+
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_search_pids(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+term_dontaudit_use_console(ndc_t)
+
+auth_use_nsswitch(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+userdom_use_user_terminals(ndc_t)
+
+ifdef(`distro_redhat',`
+ allow ndc_t named_conf_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ ppp_dontaudit_use_fds(ndc_t)
+')
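Review bot: `corenet_tcp_connect_all_ports(named_t)`, together with `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets`, lets the name server open TCP connections to any port on any host, far wider than the dns and rndc ports the rest of the named_t block names explicitly. Outbound TCP queries to upstream servers need only `corenet_tcp_connect_dns_port(named_t)`, which this block does not contain on its own because the all-ports rule subsumes it; if the broad rule exists for forwarders on non-standard ports, a comment saying so would justify it, otherwise the narrower rule should replace it. `miscfiles_read_generic_tls_privkey(named_t)` likewise deserves a one-line comment naming the feature that needs system-wide TLS private keys, since it exposes keys belonging to unrelated services.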
diff --git a/policy/modules/services/bird.fc b/policy/modules/services/bird.fc
new file mode 100644
index 000000000..d415fdf3c
--- /dev/null
+++ b/policy/modules/services/bird.fc
@@ -0,0 +1,13 @@
+/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0)
+
+/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0)
+
+/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
+
+/usr/bin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
+
+/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
+
+/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
+
+/run/bird\.ctl -s gen_context(system_u:object_r:bird_var_run_t,s0)
diff --git a/policy/modules/services/bird.if b/policy/modules/services/bird.if
new file mode 100644
index 000000000..d744d6b8f
--- /dev/null
+++ b/policy/modules/services/bird.if
@@ -0,0 +1,39 @@
+## <summary>BIRD Internet Routing Daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bird environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bird_admin',`
+ gen_require(`
+ type bird_t, bird_etc_t, bird_log_t;
+ type bird_var_run_t, bird_initrc_exec_t;
+ ')
+
+ allow $1 bird_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bird_t)
+
+ init_startstop_service($1, $2, bird_t, bird_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bird_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bird_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bird_var_run_t)
+')
diff --git a/policy/modules/services/bird.te b/policy/modules/services/bird.te
new file mode 100644
index 000000000..e525f326b
--- /dev/null
+++ b/policy/modules/services/bird.te
@@ -0,0 +1,58 @@
+policy_module(bird, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bird_t;
+type bird_exec_t;
+init_daemon_domain(bird_t, bird_exec_t)
+
+type bird_initrc_exec_t;
+init_script_file(bird_initrc_exec_t)
+
+type bird_etc_t;
+files_config_file(bird_etc_t)
+
+type bird_log_t;
+logging_log_file(bird_log_t)
+
+type bird_var_run_t;
+files_pid_file(bird_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bird_t self:capability net_admin;
+allow bird_t self:netlink_route_socket create_netlink_socket_perms;
+allow bird_t self:tcp_socket create_stream_socket_perms;
+
+allow bird_t bird_etc_t:file read_file_perms;
+
+allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
+logging_log_filetrans(bird_t, bird_log_t, file)
+
+allow bird_t bird_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(bird_t, bird_var_run_t, sock_file)
+
+corenet_all_recvfrom_unlabeled(bird_t)
+corenet_all_recvfrom_netlabel(bird_t)
+corenet_tcp_sendrecv_generic_if(bird_t)
+corenet_tcp_bind_generic_node(bird_t)
+corenet_tcp_sendrecv_generic_node(bird_t)
+
+corenet_sendrecv_bgp_client_packets(bird_t)
+corenet_sendrecv_bgp_server_packets(bird_t)
+corenet_tcp_bind_bgp_port(bird_t)
+corenet_tcp_connect_bgp_port(bird_t)
+corenet_tcp_sendrecv_bgp_port(bird_t)
+
+# /etc/iproute2/rt_realms
+files_read_etc_files(bird_t)
+
+logging_send_syslog_msg(bird_t)
+
+miscfiles_read_localization(bird_t)
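Review bot: The bird_t local policy only provisions what BGP needs: a tcp_socket, the bgp port rules and a netlink_route_socket for route installation, with no rawip_socket or udp_socket and no other ports. That is a reasonable scope decision, but nothing in the file says so, and someone enabling another routing protocol (OSPF, as far as I recall, runs over raw IP) will otherwise not know whether the omission is deliberate; a comment at the head of the Local policy section such as `# Only BGP over TCP is covered; other routing protocols need further socket classes and ports.` would record it. The existing `# /etc/iproute2/rt_realms` comment above `files_read_etc_files` is a good model for the per-rule style.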
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
new file mode 100644
index 000000000..e7b0aa607
--- /dev/null
+++ b/policy/modules/services/bitlbee.fc
@@ -0,0 +1,15 @@
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+
+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/bin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
+
+/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
new file mode 100644
index 000000000..3409d80d0
--- /dev/null
+++ b/policy/modules/services/bitlbee.if
@@ -0,0 +1,66 @@
+## <summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary>
+
+########################################
+## <summary>
+## Read bitlbee configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+ gen_require(`
+ type bitlbee_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 bitlbee_conf_t:dir list_dir_perms;
+ allow $1 bitlbee_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bitlbee environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bitlbee_admin',`
+ gen_require(`
+ type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+ type bitlbee_initrc_exec_t, bitlbee_var_run_t;
+ type bitlbee_log_t, bitlbee_tmp_t;
+ ')
+
+ allow $1 bitlbee_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitlbee_t)
+
+ init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, bitlbee_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, bitlbee_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, bitlbee_tmp_t)
+
+ files_search_pids($1)
+ admin_pattern($1, bitlbee_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, bitlbee_var_t)
+')
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
new file mode 100644
index 000000000..b71fff2d3
--- /dev/null
+++ b/policy/modules/services/bitlbee.te
@@ -0,0 +1,125 @@
+policy_module(bitlbee, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+type bitlbee_log_t;
+logging_log_file(bitlbee_log_t)
+
+type bitlbee_var_run_t;
+files_pid_file(bitlbee_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+allow bitlbee_t self:process { setsched signal };
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:tcp_socket { accept listen };
+allow bitlbee_t self:unix_stream_socket { accept listen };
+
+allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
+allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+
+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_all_recvfrom_netlabel(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_bind_generic_node(bitlbee_t)
+
+corenet_sendrecv_jabber_client_client_packets(bitlbee_t)
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+
+corenet_sendrecv_aol_client_packets(bitlbee_t)
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+
+corenet_sendrecv_gatekeeper_client_packets(bitlbee_t)
+corenet_tcp_connect_gatekeeper_port(bitlbee_t)
+corenet_tcp_sendrecv_gatekeeper_port(bitlbee_t)
+
+corenet_sendrecv_mmcc_client_packets(bitlbee_t)
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+
+corenet_sendrecv_msnp_client_packets(bitlbee_t)
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
+corenet_sendrecv_http_client_packets(bitlbee_t)
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+
+corenet_sendrecv_http_cache_client_packets(bitlbee_t)
+corenet_tcp_connect_http_cache_port(bitlbee_t)
+corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+corenet_sendrecv_ircd_server_packets(bitlbee_t)
+corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_ircd_port(bitlbee_t)
+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
+
+corenet_sendrecv_interwise_server_packets(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+optional_policy(`
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
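Review bot: `libs_legacy_use_shared_libs(bitlbee_t)` grants, as I recall, execmod on legacy text-relocation shared libraries, a W^X exception that none of the other daemons in this commit carry, and no comment says which library required it. A comment naming it, e.g. `# for <library, to be confirmed>, which still has text relocations`, would let the rule be dropped once that dependency is fixed, or removed now if nothing still needs it. Separately, the bitlbee_log_t rules manage directories and create files but, unlike bird.te and bind.te, there is no `logging_log_filetrans` call, so if bip creates /var/log/bip itself at runtime the directory would not receive bitlbee_log_t; `logging_log_filetrans(bitlbee_t, bitlbee_log_t, dir, "bip")` would cover that case.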
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
new file mode 100644
index 000000000..4fbe7955a
--- /dev/null
+++ b/policy/modules/services/bluetooth.fc
@@ -0,0 +1,37 @@
+/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key -- gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+
+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
+/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/lock/subsys/bluetoothd -- gen_context(system_u:object_r:bluetooth_lock_t,s0)
+
+/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+')
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
new file mode 100644
index 000000000..dc61988c0
--- /dev/null
+++ b/policy/modules/services/bluetooth.if
@@ -0,0 +1,195 @@
+## <summary>Bluetooth tools and system services.</summary>
+
+########################################
+## <summary>
+## Role access for bluetooth.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`bluetooth_role',`
+ gen_require(`
+ attribute_role bluetooth_helper_roles;
+ type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 bluetooth_helper_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+ ps_process_pattern($2, bluetooth_helper_t)
+ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ allow $2 bluetooth_t:socket rw_socket_perms;
+
+ allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+ files_search_pids($2)
+')
+
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Read bluetooth configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_read_config',`
+ gen_require(`
+ type bluetooth_conf_t;
+ ')
+
+ allow $1 bluetooth_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## bluetooth process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_read_helper_state',`
+ gen_require(`
+ type bluetooth_helper_t;
+ ')
+
+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bluetooth environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
+ type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bluetooth_t)
+
+ init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, bluetooth_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, bluetooth_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t })
+
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
+')
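Review bot: bluetooth_admin leaves bluetooth_unit_t out of its gen_require and out of the init_startstop_service call, although bluetooth.te declares that type for the systemd unit files, so an admin role can manage the service only through the sysvinit script type. If init_startstop_service in this tree accepts the optional unit-file argument, change the call to `init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t, bluetooth_unit_t)` and add `type bluetooth_unit_t;` to the gen_require block. That block also lists bluetooth_var_lib_t on two consecutive type lines; one copy should go. Separately, the summary of bluetooth_dontaudit_read_helper_state says "bluetooth process state files" while the rules target bluetooth_helper_t, so `## bluetooth helper process state files.` would match the body.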
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
new file mode 100644
index 000000000..45e5a361f
--- /dev/null
+++ b/policy/modules/services/bluetooth.te
@@ -0,0 +1,228 @@
+policy_module(bluetooth, 3.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bluetooth_helper_roles;
+
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_config_file(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+role bluetooth_helper_roles types bluetooth_helper_t;
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+userdom_user_tmp_file(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+userdom_user_tmpfs_file(bluetooth_helper_tmpfs_t)
+
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file })
+
+allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
+files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+
+manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
+
+manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+kernel_search_debugfs(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+fs_list_inotifyfs(bluetooth_t)
+
+term_use_unallocated_ttys(bluetooth_t)
+
+auth_use_nsswitch(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_power(bluetooth_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+ udev_read_db(bluetooth_t)
+')
+
+optional_policy(`
+ ppp_domtrans(bluetooth_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen };
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+term_dontaudit_use_all_ttys(bluetooth_helper_t)
+
+auth_use_nsswitch(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(bluetooth_helper_t)
+
+ dbus_system_bus_client(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
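Review bot: sys_tty_config appears in both of the adjacent self:capability rules for bluetooth_t — once in the allow set and once as `dontaudit bluetooth_t self:capability sys_tty_config;` — and once the access is allowed the dontaudit is dead, so the pair reads as a leftover from a change of mind. Keep the one that reflects the daemon's real need: drop sys_tty_config from the allow set if the access is only noise, or drop the dontaudit line if it is genuinely required. The same allow rule also hands sys_admin, dac_override and net_admin to a domain that may run arbitrary binaries and shells (corecmd_exec_bin and corecmd_exec_shell further down), and nothing in the file says which bluetoothd operation needs each of them; a short comment above the rule would let a later reviewer judge whether the set can shrink. The helper's `allow bluetooth_helper_t bluetooth_t:socket { read write };` is narrower than the rw_socket_perms that bluetooth_role and bluetooth_stream_connect grant on the same object, which is not wrong but deserves a one-line comment if it is intentional.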
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 000000000..e1e53a60c
--- /dev/null
+++ b/policy/modules/services/boinc.fc
@@ -0,0 +1,13 @@
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
index 000000000..464a8968d
--- /dev/null
+++ b/policy/modules/services/boinc.if
@@ -0,0 +1,41 @@
+## <summary>Platform for computing using volunteered resources.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an boinc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`boinc_admin',`
+ gen_require(`
+
+ type boinc_t, boinc_project_t, boinc_log_t;
+ type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
+ type boinc_project_var_lib_t, boinc_project_tmp_t;
+ ')
+
+ allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { boinc_t boinc_project_t })
+
+ init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, boinc_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+')
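Review bot: The gen_require block in boinc_admin opens with a stray blank line before the first type declaration, which no other gen_require block in this commit has; remove it. The interface also does not cover boinc_tmpfs_t, which boinc.te declares with files_tmpfs_file and which boinc_t populates through fs_tmpfs_filetrans, so an administrator cannot clean those objects up; adding `admin_pattern($1, boinc_tmpfs_t)` with the type in gen_require (plus fs_search_tmpfs($1) if the role lacks it) would close that gap, unless the omission is deliberate.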
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
index 000000000..ed1aaf348
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,214 @@
+policy_module(boinc, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether boinc can execmem/execstack.
+## </p>
+## </desc>
+gen_tunable(boinc_execmem, true)
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+type boinc_log_t;
+logging_log_file(boinc_log_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
+role system_r types boinc_project_t;
+
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:unix_stream_socket { accept listen };
+allow boinc_t self:tcp_socket { accept listen };
+allow boinc_t self:shm create_shm_perms;
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:sem create_sem_perms;
+
+can_exec(boinc_t, boinc_exec_t)
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+
+# entry files to the boinc_project_t domain
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, file)
+
+can_exec(boinc_t, boinc_var_lib_t)
+libs_exec_lib_files(boinc_t)
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+
+kernel_read_system_state(boinc_t)
+kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+
+corenet_sendrecv_boinc_client_packets(boinc_t)
+corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_sendrecv_boinc_port(boinc_t)
+
+corenet_sendrecv_boinc_client_server_packets(boinc_t)
+corenet_tcp_bind_boinc_client_port(boinc_t)
+corenet_tcp_sendrecv_boinc_client_port(boinc_t)
+
+corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_sendrecv_http_port(boinc_t)
+
+corenet_sendrecv_http_cache_client_packets(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+corenet_tcp_sendrecv_http_cache_port(boinc_t)
+
+corenet_sendrecv_squid_client_packets(boinc_t)
+corenet_tcp_connect_squid_port(boinc_t)
+corenet_tcp_sendrecv_squid_port(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+dev_rw_xserver_misc(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+files_read_etc_files(boinc_t)
+files_read_etc_runtime_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
+init_read_utmp(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+miscfiles_read_fonts(boinc_t)
+miscfiles_read_localization(boinc_t)
+
+tunable_policy(`boinc_execmem',`
+ allow boinc_t self:process { execstack execmem };
+')
+
+optional_policy(`
+ mta_send_mail(boinc_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_xserver_port(boinc_t)
+
+ xserver_list_xdm_tmp(boinc_t)
+ xserver_non_drawing_client(boinc_t)
+')
+
+########################################
+#
+# Project local policy
+#
+
+allow boinc_project_t self:capability { setgid setuid };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+can_exec(boinc_project_t, boinc_project_var_lib_t)
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file { read write };
+
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+
+corenet_all_recvfrom_unlabeled(boinc_project_t)
+corenet_all_recvfrom_netlabel(boinc_project_t)
+corenet_tcp_sendrecv_generic_if(boinc_project_t)
+corenet_tcp_sendrecv_generic_node(boinc_project_t)
+corenet_tcp_bind_generic_node(boinc_project_t)
+
+corenet_sendrecv_boinc_client_packets(boinc_project_t)
+corenet_tcp_connect_boinc_port(boinc_project_t)
+corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_dontaudit_search_home(boinc_project_t)
+
+term_getattr_ptmx(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+
+userdom_getattr_user_ttys(boinc_t)
+
+optional_policy(`
+ java_exec(boinc_project_t)
+')
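Review bot: Five rules placed under the "Project local policy" heading target boinc_t rather than boinc_project_t — `dev_getattr_input_dev(boinc_t)`, `dev_getattr_mouse_dev(boinc_t)`, `term_getattr_ptmx(boinc_t)`, `term_getattr_generic_ptys(boinc_t)` and `userdom_getattr_user_ttys(boinc_t)` — so either the domain or the section is wrong. If these are the client's idle-detection probes (which is what a getattr-only set on input devices and ttys looks like, but I cannot confirm that from the policy alone) they belong in the boinc_t block above, next to the other dev_ and term_ rules; if project applications need them, the argument should be boinc_project_t. The boinc_execmem tunable description ("Determine whether boinc can execmem/execstack") is also misleading, because the tunable_policy block only gates boinc_t while boinc_project_t receives execmem, execstack and execmod unconditionally in the project section; wording such as `## Determine whether the boinc client (boinc_t) can execmem/execstack; project applications always can.` would reflect the actual policy.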
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
new file mode 100644
index 000000000..fce0b6ebf
--- /dev/null
+++ b/policy/modules/services/bugzilla.fc
@@ -0,0 +1,4 @@
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
new file mode 100644
index 000000000..19fce8e0b
--- /dev/null
+++ b/policy/modules/services/bugzilla.if
@@ -0,0 +1,80 @@
+## <summary>Bugtracker.</summary>
+
+########################################
+## <summary>
+## Search bugzilla directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bugzilla_search_content',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write bugzilla script unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bugzilla environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_search_usr($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+
+ files_search_tmp($1)
+ files_search_var_lib($1)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+
+ apache_list_sys_content($1)
+')
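Review bot: bugzilla_admin applies `admin_pattern($1, httpd_bugzilla_script_t)` to a process domain rather than a file type; admin_pattern expands to manage and relabel rules on dir, file, lnk_file, sock_file and fifo_file objects, which appears to be dead for a domain type, and the process itself is already handled by the preceding ps_process_pattern and ptrace/signal_perms rules. That line should be dropped. The `files_search_tmp($1)` call is likewise orphaned — no tmp type is administered by this interface — while httpd_bugzilla_rw_content_t lives under /var/lib according to bugzilla.fc and is reached by the files_search_var_lib call that follows, so the tmp search can go too unless a tmp type is added later.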
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644
index 000000000..1ff9613fc
--- /dev/null
+++ b/policy/modules/services/bugzilla.te
@@ -0,0 +1,47 @@
+policy_module(bugzilla, 1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+########################################
+#
+# Local policy
+#
+
+allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_bugzilla_script_t)
+ mysql_tcp_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+ postgresql_tcp_connect(httpd_bugzilla_script_t)
+')
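Review bot: `allow httpd_bugzilla_script_t self:tcp_socket { accept listen };` at the top of the local policy lets a web-script domain act as a TCP server, yet no corenet_tcp_bind_* rule for it appears in this file, so the permission is either dead or depends on a bind granted inside apache_content_template, which I cannot see from here. If Bugzilla does not listen on a port of its own, drop the line so the script domain stays a pure client (its connect rules for the http and smtp ports below are the expected shape); if some component really does listen, a comment naming it and the matching bind rule belong next to the allow.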
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
index 000000000..f58be76be
--- /dev/null
+++ b/policy/modules/services/cachefilesd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+
+/usr/bin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+
+/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644
index 000000000..c4084b91b
--- /dev/null
+++ b/policy/modules/services/cachefilesd.if
@@ -0,0 +1,36 @@
+## <summary>CacheFiles user-space management daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cachefilesd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cachefilesd_admin',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
+ type cachefilesd_var_run_t;
+ ')
+
+ allow $1 cachefilesd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cachefilesd_t)
+
+ init_startstop_service($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t)
+
+ files_search_var($1)
+ admin_pattern($1, cachefilesd_cache_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cachefilesd_var_run_t)
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
index 000000000..cf1e03371
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
@@ -0,0 +1,76 @@
+policy_module(cachefilesd, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type cachefilesd_t;
+type cachefilesd_exec_t;
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+type cachefilesd_initrc_exec_t;
+init_script_file(cachefilesd_initrc_exec_t)
+
+type cachefilesd_cache_t;
+files_mountpoint(cachefilesd_cache_t)
+
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+########################################
+#
+# Cachefilesd local policy
+#
+
+allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin };
+
+allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
+
+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+
+allow cachefilesd_t cachefilesd_cache_t:kernel_service create_files_as;
+manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+
+dev_rw_cachefiles(cachefilesd_t)
+
+files_read_etc_files(cachefilesd_t)
+
+fs_getattr_xattr_fs(cachefilesd_t)
+
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+logging_send_syslog_msg(cachefilesd_t)
+
+miscfiles_read_localization(cachefilesd_t)
+
+init_dontaudit_use_script_ptys(cachefilesd_t)
+
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
+
+########################################
+#
+# Cachefiles_kernel local policy
+#
+
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+
+manage_dirs_pattern(cachefiles_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
+manage_files_pattern(cachefiles_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
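Review bot: The capability grants are the security-relevant part of this file and carry no justification: cachefilesd_t gets `allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin };` and cachefiles_kernel_t gets dac_override and dac_read_search plus domain_obj_id_change_exemption, which exempts the in-kernel helper from the object identity change constraint. A one-line comment above each rule naming the operation that needs it would let a later reviewer shrink the set safely — for example `# sys_admin: needed to open the /dev/cachefiles control device (dev_rw_cachefiles below)`, if that is in fact the reason here, which I cannot confirm from the policy alone. The two kernel_service rules (`use_as_override` on cachefiles_kernel_t and `create_files_as` on cachefilesd_cache_t) are what let the daemon hand its label choices to the kernel and deserve the same treatment, with a comment stating which cachefilesd configuration directive relies on them.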
diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc
new file mode 100644
index 000000000..3cdd635b3
--- /dev/null
+++ b/policy/modules/services/callweaver.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+
+/usr/bin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
+/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
+/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
+
+/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
+
+/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
+
+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
new file mode 100644
index 000000000..f89bf39ad
--- /dev/null
+++ b/policy/modules/services/callweaver.if
@@ -0,0 +1,78 @@
+## <summary>PBX software.</summary>
+
+########################################
+## <summary>
+## Execute callweaver in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_exec',`
+ gen_require(`
+ type callweaver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, callweaver_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to callweaver over a
+## unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`callweaver_stream_connect',`
+ gen_require(`
+ type callweaver_t, callweaver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an callweaver environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`callweaver_admin',`
+ gen_require(`
+ type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
+ type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t;
+ ')
+
+ allow $1 callweaver_t:process { ptrace signal_perms };
+ ps_process_pattern($1, callweaver_t)
+
+ init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, callweaver_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, callweaver_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
+')
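Review bot: callweaver_admin grants admin_pattern on callweaver_spool_t but only `files_search_var_lib($1)` precedes that call, while callweaver.fc labels the spool under /var/spool/callweaver, so an administrator who relies on this interface alone cannot traverse /var/spool to reach those files. Add `files_search_spool($1)` beside the files_search_var_lib call, or split the combined admin_pattern into one call per type, each preceded by its own search interface, as the log and pid sections of the same interface already do.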
diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
new file mode 100644
index 000000000..3c8fff6fe
--- /dev/null
+++ b/policy/modules/services/callweaver.te
@@ -0,0 +1,87 @@
+policy_module(callweaver, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type callweaver_t;
+type callweaver_exec_t;
+init_daemon_domain(callweaver_t, callweaver_exec_t)
+
+type callweaver_initrc_exec_t;
+init_script_file(callweaver_initrc_exec_t)
+
+type callweaver_log_t;
+logging_log_file(callweaver_log_t)
+
+type callweaver_var_lib_t;
+files_type(callweaver_var_lib_t)
+
+type callweaver_var_run_t;
+files_pid_file(callweaver_var_run_t)
+
+type callweaver_spool_t;
+files_type(callweaver_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow callweaver_t self:capability { setgid setuid sys_nice };
+allow callweaver_t self:process { setsched signal };
+allow callweaver_t self:fifo_file rw_fifo_file_perms;
+allow callweaver_t self:tcp_socket { accept listen };
+allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+append_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+create_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+setattr_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
+logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file })
+
+manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
+manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
+files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file })
+
+manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
+files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
+files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
+
+kernel_read_kernel_sysctls(callweaver_t)
+kernel_read_sysctl(callweaver_t)
+
+corenet_all_recvfrom_unlabeled(callweaver_t)
+corenet_all_recvfrom_netlabel(callweaver_t)
+corenet_udp_sendrecv_generic_if(callweaver_t)
+corenet_udp_sendrecv_generic_node(callweaver_t)
+corenet_udp_sendrecv_all_ports(callweaver_t)
+corenet_udp_bind_generic_node(callweaver_t)
+
+corenet_sendrecv_asterisk_server_packets(callweaver_t)
+corenet_udp_bind_asterisk_port(callweaver_t)
+
+corenet_sendrecv_generic_server_packets(callweaver_t)
+corenet_udp_bind_generic_port(callweaver_t)
+
+corenet_sendrecv_sip_server_packets(callweaver_t)
+corenet_udp_bind_sip_port(callweaver_t)
+
+dev_manage_generic_symlinks(callweaver_t)
+
+domain_use_interactive_fds(callweaver_t)
+
+term_getattr_pty_fs(callweaver_t)
+term_use_generic_ptys(callweaver_t)
+term_use_ptmx(callweaver_t)
+
+auth_use_nsswitch(callweaver_t)
+
+miscfiles_read_localization(callweaver_t)
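Review bot: `allow callweaver_t self:tcp_socket { accept listen };` (fifth rule of the local policy block) has no companion TCP corenet rule — every network interface below it is UDP (`corenet_udp_sendrecv_*`, `corenet_udp_bind_*`), so the domain may listen on a TCP socket it is never allowed to bind to a node or port. Either the permission is stale or the bind rules are missing; the policy alone does not say which. A comment such as `# tcp accept/listen has no corenet tcp bind rule; verify against callweaver's listeners` above that line records the open question, or the rule can be dropped once confirmed unused. Separately, `corenet_udp_sendrecv_all_ports` is the widest rule in the block; if it exists for the RTP dynamic port range, a comment saying so would help the next reader judge it.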
diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
new file mode 100644
index 000000000..7688d0ecb
--- /dev/null
+++ b/policy/modules/services/canna.fc
@@ -0,0 +1,19 @@
+/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
+
+/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+
+/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+
+/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
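Review bot: `/run/wnn-unix(/.*)` on the last line has no `?` after the group, so the pattern matches the directory's contents but not `/run/wnn-unix` itself, which keeps whatever label its parent gives it; the iroha entry two lines above labels its directory explicitly with `-d`. Unless the omission is deliberate, `/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)` labels both the directory and its contents.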
diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if
new file mode 100644
index 000000000..e3fd19939
--- /dev/null
+++ b/policy/modules/services/canna.if
@@ -0,0 +1,59 @@
+## <summary>Kana-kanji conversion server.</summary>
+
+########################################
+## <summary>
+## Connect to Canna using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`canna_stream_connect',`
+ gen_require(`
+ type canna_t, canna_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an canna environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`canna_admin',`
+ gen_require(`
+ type canna_t, canna_log_t, canna_var_lib_t;
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+ allow $1 canna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, canna_t)
+
+ init_startstop_service($1, $2, canna_t, canna_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, canna_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, canna_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, canna_var_run_t)
+')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
new file mode 100644
index 000000000..d4a2b7872
--- /dev/null
+++ b/policy/modules/services/canna.te
@@ -0,0 +1,96 @@
+policy_module(canna, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type canna_t;
+type canna_exec_t;
+init_daemon_domain(canna_t, canna_exec_t)
+
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
+type canna_log_t;
+logging_log_file(canna_log_t)
+
+type canna_var_lib_t;
+files_type(canna_var_lib_t)
+
+type canna_var_run_t;
+files_pid_file(canna_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow canna_t self:capability { net_bind_service setgid setuid };
+dontaudit canna_t self:capability sys_tty_config;
+allow canna_t self:process signal_perms;
+allow canna_t self:unix_stream_socket { accept connectto listen };
+allow canna_t self:unix_dgram_socket { accept listen };
+allow canna_t self:tcp_socket create_stream_socket_perms;
+
+allow canna_t canna_log_t:dir setattr_dir_perms;
+append_files_pattern(canna_t, canna_log_t, canna_log_t)
+create_files_pattern(canna_t, canna_log_t, canna_log_t)
+setattr_files_pattern(canna_t, canna_log_t, canna_log_t)
+logging_log_filetrans(canna_t, canna_log_t, file)
+
+manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
+
+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
+
+kernel_read_kernel_sysctls(canna_t)
+kernel_read_system_state(canna_t)
+
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
+corenet_tcp_sendrecv_generic_if(canna_t)
+corenet_tcp_sendrecv_generic_node(canna_t)
+
+corenet_sendrecv_all_client_packets(canna_t)
+corenet_tcp_connect_all_ports(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
+
+dev_read_sysfs(canna_t)
+
+fs_getattr_all_fs(canna_t)
+fs_search_auto_mountpoints(canna_t)
+
+domain_use_interactive_fds(canna_t)
+
+files_read_etc_files(canna_t)
+files_read_etc_runtime_files(canna_t)
+files_read_usr_files(canna_t)
+files_search_tmp(canna_t)
+files_dontaudit_read_root_files(canna_t)
+
+logging_send_syslog_msg(canna_t)
+
+miscfiles_read_localization(canna_t)
+
+sysnet_read_config(canna_t)
+
+userdom_dontaudit_use_unpriv_user_fds(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
+
+optional_policy(`
+ nis_use_ypbind(canna_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(canna_t)
+')
+
+optional_policy(`
+ udev_read_db(canna_t)
+')
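Review bot: `corenet_tcp_connect_all_ports(canna_t)` together with `corenet_sendrecv_all_client_packets(canna_t)` lets a kana-kanji conversion server initiate TCP connections to any port, far wider than the listen-side rules in this block, and there is no comment explaining why. If the daemon only needs a specific peer, a port-specific corenet tcp connect interface would be the least-privilege choice; if the wide rule is intentional, a comment like `# canna connects to arbitrary remote ports; narrow once the peer is known` records that it was reviewed. I also note `net_bind_service` in the self capability set with no `corenet_tcp_bind_*` rule anywhere in the block, so either the capability is unused or a bind rule is missing.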
diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc
new file mode 100644
index 000000000..f428bee05
--- /dev/null
+++ b/policy/modules/services/ccs.fc
@@ -0,0 +1,14 @@
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
+
+/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
+
+/usr/bin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
+
+/var/log/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_log_t,s0)
+
+/run/cluster/((ccs)|(ccsd))\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/run/cluster/((ccs)|(ccsd))\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
new file mode 100644
index 000000000..767fb7127
--- /dev/null
+++ b/policy/modules/services/ccs.if
@@ -0,0 +1,124 @@
+## <summary>Cluster Configuration System.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ccs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ccs_domtrans',`
+ gen_require(`
+ type ccs_t, ccs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ccs_exec_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Connect to ccs over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_stream_connect',`
+ gen_require(`
+ type ccs_t, ccs_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Read cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_read_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_manage_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
+ manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ccs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ccs_admin',`
+ gen_require(`
+ type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
+ type ccs_var_lib_t, ccs_var_log_t;
+ type ccs_var_run_t, ccs_tmp_t;
+ ')
+
+ allow $1 ccs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ccs_t)
+
+ init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cluster_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ccs_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, ccs_var_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ccs_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, ccs_tmp_t)
+')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
new file mode 100644
index 000000000..12865a834
--- /dev/null
+++ b/policy/modules/services/ccs.te
@@ -0,0 +1,129 @@
+policy_module(ccs, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+type ccs_initrc_exec_t;
+init_script_file(ccs_initrc_exec_t)
+
+type cluster_conf_t;
+files_config_file(cluster_conf_t)
+
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
+
+type ccs_var_lib_t;
+logging_log_file(ccs_var_lib_t)
+
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
+allow ccs_t self:process { signal setrlimit setsched };
+dontaudit ccs_t self:process ptrace;
+allow ccs_t self:fifo_file rw_fifo_file_perms;
+allow ccs_t self:unix_stream_socket { accept connectto listen };
+allow ccs_t self:tcp_socket { accept listen };
+allow ccs_t self:udp_socket { accept listen recv_msg send_msg };
+allow ccs_t self:socket create_socket_perms;
+
+manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
+
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file })
+
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
+
+manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file })
+
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file })
+
+manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+files_pid_filetrans(ccs_t, ccs_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ccs_t)
+
+corecmd_list_bin(ccs_t)
+corecmd_exec_bin(ccs_t)
+
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
+corenet_tcp_sendrecv_generic_if(ccs_t)
+corenet_udp_sendrecv_generic_if(ccs_t)
+corenet_tcp_sendrecv_generic_node(ccs_t)
+corenet_udp_sendrecv_generic_node(ccs_t)
+corenet_tcp_bind_generic_node(ccs_t)
+corenet_udp_bind_generic_node(ccs_t)
+
+corenet_sendrecv_cluster_server_packets(ccs_t)
+corenet_tcp_bind_cluster_port(ccs_t)
+corenet_tcp_sendrecv_cluster_port(ccs_t)
+corenet_udp_bind_cluster_port(ccs_t)
+corenet_udp_sendrecv_cluster_port(ccs_t)
+
+corenet_sendrecv_netsupport_server_packets(ccs_t)
+corenet_udp_bind_netsupport_port(ccs_t)
+
+dev_read_urand(ccs_t)
+
+files_read_etc_files(ccs_t)
+files_read_etc_runtime_files(ccs_t)
+
+init_rw_script_tmp_files(ccs_t)
+
+logging_send_syslog_msg(ccs_t)
+
+miscfiles_read_localization(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
+ifdef(`hide_broken_symptoms',`
+ kernel_manage_unlabeled_files(ccs_t)
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
+ qpidd_rw_semaphores(ccs_t)
+ qpidd_rw_shm(ccs_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ccs_t)
+')
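Review bot: `logging_log_file(ccs_var_lib_t)` in the declarations gives the /var/lib state type the log-file attribute; the sibling `ccs_var_log_t` two lines below uses the same interface, and ccs.fc labels `/var/lib/cluster/ccs*` with `ccs_var_lib_t`. Every other `*_var_lib_t` in this series (callweaver, canna, certmaster, certmonger) is declared with `files_type`, so this looks like a copy-and-paste slip rather than intent; the consequence is that any domain granted access to all log files also reaches ccs state under /var/lib. Unless ccs really writes logs there, `files_type(ccs_var_lib_t)` is the expected declaration.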
diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc
new file mode 100644
index 000000000..8322c3487
--- /dev/null
+++ b/policy/modules/services/certmaster.fc
@@ -0,0 +1,11 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+
+/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
new file mode 100644
index 000000000..965755cdb
--- /dev/null
+++ b/policy/modules/services/certmaster.if
@@ -0,0 +1,143 @@
+## <summary>Remote certificate distribution framework.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmaster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+####################################
+## <summary>
+## Execute certmaster in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
+#######################################
+## <summary>
+## read certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Append certmaster log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## certmaster log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an certmaster environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_startstop_service($1, $2, certmaster_t, certmaster_initrc_exec_t)
+
+ files_list_etc($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
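Review bot: `certmaster_admin` grants `miscfiles_manage_generic_cert_dirs($1)` and `miscfiles_manage_generic_cert_files($1)`, which is write access to the system's generic certificate store rather than to a certmaster-owned type, and nothing in the interface summary tells a policy author that calling it widens the admin role this far. The other `*_admin` interfaces in this series stay within their own module's types. If the access is needed because administering certmaster involves the generic cert directories, say so in the summary, e.g. `## Also grants management of generic certificate content.`; otherwise it belongs in a separate, explicitly named interface.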
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
new file mode 100644
index 000000000..daeb417df
--- /dev/null
+++ b/policy/modules/services/certmaster.te
@@ -0,0 +1,75 @@
+policy_module(certmaster, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# Local policy
+#
+
+allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config };
+allow certmaster_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { dir file })
+
+append_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+create_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+setattr_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+kernel_read_system_state(certmaster_t)
+
+corecmd_exec_bin(certmaster_t)
+
+corenet_all_recvfrom_unlabeled(certmaster_t)
+corenet_all_recvfrom_netlabel(certmaster_t)
+corenet_tcp_sendrecv_generic_if(certmaster_t)
+corenet_tcp_sendrecv_generic_node(certmaster_t)
+corenet_tcp_bind_generic_node(certmaster_t)
+
+corenet_sendrecv_certmaster_server_packets(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+
+dev_read_urand(certmaster_t)
+
+files_list_var(certmaster_t)
+files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)
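Review bot: `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )` and `files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })` carry stray spaces around the argument separators; m4 keeps trailing whitespace inside an argument, which appears harmless here but differs from every other call in the file. `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)` and `files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })` match the house style.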
diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc
new file mode 100644
index 000000000..7d357324c
--- /dev/null
+++ b/policy/modules/services/certmonger.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/bin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+
+/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
new file mode 100644
index 000000000..3a456b70d
--- /dev/null
+++ b/policy/modules/services/certmonger.if
@@ -0,0 +1,172 @@
+## <summary>Certificate status monitor and PKI enrollment client.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmonger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_domtrans',`
+ gen_require(`
+ type certmonger_t, certmonger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## certmonger over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_dbus_chat',`
+ gen_require(`
+ type certmonger_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 certmonger_t:dbus send_msg;
+ allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute certmonger server in
+## the certmonger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_initrc_domtrans',`
+ gen_require(`
+ type certmonger_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read certmonger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_pid_files',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search certmonger lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_search_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ allow $1 certmonger_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an certmonger environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmonger_admin',`
+ gen_require(`
+ type certmonger_t, certmonger_initrc_exec_t;
+ type certmonger_var_lib_t, certmonger_var_run_t;
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+ allow $1 certmonger_t:process { ptrace signal_perms };
+
+ init_startstop_service($1, $2, certmonger_t, certmonger_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+')
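Review bot: the summary of `certmonger_initrc_domtrans` says "Execute certmonger server in the certmonger domain", but the body calls `init_labeled_script_domtrans($1, certmonger_initrc_exec_t)`, which transitions the caller into the init script domain for the labeled init script, not into `certmonger_t`; the interface that enters `certmonger_t` is `certmonger_domtrans` at the top of the file. A reader choosing the interface by its summary would grant the wrong thing. `## Execute certmonger init scripts in the init script domain.` describes what the rule actually does.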
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
new file mode 100644
index 000000000..6e569dff8
--- /dev/null
+++ b/policy/modules/services/certmonger.te
@@ -0,0 +1,102 @@
+policy_module(certmonger, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmonger_t;
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
+type certmonger_var_lib_t;
+files_type(certmonger_var_lib_t)
+
+type certmonger_var_run_t;
+files_pid_file(certmonger_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
+allow certmonger_t self:capability2 block_suspend;
+allow certmonger_t self:process { getsched setsched sigkill signal };
+allow certmonger_t self:fifo_file rw_fifo_file_perms;
+allow certmonger_t self:unix_stream_socket { accept listen };
+allow certmonger_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, dir)
+
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(certmonger_t)
+kernel_read_system_state(certmonger_t)
+
+corenet_all_recvfrom_unlabeled(certmonger_t)
+corenet_all_recvfrom_netlabel(certmonger_t)
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+
+corenet_sendrecv_certmaster_client_packets(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_sendrecv_certmaster_port(certmonger_t)
+
+corecmd_exec_bin(certmonger_t)
+corecmd_exec_shell(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
+domain_use_interactive_fds(certmonger_t)
+
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+fs_search_cgroup_dirs(certmonger_t)
+
+auth_use_nsswitch(certmonger_t)
+auth_rw_cache(certmonger_t)
+
+init_getattr_all_script_files(certmonger_t)
+
+logging_send_syslog_msg(certmonger_t)
+
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
+
+userdom_search_user_home_content(certmonger_t)
+
+optional_policy(`
+ apache_initrc_domtrans(certmonger_t)
+ apache_search_config(certmonger_t)
+ apache_signal(certmonger_t)
+ apache_signull(certmonger_t)
+')
+
+optional_policy(`
+ bind_search_cache(certmonger_t)
+')
+
+optional_policy(`
+ dbus_connect_system_bus(certmonger_t)
+ dbus_system_bus_client(certmonger_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(certmonger_t)
+ kerberos_use(certmonger_t)
+')
+
+optional_policy(`
+ pcscd_read_pid_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+')
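Review bot: `userdom_search_user_home_content(certmonger_t)` and the `apache_initrc_domtrans`/`apache_signal` optional block are the two grants a reader cannot derive from a certificate-monitoring daemon's job, and neither has a comment. If the home search is for user-supplied key or certificate paths and the apache block is for restarting httpd after a renewal, a one-line comment on each keeps the next maintainer from removing or widening them, e.g. `# restart or signal httpd after a certificate is renewed` above the apache `optional_policy`. I am inferring both purposes from the daemon's role; confirm them before writing them down.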
diff --git a/policy/modules/services/cgmanager.fc b/policy/modules/services/cgmanager.fc
new file mode 100644
index 000000000..d638d1967
--- /dev/null
+++ b/policy/modules/services/cgmanager.fc
@@ -0,0 +1,10 @@
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
+
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
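Review bot: `/run/cgmanager.pid` on the fourth line has an unescaped dot and no object-class field, so as a regex it also matches names like `/run/cgmanagerXpid` of any file type; ccs.fc in this same series writes `\.pid --` for its pid file. `/run/cgmanager\.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)` is the conventional form and pins the entry to a regular file.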
diff --git a/policy/modules/services/cgmanager.if b/policy/modules/services/cgmanager.if
new file mode 100644
index 000000000..ad459a689
--- /dev/null
+++ b/policy/modules/services/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/policy/modules/services/cgmanager.te b/policy/modules/services/cgmanager.te
new file mode 100644
index 000000000..2faf6b792
--- /dev/null
+++ b/policy/modules/services/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+# for the release agent
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+auth_use_nsswitch(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+
+fs_unmount_xattr_fs(cgmanager_t)
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+fs_getattr_tmpfs(cgmanager_t)
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
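Review bot: `domain_read_all_domains_state(cgmanager_t)` in the middle of the hunk is a broad grant — read access to the /proc state of every domain — and, unlike the mount-namespace rules a few lines below, it carries no why-comment, which is what a reviewer of this policy will most want justified. Presumably the daemon needs the requesting client's `/proc/<pid>/` entries (cgroup membership) to validate requests; confirm against the daemon before keeping it. Suggest `# read /proc/<pid>/ of requesting clients for cgroup membership checks` above that line. `kernel_domtrans_to` already has its "for the release agent" comment, so only this grant is undocumented.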
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
new file mode 100644
index 000000000..f631358ec
--- /dev/null
+++ b/policy/modules/services/cgroup.fc
@@ -0,0 +1,19 @@
+/etc/cgconfig\.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules\.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred\.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/usr/bin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/usr/bin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/usr/bin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0)
+/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 000000000..a8870b96c
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,187 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_t, cgconfig_exec_t;
+ ')
+
+ domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute CG config init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+ gen_require(`
+ type cgred_t, cgred_exec_t;
+ ')
+
+ domtrans_pattern($1, cgred_exec_t, cgred_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+ gen_require(`
+ type cgred_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
+## Connect to CG rules engine daemon
+## over unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect_cgred', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgroup environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+ gen_require(`
+ type cgred_t, cgconfig_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+ allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+
+ admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
+ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+ files_list_pids($1)
+
+ init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t)
+ init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t)
+
+ cgroup_run_cgclear($1, $2)
+')
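Review bot: `cgroup_admin` administers the config and pid types but omits cgred_log_t, which cgroup.te declares and cgroup.fc labels for `/var/log/cgrulesengd\.log.*`, so an admin role still cannot rotate or remove the cgred log. Add `type cgred_log_t;` to the gen_require block and, next to the other admin_pattern calls, `logging_list_logs($1)` and `admin_pattern($1, cgred_log_t)`. Separately, the summary of `cgroup_initrc_domtrans_cgred` reads "Execute a domain transition to run CG rules engine daemon. domain." — a copy-paste remnant that should mirror its cgconfig twin: "Execute CG rules engine daemon init scripts in the init script domain." The admin summary's "an cgroup environment" should be "a cgroup environment"; the same article slip appears in the admin summaries of chronyd.if, cipe.if and clamav.if.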
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
new file mode 100644
index 000000000..ac7294a2e
--- /dev/null
+++ b/policy/modules/services/cgroup.te
@@ -0,0 +1,108 @@
+policy_module(cgroup, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
+
+type cgconfig_t;
+type cgconfig_exec_t;
+init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+type cgconfig_etc_t;
+files_config_file(cgconfig_etc_t)
+
+########################################
+#
+# cgclear local policy
+#
+
+allow cgclear_t self:capability { dac_override dac_read_search sys_admin };
+
+allow cgclear_t cgconfig_etc_t:file read_file_perms;
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_manage_cgroup_dirs(cgclear_t)
+fs_manage_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
+########################################
+#
+# cgconfig local policy
+#
+
+allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config };
+
+allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
+kernel_list_unlabeled(cgconfig_t)
+kernel_read_system_state(cgconfig_t)
+
+files_read_etc_files(cgconfig_t)
+
+fs_manage_cgroup_dirs(cgconfig_t)
+fs_manage_cgroup_files(cgconfig_t)
+fs_mount_cgroup(cgconfig_t)
+fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
+
+########################################
+#
+# cgred local policy
+#
+
+allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+kernel_read_all_sysctls(cgred_t)
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
+
+files_getattr_all_files(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_read_all_symlinks(cgred_t)
+files_read_etc_files(cgred_t)
+
+fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
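Review bot: The cgred rules grant `sys_ptrace` in the self:capability set and a generic `self:netlink_socket { write bind create read }` without a comment on why a rules daemon needs either, and those are the two grants a later reviewer will most want justified. cgrulesengd presumably subscribes to the kernel process-event connector (fork/exec/uid-change notifications) over that netlink socket and reads other processes' /proc entries to classify them — confirm against the daemon. Suggest `# process-event connector: fork/exec/setuid notifications` above the netlink line and `# sys_ptrace: read /proc/<pid>/ of unrelated processes to classify them` on the capability line.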
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
new file mode 100644
index 000000000..7153deee0
--- /dev/null
+++ b/policy/modules/services/chronyd.fc
@@ -0,0 +1,25 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+
+/run/chronyd?(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+')
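Review bot: The comment `# Systend unit files` above the systemd entries misspells the project name and should read `# Systemd unit files`. The patterns `/usr/lib/systemd/system/[^/]*chrony-wait.*` and `[^/]*chronyd.*` also match any unrelated unit whose name merely contains those strings; anchoring on the unit suffix as clamav.fc does (`clamd.*\.service`) would be tighter, though the wide match is presumably intended to cover chronyd.service and related units — confirm which units exist before narrowing.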
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
new file mode 100644
index 000000000..bc4ba6916
--- /dev/null
+++ b/policy/modules/services/chronyd.if
@@ -0,0 +1,361 @@
+## <summary>Chrony NTP background daemon.</summary>
+
+#####################################
+## <summary>
+## Execute chronyd in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans',`
+ gen_require(`
+ type chronyd_t, chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+')
+
+#####################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
+########################################
+## <summary>
+## Execute chronyd server in the
+## chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
+####################################
+## <summary>
+## Execute chronyd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_exec',`
+ gen_require(`
+ type chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, chronyd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_cli($1)
+ roleattribute $2 chronyc_roles;
+')
+
+#####################################
+## <summary>
+## Read chronyd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_log',`
+ gen_require(`
+ type chronyd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+')
+
+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write chronyd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Connect to chronyd using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
+########################################
+## <summary>
+## Send to chronyd using a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_dgram_send',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
+########################################
+## <summary>
+## Read chronyd key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_key_files',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+## Allow specified domain to enable and disable chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start and stop chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
+########################################
+## <summary>
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_dgram_send_cli',`
+ gen_require(`
+ type chronyc_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
+####################################
+## <summary>
+## All of the rules required to
+## administrate an chronyd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_admin',`
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_initrc_exec_t, chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, chronyd_t)
+
+ init_startstop_service($1, $2, chronyd_t, chronyd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+')
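Review bot: The summary of `chronyd_initrc_domtrans` says "Execute chronyd server in the chronyd domain.", but the body calls `init_labeled_script_domtrans`, i.e. it runs the chronyd init script in the init script domain; the wording duplicates `chronyd_domtrans` and should read "Execute chronyd init scripts in the init script domain." Separately, `chronyd_admin` administers keys, logs, lib and pid content but not chronyd_conf_t, which chronyd.te declares and chronyd.fc labels at `/etc/chrony\.conf`, so an admin role cannot edit the main configuration. Add `type chronyd_conf_t;` to the gen_require block and change the keys line to `admin_pattern($1, { chronyd_conf_t chronyd_keys_t })`.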
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
new file mode 100644
index 000000000..e89aa2feb
--- /dev/null
+++ b/policy/modules/services/chronyd.te
@@ -0,0 +1,152 @@
+policy_module(chronyd, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chronyc_roles;
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
+
+########################################
+#
+# chronyd local policy
+#
+
+allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, dir)
+
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+append_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+create_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+setattr_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, dir)
+
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(chronyd_t)
+kernel_read_network_state(chronyd_t)
+
+corenet_all_recvfrom_unlabeled(chronyd_t)
+corenet_all_recvfrom_netlabel(chronyd_t)
+corenet_udp_sendrecv_generic_if(chronyd_t)
+corenet_udp_sendrecv_generic_node(chronyd_t)
+corenet_udp_bind_generic_node(chronyd_t)
+
+corenet_sendrecv_ntp_client_packets(chronyd_t)
+corenet_sendrecv_ntp_server_packets(chronyd_t)
+corenet_udp_bind_ntp_port(chronyd_t)
+corenet_udp_sendrecv_ntp_port(chronyd_t)
+
+corenet_sendrecv_chronyd_server_packets(chronyd_t)
+corenet_udp_bind_chronyd_port(chronyd_t)
+corenet_udp_sendrecv_chronyd_port(chronyd_t)
+
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+chronyd_dgram_send_cli(chronyd_t)
+chronyd_read_config(chronyd_t)
+
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+ mta_send_mail(chronyd_t)
+')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+locallogin_use_fds(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+userdom_use_user_ttys(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
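Review bot: The chronyc rules give the client `manage_dirs_pattern` and `manage_files_pattern` over chronyd_var_run_t plus a `files_pid_filetrans` for dir and file, which lets any user reaching chronyc_t through `chronyd_run_cli` delete or replace the daemon's pid file and create arbitrary files in /run/chrony. If the client only needs its own command socket in that directory, keeping `manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)` (which already grants rw_dir_perms on the directory) and narrowing the transition to `files_pid_filetrans(chronyc_t, chronyd_var_run_t, sock_file)` is enough, with the two manage dirs/files lines dropped — confirm against what chronyc actually creates. The hunk also ends with an empty added line, leaving a trailing blank line at end of file.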
diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc
new file mode 100644
index 000000000..2cfb0ae90
--- /dev/null
+++ b/policy/modules/services/cipe.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
+
+/usr/bin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
+
+/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if
new file mode 100644
index 000000000..11ec9dc5b
--- /dev/null
+++ b/policy/modules/services/cipe.if
@@ -0,0 +1,29 @@
+## <summary>Encrypted tunnel daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cipe environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cipe_admin',`
+ gen_require(`
+ type ciped_t, ciped_initrc_exec_t;
+ ')
+
+ allow $1 ciped_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ciped_t)
+
+ init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t)
+')
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
new file mode 100644
index 000000000..18e06be98
--- /dev/null
+++ b/policy/modules/services/cipe.te
@@ -0,0 +1,72 @@
+policy_module(cipe, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type ciped_t;
+type ciped_exec_t;
+init_daemon_domain(ciped_t, ciped_exec_t)
+
+type ciped_initrc_exec_t;
+init_script_file(ciped_initrc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
+dontaudit ciped_t self:capability sys_tty_config;
+allow ciped_t self:process signal_perms;
+allow ciped_t self:fifo_file rw_fifo_file_perms;
+allow ciped_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ciped_t)
+kernel_read_system_state(ciped_t)
+
+corecmd_exec_shell(ciped_t)
+corecmd_exec_bin(ciped_t)
+
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
+corenet_udp_sendrecv_generic_if(ciped_t)
+corenet_udp_sendrecv_generic_node(ciped_t)
+corenet_udp_bind_generic_node(ciped_t)
+
+corenet_sendrecv_afs_bos_server_packets(ciped_t)
+corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_udp_sendrecv_afs_bos_port(ciped_t)
+
+dev_read_rand(ciped_t)
+dev_read_sysfs(ciped_t)
+dev_read_urand(ciped_t)
+
+domain_use_interactive_fds(ciped_t)
+
+files_read_etc_files(ciped_t)
+files_read_etc_runtime_files(ciped_t)
+files_dontaudit_search_var(ciped_t)
+
+fs_search_auto_mountpoints(ciped_t)
+
+logging_send_syslog_msg(ciped_t)
+
+miscfiles_read_localization(ciped_t)
+
+sysnet_read_config(ciped_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+
+optional_policy(`
+ nis_use_ypbind(ciped_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ciped_t)
+')
+
+optional_policy(`
+ udev_read_db(ciped_t)
+')
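Review bot: `sys_tty_config` is both allowed in `allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };` and dontaudited on the very next line; once the permission is allowed the dontaudit is dead, so one of the two is a mistake. The usual refpolicy shape is to allow only what the daemon needs and keep the dontaudit for the noisy probe, i.e. `allow ciped_t self:capability { ipc_lock net_admin };` — confirm the daemon does not actually require the capability before dropping it, and delete the dontaudit instead if it does.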
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
new file mode 100644
index 000000000..70fb22e69
--- /dev/null
+++ b/policy/modules/services/clamav.fc
@@ -0,0 +1,30 @@
+/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+
+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+
+/usr/bin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+
+/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
new file mode 100644
index 000000000..7ad8e800c
--- /dev/null
+++ b/policy/modules/services/clamav.if
@@ -0,0 +1,224 @@
+## <summary>ClamAV Virus Scanner.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans',`
+ gen_require(`
+ type clamd_t, clamd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Connect to clamd using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_stream_connect',`
+ gen_require(`
+ type clamd_t, clamd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Append clamav log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamd_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## clamav pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_manage_pid_content',`
+ gen_require(`
+ type clamd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read clamav configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_config',`
+ gen_require(`
+ type clamd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 clamd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search clamav library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_search_lib',`
+ gen_require(`
+ type clamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run clamscan.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_clamscan',`
+ gen_require(`
+ type clamscan_t, clamscan_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+')
+
+########################################
+## <summary>
+## Execute clamscan in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, clamscan_exec_t)
+')
+
+#######################################
+## <summary>
+## Read clamd process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_state_clamd',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 clamd_t:dir list_dir_perms;
+ read_files_pattern($1, clamd_t, clamd_t)
+ read_lnk_files_pattern($1, clamd_t, clamd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an clamav environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
+ type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+ allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+
+ init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+')
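Review bot: `clamav_admin` calls `init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)` without the clamd_unit_t type that clamav.te declares and clamav.fc labels for `clamd.*\.service`, so on a systemd host the admin role is not granted control of the unit even though the rest of the admin interface is complete. If this tree's init_startstop_service accepts the optional unit-file argument, add `type clamd_unit_t;` to gen_require and use `init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t, clamd_unit_t)`; otherwise the unit access should be granted explicitly alongside it. The same gap exists for chronyd_unit_t in `chronyd_admin` in chronyd.if.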
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
new file mode 100644
index 000000000..2f78260fb
--- /dev/null
+++ b/policy/modules/services/clamav.te
@@ -0,0 +1,337 @@
+policy_module(clamav, 1.15.0)
+
+## <desc>
+## <p>
+## Determine whether clamscan can
+## read user content files.
+## </p>
+## </desc>
+gen_tunable(clamav_read_user_content_files_clamscan, false)
+
+## <desc>
+## <p>
+## Determine whether clamscan can read
+## all non-security files.
+## </p>
+## </desc>
+gen_tunable(clamav_read_all_non_security_files_clamscan, false)
+
+## <desc>
+## <p>
+## Determine whether can clamd use JIT compiler.
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
+
+########################################
+#
+# Declarations
+#
+
+type clamd_t;
+type clamd_exec_t;
+init_daemon_domain(clamd_t, clamd_exec_t)
+
+type clamd_etc_t;
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
+
+type clamd_tmp_t;
+files_tmp_file(clamd_tmp_t)
+
+type clamd_unit_t;
+init_unit_file(clamd_unit_t)
+
+type clamd_var_log_t;
+logging_log_file(clamd_var_log_t)
+
+type clamd_var_lib_t;
+files_type(clamd_var_lib_t)
+
+type clamd_var_run_t;
+files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
+
+type clamscan_t;
+type clamscan_exec_t;
+init_daemon_domain(clamscan_t, clamscan_exec_t)
+
+type clamscan_tmp_t;
+files_tmp_file(clamscan_tmp_t)
+
+type freshclam_t;
+type freshclam_exec_t;
+init_daemon_domain(freshclam_t, freshclam_exec_t)
+
+type freshclam_var_log_t;
+logging_log_file(freshclam_var_log_t)
+
+########################################
+#
+# Clamd local policy
+#
+
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
+allow clamd_t self:process signal;
+allow clamd_t self:fifo_file rw_fifo_file_perms;
+allow clamd_t self:unix_stream_socket { accept connectto listen };
+allow clamd_t self:tcp_socket { listen accept };
+
+allow clamd_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+
+manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+append_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+create_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+setattr_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
+
+kernel_dontaudit_list_proc(clamd_t)
+kernel_read_sysctl(clamd_t)
+kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
+
+corecmd_exec_shell(clamd_t)
+
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
+corenet_tcp_sendrecv_generic_if(clamd_t)
+corenet_tcp_sendrecv_generic_node(clamd_t)
+corenet_tcp_sendrecv_all_ports(clamd_t)
+corenet_tcp_bind_generic_node(clamd_t)
+
+corenet_sendrecv_generic_server_packets(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+
+corenet_sendrecv_generic_client_packets(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
+
+corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+
+dev_read_rand(clamd_t)
+dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
+
+domain_use_interactive_fds(clamd_t)
+
+files_read_etc_runtime_files(clamd_t)
+files_search_spool(clamd_t)
+
+auth_use_nsswitch(clamd_t)
+
+logging_send_syslog_msg(clamd_t)
+
+miscfiles_read_localization(clamd_t)
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+',`
+ dontaudit clamd_t self:process execmem;
+')
+
+optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_create_pid_files(clamd_t)
+')
+
+optional_policy(`
+ cron_use_fds(clamd_t)
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
+optional_policy(`
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+')
+
+########################################
+#
+# Freshclam local policy
+#
+
+allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:fifo_file rw_fifo_file_perms;
+allow freshclam_t self:unix_stream_socket { accept listen };
+allow freshclam_t self:tcp_socket { accept listen };
+
+allow freshclam_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+
+manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+
+manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+append_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+create_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+setattr_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
+stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t)
+
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
+
+kernel_dontaudit_list_proc(freshclam_t)
+kernel_read_kernel_sysctls(freshclam_t)
+kernel_read_network_state(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
+corenet_tcp_sendrecv_generic_if(freshclam_t)
+corenet_tcp_sendrecv_generic_node(freshclam_t)
+
+corenet_sendrecv_clamd_client_packets(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
+corenet_tcp_sendrecv_clamd_port(freshclam_t)
+
+corenet_sendrecv_http_client_packets(freshclam_t)
+corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_sendrecv_http_port(freshclam_t)
+
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
+corenet_sendrecv_squid_client_packets(freshclam_t)
+corenet_tcp_connect_squid_port(freshclam_t)
+corenet_tcp_sendrecv_squid_port(freshclam_t)
+
+dev_read_rand(freshclam_t)
+dev_read_urand(freshclam_t)
+
+domain_use_interactive_fds(freshclam_t)
+
+files_read_etc_runtime_files(freshclam_t)
+files_search_var_lib(freshclam_t)
+
+auth_use_nsswitch(freshclam_t)
+
+logging_send_syslog_msg(freshclam_t)
+
+miscfiles_read_localization(freshclam_t)
+
+tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+',`
+ dontaudit freshclam_t self:process execmem;
+')
+
+optional_policy(`
+ amavis_manage_spool_files(freshclam_t)
+')
+
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
+########################################
+#
+# Clamscam local policy
+#
+
+allow clamscan_t self:capability { dac_override setgid setuid };
+allow clamscan_t self:fifo_file rw_fifo_file_perms;
+allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+allow clamscan_t self:unix_dgram_socket create_socket_perms;
+allow clamscan_t self:tcp_socket { accept listen };
+
+allow clamscan_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+
+manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
+
+allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
+
+allow clamscan_t clamd_var_run_t:dir list_dir_perms;
+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
+
+stream_connect_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t, clamd_t)
+
+kernel_dontaudit_list_proc(clamscan_t)
+kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
+
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+
+corenet_sendrecv_clamd_client_packets(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+
+corecmd_read_all_executables(clamscan_t)
+
+files_read_etc_files(clamscan_t)
+files_read_etc_runtime_files(clamscan_t)
+files_search_var_lib(clamscan_t)
+
+init_read_utmp(clamscan_t)
+init_dontaudit_write_utmp(clamscan_t)
+
+miscfiles_read_localization(clamscan_t)
+miscfiles_read_public_files(clamscan_t)
+
+sysnet_dns_name_resolve(clamscan_t)
+
+tunable_policy(`clamav_read_user_content_files_clamscan',`
+ userdom_read_user_home_content_files(clamscan_t)
+ userdom_dontaudit_read_user_home_content_files(clamscan_t)
+')
+
+tunable_policy(`clamav_read_all_non_security_files_clamscan',`
+ files_read_non_security_files(clamscan_t)
+ files_getattr_all_pipes(clamscan_t)
+ files_getattr_all_sockets(clamscan_t)
+')
+
+optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+')
+
+optional_policy(`
+ apache_read_sys_content(clamscan_t)
+')
+
+optional_policy(`
+ mta_send_mail(clamscan_t)
+ mta_read_queue(clamscan_t)
+')
+
+ifdef(`distro_gentoo',`
+ init_daemon_pid_file(clamd_var_run_t, dir, "clamav")
+')
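Review bot: `corenet_tcp_sendrecv_all_ports(clamd_t)` grants send/receive on every TCP port, which is wider than the bind/connect set declared just below it (the generic port and the clamd port); the port-specific `corenet_tcp_sendrecv_clamd_port(clamd_t)` already used for freshclam_t and clamscan_t in this file would cover the daemon's own socket, with a generic-port sendrecv added only if the configurable TCPSocket setting needs it. The `clamd_use_jit` tunable description speaks only of clamd, yet the same tunable also grants `execmem` to freshclam_t in the Freshclam section, so the description should name both domains. `corecmd_exec_shell(clamd_t)` carries no comment; presumably it is for the VirusEvent-style command hooks, and if so a one-line comment on the rule would save the next reader from wondering why an AV daemon needs a shell. The section header `# Clamscam local policy` is a typo for Clamscan.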
diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc
new file mode 100644
index 000000000..093366f16
--- /dev/null
+++ b/policy/modules/services/clockspeed.fc
@@ -0,0 +1,7 @@
+/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
new file mode 100644
index 000000000..2cb7bf7c3
--- /dev/null
+++ b/policy/modules/services/clockspeed.if
@@ -0,0 +1,48 @@
+## <summary>Clock speed measurement and manipulation.</summary>
+
+########################################
+## <summary>
+## Execute clockspeed utilities in
+## the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clockspeed_domtrans_cli',`
+ gen_require(`
+ type clockspeed_cli_t, clockspeed_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+')
+
+########################################
+## <summary>
+## Execute clockspeed utilities in the
+## clockspeed cli domain, and allow the
+## specified role the clockspeed cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clockspeed_run_cli',`
+ gen_require(`
+ attribute_role clockspeed_cli_roles;
+ ')
+
+ clockspeed_domtrans_cli($1)
+ roleattribute $2 clockspeed_cli_roles;
+')
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
new file mode 100644
index 000000000..6544d0069
--- /dev/null
+++ b/policy/modules/services/clockspeed.te
@@ -0,0 +1,77 @@
+policy_module(clockspeed, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role clockspeed_cli_roles;
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
+role clockspeed_cli_roles types clockspeed_cli_t;
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+userdom_use_user_terminals(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { net_bind_service sys_time };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_bind_generic_node(clockspeed_srv_t)
+
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+
+files_list_var_lib(clockspeed_srv_t)
+files_read_etc_files(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+')
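Review bot: `allow clockspeed_cli_t self:capability sys_time;` puts CAP_SYS_TIME into an application domain that any role added to `clockspeed_cli_roles` through `clockspeed_run_cli` can enter, so granting that role is effectively granting the ability to set the system clock, and nothing in the file says so. A comment on the rule would make the consequence visible to whoever assigns the role, e.g. `# clockadd/sntpclock set the system clock; every role in clockspeed_cli_roles gets this`. The same capability on `clockspeed_srv_t` is the expected daemon case and needs no note.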
diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc
new file mode 100644
index 000000000..6c5de73b9
--- /dev/null
+++ b/policy/modules/services/clogd.fc
@@ -0,0 +1,5 @@
+/usr/bin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
new file mode 100644
index 000000000..dce4cb19d
--- /dev/null
+++ b/policy/modules/services/clogd.if
@@ -0,0 +1,59 @@
+## <summary>Clustered Mirror Log Server.</summary>
+
+######################################
+## <summary>
+## Execute a domain transition to run clogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clogd_domtrans',`
+ gen_require(`
+ type clogd_t, clogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clogd_exec_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Read and write clogd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_semaphores',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write clogd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
+ type clogd_t, clogd_tmpfs_t;
+ ')
+
+ allow $1 clogd_t:shm rw_shm_perms;
+ allow $1 clogd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
new file mode 100644
index 000000000..3f0c47ff7
--- /dev/null
+++ b/policy/modules/services/clogd.te
@@ -0,0 +1,49 @@
+policy_module(clogd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type clogd_t;
+type clogd_exec_t;
+init_daemon_domain(clogd_t, clogd_exec_t)
+
+type clogd_tmpfs_t;
+files_tmpfs_file(clogd_tmpfs_t)
+
+type clogd_var_run_t;
+files_pid_file(clogd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow clogd_t self:capability { mknod net_admin };
+allow clogd_t self:process signal;
+allow clogd_t self:sem create_sem_perms;
+allow clogd_t self:shm create_shm_perms;
+allow clogd_t self:netlink_socket create_socket_perms;
+
+manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+
+manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+files_pid_filetrans(clogd_t, clogd_var_run_t, file)
+
+dev_manage_generic_blk_files(clogd_t)
+dev_read_lvm_control(clogd_t)
+
+storage_raw_read_fixed_disk(clogd_t)
+storage_raw_write_fixed_disk(clogd_t)
+
+logging_send_syslog_msg(clogd_t)
+
+miscfiles_read_localization(clogd_t)
+
+optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+')
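Review bot: The final `optional_policy` block combines `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)`, and an optional block is dropped as a whole when any type it requires is missing, so on a system that has only one of the aisexec and corosync modules loaded clogd loses the connect rule for the module that is present. Each module's interface belongs in its own `optional_policy` block, which is how cmirrord.te in this same series handles `corosync_stream_connect`.
```selinux
# … unchanged: tmpfs, pid, storage and logging rules …
optional_policy(`
	aisexec_stream_connect(clogd_t)
')

optional_policy(`
	corosync_stream_connect(clogd_t)
')
```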
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
new file mode 100644
index 000000000..c948aacf9
--- /dev/null
+++ b/policy/modules/services/cmirrord.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/bin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
new file mode 100644
index 000000000..0785068f5
--- /dev/null
+++ b/policy/modules/services/cmirrord.if
@@ -0,0 +1,113 @@
+## <summary>Cluster mirror log daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run cmirrord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+## <summary>
+## Execute cmirrord server in the
+## cmirrord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read cmirrord PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write cmirrord shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm rw_shm_perms;
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cmirrord environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+')
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644
index 000000000..612477472
--- /dev/null
+++ b/policy/modules/services/cmirrord.te
@@ -0,0 +1,57 @@
+policy_module(cmirrord, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cmirrord_t self:capability { kill net_admin };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { setfscreate signal };
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+storage_create_fixed_disk_dev(cmirrord_t)
+
+seutil_read_file_contexts(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
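Review bot: `storage_create_fixed_disk_dev(cmirrord_t)` together with `setfscreate` and `seutil_read_file_contexts` indicates that cmirrord creates and labels fixed-disk block device nodes itself, but `allow cmirrord_t self:capability { kill net_admin };` omits `mknod`, which the kernel requires for mknod(2) of a device node; clogd.te in this same series grants `mknod` for the equivalent role. If node creation really happens in cmirrord_t the rule should read `allow cmirrord_t self:capability { kill mknod net_admin };`, and if it is delegated to udev the `storage_create_fixed_disk_dev` call is dead weight — either way a comment stating which case applies would help. I cannot tell from the policy alone which it is, so this needs confirming against the daemon.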
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
new file mode 100644
index 000000000..973d208ff
--- /dev/null
+++ b/policy/modules/services/cobbler.fc
@@ -0,0 +1,22 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
new file mode 100644
index 000000000..6c6b57574
--- /dev/null
+++ b/policy/modules/services/cobbler.if
@@ -0,0 +1,180 @@
+## <summary>Cobbler installation server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cobblerd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+## <summary>
+## Execute cobblerd init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read cobbler configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## cobbler log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search cobbler lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read cobbler lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cobbler lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_manage_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cobbler environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cobbler_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+ type cobbler_tmp_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
+
+ init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, cobbler_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ apache_search_sys_content($1)
+ admin_pattern($1, cobbler_content_t)
+')
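Review bot: In `cobbler_admin`, `admin_pattern($1, cobbler_content_t)` duplicates `admin_pattern($1, cobbler_var_lib_t)` a few lines above, because cobbler.te declares `cobbler_content_t` only as an alias of `cobbler_var_lib_t`, and the unconditional `apache_search_sys_content($1)` makes this module's admin interface unusable whenever the apache module is absent, while cobbler.te itself wraps the same call in `optional_policy`. Drop `cobbler_content_t` from the `gen_require` and the duplicate `admin_pattern`, and either drop `apache_search_sys_content($1)` or keep it inside an `optional_policy` block so the interface carries the same dependency as the .te file.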
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
new file mode 100644
index 000000000..5e8425c1a
--- /dev/null
+++ b/policy/modules/services/cobbler.te
@@ -0,0 +1,204 @@
+policy_module(cobbler, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Cobbler can modify
+## public files used for public file
+## transfer services.
+## </p>
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether Cobbler can connect
+## to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(cobbler_can_network_connect, false)
+
+## <desc>
+## <p>
+## Determine whether Cobbler can access
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Cobbler can access
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_nfs, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t alias cobbler_content_t;
+files_type(cobbler_var_lib_t)
+
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability sys_tty_config;
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket { accept listen };
+
+allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
+allow cobblerd_t cobbler_etc_t:file read_file_perms;
+allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms;
+
+allow cobblerd_t cobbler_tmp_t:file mmap_exec_file_perms;
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_list_boot(cobblerd_t)
+files_list_tmp(cobblerd_t)
+files_read_boot_files(cobblerd_t)
+files_read_etc_files(cobblerd_t)
+files_read_etc_runtime_files(cobblerd_t)
+files_read_usr_files(cobblerd_t)
+
+fs_getattr_all_fs(cobblerd_t)
+fs_read_iso9660_files(cobblerd_t)
+
+selinux_get_enforce_mode(cobblerd_t)
+
+term_use_console(cobblerd_t)
+
+logging_send_syslog_msg(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_dns_name_resolve(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+tunable_policy(`cobbler_can_network_connect',`
+ corenet_sendrecv_all_client_packets(cobblerd_t)
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+ fs_manage_cifs_dirs(cobblerd_t)
+ fs_manage_cifs_files(cobblerd_t)
+ fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+ fs_manage_nfs_dirs(cobblerd_t)
+ fs_manage_nfs_files(cobblerd_t)
+ fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ certmaster_exec(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_manage_config_files(cobblerd_t)
+ rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
+')
+
+optional_policy(`
+ tftp_manage_config_files(cobblerd_t)
+ tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+')
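Review bot: `allow cobblerd_t cobbler_tmp_t:file mmap_exec_file_perms;` lets cobblerd map as executable files it can itself create and write (the `manage_files_pattern` on `cobbler_tmp_t` directly below it), which is the writable-then-executable pattern the rest of this policy avoids, and the rule carries no explanation. If it is genuinely needed, a comment on the rule naming the component that requires it is the minimum; if the need is not known, the rule is a candidate for removal, or for a `dontaudit` while denials are gathered, rather than an unconditional allow.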
diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
new file mode 100644
index 000000000..4e9b367e3
--- /dev/null
+++ b/policy/modules/services/collectd.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
+/usr/bin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+
+/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
new file mode 100644
index 000000000..a55db07b4
--- /dev/null
+++ b/policy/modules/services/collectd.if
@@ -0,0 +1,36 @@
+## <summary>Statistics collection daemon for filling RRD files.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an collectd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`collectd_admin',`
+ gen_require(`
+ type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, collectd_t)
+
+ init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, collectd_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
+')
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
index 000000000..5feefa30c
--- /dev/null
+++ b/policy/modules/services/collectd.te
@@ -0,0 +1,95 @@
+policy_module(collectd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether collectd can connect
+## to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(collectd_tcp_network_connect, false)
+
+type collectd_t;
+type collectd_exec_t;
+init_daemon_domain(collectd_t, collectd_exec_t)
+
+type collectd_initrc_exec_t;
+init_script_file(collectd_initrc_exec_t)
+
+type collectd_var_lib_t;
+files_type(collectd_var_lib_t)
+
+type collectd_var_run_t;
+files_pid_file(collectd_var_run_t)
+
+apache_content_template(collectd)
+
+########################################
+#
+# Local policy
+#
+
+allow collectd_t self:capability { ipc_lock net_raw sys_nice };
+allow collectd_t self:process { getsched setsched signal };
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
+allow collectd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+
+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
+
+domain_use_interactive_fds(collectd_t)
+
+kernel_read_kernel_sysctls(collectd_t)
+kernel_read_network_state(collectd_t)
+kernel_read_net_sysctls(collectd_t)
+kernel_read_system_state(collectd_t)
+
+dev_read_rand(collectd_t)
+dev_read_sysfs(collectd_t)
+dev_read_urand(collectd_t)
+
+files_getattr_all_dirs(collectd_t)
+files_read_etc_files(collectd_t)
+files_read_usr_files(collectd_t)
+
+fs_getattr_all_fs(collectd_t)
+
+init_read_utmp(collectd_t)
+
+miscfiles_read_localization(collectd_t)
+
+logging_send_syslog_msg(collectd_t)
+
+sysnet_dns_name_resolve(collectd_t)
+
+tunable_policy(`collectd_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(collectd_t)
+ corenet_tcp_connect_all_ports(collectd_t)
+ corenet_tcp_sendrecv_all_ports(collectd_t)
+')
+
+optional_policy(`
+ virt_read_config(collectd_t)
+')
+
+########################################
+#
+# Web local policy
+#
+
+optional_policy(`
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
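Review bot: The Web local policy block at the end of this hunk is wrapped in optional_policy(), but nothing inside it can actually be absent: httpd_collectd_script_t is declared by the unconditional `apache_content_template(collectd)` call in the Declarations section, and miscfiles_setattr_fonts_cache_dirs is a base interface. As written the module hard-requires apache while the rule block reads as if apache were optional. If apache is meant to be optional, the template call should move into an optional_policy block too; otherwise a comment above it such as `# collectd's collection3 CGI requires the apache module` would make the dependency explicit and the wrapper could be dropped.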
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644
index 000000000..71639eb54
--- /dev/null
+++ b/policy/modules/services/colord.fc
@@ -0,0 +1,11 @@
+/usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644
index 000000000..8e27a37c1
--- /dev/null
+++ b/policy/modules/services/colord.if
@@ -0,0 +1,60 @@
+## <summary>GNOME color manager.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run colord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_domtrans',`
+ gen_require(`
+ type colord_t, colord_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## colord over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_dbus_chat',`
+ gen_require(`
+ type colord_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Read colord lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_read_lib_files',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
index 000000000..d03335b7b
--- /dev/null
+++ b/policy/modules/services/colord.te
@@ -0,0 +1,145 @@
+policy_module(colord, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+type colord_tmpfs_t;
+files_tmpfs_file(colord_tmpfs_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow colord_t self:capability { dac_override dac_read_search };
+dontaudit colord_t self:capability sys_admin;
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:shm create_shm_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
+
+kernel_read_crypto_sysctls(colord_t)
+kernel_read_device_sysctls(colord_t)
+kernel_read_network_state(colord_t)
+kernel_read_system_state(colord_t)
+kernel_request_load_module(colord_t)
+
+corenet_all_recvfrom_netlabel(colord_t)
+corenet_all_recvfrom_unlabeled(colord_t)
+corenet_tcp_sendrecv_generic_if(colord_t)
+corenet_udp_sendrecv_generic_if(colord_t)
+corenet_tcp_sendrecv_generic_node(colord_t)
+corenet_udp_sendrecv_generic_node(colord_t)
+corenet_udp_bind_generic_node(colord_t)
+
+corenet_sendrecv_ipp_server_packets(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_udp_sendrecv_ipp_port(colord_t)
+
+corenet_sendrecv_ipp_client_packets(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+corenet_tcp_sendrecv_ipp_port(colord_t)
+
+corecmd_exec_bin(colord_t)
+corecmd_exec_shell(colord_t)
+
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_rw_printer(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_rw_generic_usb_dev(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_list_mnt(colord_t)
+files_read_usr_files(colord_t)
+files_map_usr_files(colord_t)
+
+fs_getattr_noxattr_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_list_noxattr_fs(colord_t)
+fs_read_noxattr_fs_files(colord_t)
+fs_search_all(colord_t)
+fs_dontaudit_getattr_all_fs(colord_t)
+
+storage_getattr_fixed_disk_dev(colord_t)
+storage_getattr_removable_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
+init_read_state(colord_t)
+
+auth_use_nsswitch(colord_t)
+
+logging_send_syslog_msg(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(colord_t)
+ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(colord_t)
+ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
+ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
+ cups_read_state(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+ udev_read_pid_files(colord_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_lib_files(colord_t)
+ xserver_use_xdm_fds(colord_t)
+')
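Review bot: `dev_read_raw_memory(colord_t)` and `dev_write_raw_memory(colord_t)` grant a color-management daemon read and write access to raw memory devices, and the hunk carries no comment saying which code path needs them. Together with storage_write_scsi_generic, dev_rw_generic_usb_dev and dev_rw_printer these are the most privileged rules in the module, so the justification belongs next to them, e.g. `# raw memory access: needed by <driver/device path — confirm>`. If the need cannot be confirmed, moving the two raw memory rules behind a dedicated tunable would limit exposure on systems that do not use that device path.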
diff --git a/policy/modules/services/comsat.fc b/policy/modules/services/comsat.fc
new file mode 100644
index 000000000..63e733638
--- /dev/null
+++ b/policy/modules/services/comsat.fc
@@ -0,0 +1,3 @@
+/usr/bin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
+
+/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/services/comsat.if b/policy/modules/services/comsat.if
new file mode 100644
index 000000000..afc4dfe7c
--- /dev/null
+++ b/policy/modules/services/comsat.if
@@ -0,0 +1 @@
+## <summary>Comsat, a biff server.</summary>
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
new file mode 100644
index 000000000..763235286
--- /dev/null
+++ b/policy/modules/services/comsat.te
@@ -0,0 +1,59 @@
+policy_module(comsat, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t, comsat_exec_t)
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setgid setuid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:fifo_file rw_fifo_file_perms;
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
+
+manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t)
+files_pid_filetrans(comsat_t, comsat_var_run_t, file)
+
+kernel_read_kernel_sysctls(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_list_usr(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+auth_use_nsswitch(comsat_t)
+
+init_read_utmp(comsat_t)
+init_dontaudit_write_utmp(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+mta_getattr_spool(comsat_t)
diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc
new file mode 100644
index 000000000..eed1e3414
--- /dev/null
+++ b/policy/modules/services/condor.fc
@@ -0,0 +1,31 @@
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
+
+/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+
+/usr/bin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+/usr/bin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+/usr/bin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/bin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+/usr/bin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/bin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/bin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+
+/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+
+/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
+
+/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
+
+/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
+
+/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0)
+
+/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0)
+
+/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0)
diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
new file mode 100644
index 000000000..b2af357a4
--- /dev/null
+++ b/policy/modules/services/condor.if
@@ -0,0 +1,88 @@
+## <summary>High-Throughput Computing System.</summary>
+
+#######################################
+## <summary>
+## The template to define a condor domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`condor_domain_template',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_master_t;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type condor_$1_t, condor_domain;
+ type condor_$1_exec_t;
+ domain_type(condor_$1_t)
+ domain_entry_file(condor_$1_t, condor_$1_exec_t)
+ role system_r types condor_$1_t;
+
+ #############################
+ #
+ # Policy
+ #
+
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+ allow condor_master_t condor_$1_exec_t:file ioctl;
+
+ auth_use_nsswitch(condor_$1_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an condor environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_initrc_exec_t, condor_log_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+ ')
+
+ allow $1 condor_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, condor_domain)
+
+ init_startstop_service($1, $2, condor_domain, condor_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, condor_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, condor_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, condor_var_lock_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, condor_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, condor_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
index 000000000..0d04d4cbc
--- /dev/null
+++ b/policy/modules/services/condor.te
@@ -0,0 +1,256 @@
+policy_module(condor, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Condor can connect
+## to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(condor_tcp_network_connect, false)
+
+attribute condor_domain;
+
+type condor_master_t, condor_domain;
+type condor_master_exec_t;
+init_daemon_domain(condor_master_t, condor_master_exec_t)
+
+type condor_master_tmp_t;
+files_tmp_file(condor_master_tmp_t)
+
+type condor_initrc_exec_t;
+init_script_file(condor_initrc_exec_t)
+
+type condor_schedd_tmp_t;
+files_tmp_file(condor_schedd_tmp_t)
+
+type condor_startd_tmp_t;
+files_tmp_file(condor_startd_tmp_t)
+
+type condor_startd_tmpfs_t;
+files_tmpfs_file(condor_startd_tmpfs_t)
+
+type condor_conf_t;
+files_config_file(condor_conf_t)
+
+type condor_log_t;
+logging_log_file(condor_log_t)
+
+type condor_var_lib_t;
+files_type(condor_var_lib_t)
+
+type condor_var_lock_t;
+files_lock_file(condor_var_lock_t)
+
+type condor_var_run_t;
+files_pid_file(condor_var_run_t)
+
+condor_domain_template(collector)
+condor_domain_template(negotiator)
+condor_domain_template(procd)
+condor_domain_template(schedd)
+condor_domain_template(startd)
+
+#####################################
+#
+# Global local policy
+#
+
+allow condor_domain self:process signal_perms;
+allow condor_domain self:fifo_file rw_fifo_file_perms;
+allow condor_domain self:tcp_socket { accept listen };
+allow condor_domain self:unix_stream_socket { accept listen };
+
+rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
+
+manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
+logging_log_filetrans(condor_domain, condor_log_t, { dir file })
+
+manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
+manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
+files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
+
+manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
+manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
+files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file })
+
+manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
+manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
+manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
+files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+
+allow condor_domain condor_master_t:process signull;
+allow condor_domain condor_master_t:tcp_socket getattr;
+
+kernel_read_kernel_sysctls(condor_domain)
+kernel_read_network_state(condor_domain)
+kernel_read_system_state(condor_domain)
+
+corecmd_exec_bin(condor_domain)
+corecmd_exec_shell(condor_domain)
+
+corenet_all_recvfrom_netlabel(condor_domain)
+corenet_all_recvfrom_unlabeled(condor_domain)
+corenet_tcp_sendrecv_generic_if(condor_domain)
+corenet_tcp_sendrecv_generic_node(condor_domain)
+
+corenet_sendrecv_condor_client_packets(condor_domain)
+corenet_tcp_connect_condor_port(condor_domain)
+corenet_tcp_sendrecv_condor_port(condor_domain)
+
+domain_use_interactive_fds(condor_domain)
+
+dev_read_rand(condor_domain)
+dev_read_sysfs(condor_domain)
+dev_read_urand(condor_domain)
+
+logging_send_syslog_msg(condor_domain)
+
+miscfiles_read_localization(condor_domain)
+
+sysnet_dns_name_resolve(condor_domain)
+
+tunable_policy(`condor_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(condor_domain)
+ corenet_tcp_connect_all_ports(condor_domain)
+ corenet_tcp_sendrecv_all_ports(condor_domain)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(condor_domain)
+')
+
+#####################################
+#
+# Master local policy
+#
+
+allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace };
+
+allow condor_master_t condor_domain:process { sigkill signal };
+
+manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
+corenet_udp_sendrecv_generic_if(condor_master_t)
+corenet_udp_sendrecv_generic_node(condor_master_t)
+corenet_tcp_bind_generic_node(condor_master_t)
+corenet_udp_bind_generic_node(condor_master_t)
+
+corenet_sendrecv_condor_server_packets(condor_master_t)
+corenet_tcp_bind_condor_port(condor_master_t)
+corenet_tcp_sendrecv_condor_port(condor_master_t)
+corenet_udp_bind_condor_port(condor_master_t)
+corenet_udp_sendrecv_condor_port(condor_master_t)
+
+corenet_sendrecv_amqp_client_packets(condor_master_t)
+corenet_tcp_connect_amqp_port(condor_master_t)
+corenet_tcp_sendrecv_amqp_port(condor_master_t)
+
+domain_read_all_domains_state(condor_master_t)
+
+auth_use_nsswitch(condor_master_t)
+
+optional_policy(`
+ mta_send_mail(condor_master_t)
+ mta_read_config(condor_master_t)
+')
+
+######################################
+#
+# Collector local policy
+#
+
+allow condor_collector_t self:capability { setgid setuid };
+
+allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
+allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+
+kernel_read_network_state(condor_collector_t)
+
+#####################################
+#
+# Negotiator local policy
+#
+
+allow condor_negotiator_t self:capability { setgid setuid };
+allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
+allow condor_negotiator_t condor_master_t:udp_socket getattr;
+
+######################################
+#
+# Procd local policy
+#
+
+allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace };
+
+allow condor_procd_t condor_domain:process sigkill;
+
+domain_read_all_domains_state(condor_procd_t)
+
+#######################################
+#
+# Schedd local policy
+#
+
+allow condor_schedd_t self:capability { chown dac_override setgid setuid };
+
+allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
+allow condor_schedd_t condor_master_t:udp_socket getattr;
+
+allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+
+domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
+domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
+
+manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+
+#####################################
+#
+# Startd local policy
+#
+
+allow condor_startd_t self:capability { dac_override net_admin setgid setuid };
+allow condor_startd_t self:process execmem;
+
+manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
+manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
+relabel_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
+files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
+
+manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
+manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
+fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
+
+can_exec(condor_startd_t, condor_startd_exec_t)
+
+domain_read_all_domains_state(condor_startd_t)
+
+mcs_process_set_categories(condor_startd_t)
+
+init_domtrans_script(condor_startd_t)
+
+libs_exec_lib_files(condor_startd_t)
+
+files_read_usr_files(condor_startd_t)
+
+optional_policy(`
+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
+ ssh_domtrans(condor_startd_t)
+
+ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
+ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
+
+ optional_policy(`
+ kerberos_use(condor_startd_ssh_t)
+ ')
+')
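Review bot: `allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;` in the Schedd section applies a file-class permission set to a dir object and is already subsumed by `manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)` in the global section, since condor_schedd_t carries the condor_domain attribute via condor_domain_template. manage_file_perms on a dir lacks search, add_name, remove_name and rmdir, so the line adds nothing the global rule does not already grant; it can be removed, or if a narrower per-domain rule was intended it would use `manage_dir_perms`. Separately, `allow condor_startd_t self:process execmem;` deserves a one-line comment naming the component that needs writable-executable memory, as it weakens the W^X guarantee for that domain.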
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
new file mode 100644
index 000000000..d4623586e
--- /dev/null
+++ b/policy/modules/services/consolekit.fc
@@ -0,0 +1,11 @@
+/usr/bin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
+
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+
+/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
new file mode 100644
index 000000000..e5cc8434b
--- /dev/null
+++ b/policy/modules/services/consolekit.if
@@ -0,0 +1,123 @@
+## <summary>Framework for facilitating multiple user sessions on desktops.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consolekit_exec_t, consolekit_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Use consolekit inhibit locks.
+##
+## The program gets passed an FD to a fifo_file to hold.
+## When the application is done with the lock, it closes the FD.
+## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+ gen_require(`
+ type consolekit_t, consolekit_var_run_t;
+ ')
+
+ allow $1 consolekit_t:fd use;
+ allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
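Review bot: consolekit_manage_log grants manage_files_pattern on consolekit_log_t but then calls `files_search_pids($1)`, which gives search on the pid directory rather than the log directory; the .fc in this commit labels /var/log/ConsoleKit as consolekit_log_t and the sibling consolekit_read_log correctly uses logging_search_logs. A caller relying on this interface alone would be unable to traverse /var/log to reach the files. Replace the line with `logging_search_logs($1)` to match consolekit_read_log.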
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
new file mode 100644
index 000000000..0a10396ad
--- /dev/null
+++ b/policy/modules/services/consolekit.te
@@ -0,0 +1,176 @@
+policy_module(consolekit, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+type consolekit_log_t;
+logging_log_file(consolekit_log_t)
+
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
+type consolekit_unit_t;
+init_unit_file(consolekit_unit_t)
+
+type consolekit_var_run_t;
+files_pid_file(consolekit_var_run_t)
+init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
+
+########################################
+#
+# Local policy
+#
+
+allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:process { getsched signal setfscreate };
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket { accept listen };
+
+create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
+
+kernel_read_system_state(consolekit_t)
+
+corenet_all_recvfrom_unlabeled(consolekit_t)
+corenet_all_recvfrom_netlabel(consolekit_t)
+corenet_tcp_sendrecv_generic_if(consolekit_t)
+corenet_tcp_sendrecv_generic_node(consolekit_t)
+
+corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
+
+dev_read_urand(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+files_read_usr_files(consolekit_t)
+files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
+
+fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)
+
+mcs_ptrace_all(consolekit_t)
+
+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
+term_use_all_terms(consolekit_t)
+
+auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
+auth_write_login_records(consolekit_t)
+auth_create_pam_console_data_dirs(consolekit_t)
+auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_manage_user_runtime_dirs(consolekit_t)
+userdom_mounton_user_runtime_dirs(consolekit_t)
+userdom_relabelto_user_runtime_dirs(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
+userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(consolekit_t)
+')
+
+optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
+ dbus_read_lib_files(consolekit_t)
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(consolekit_t)
+ ')
+')
+
+optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
+ networkmanager_append_log_files(consolekit_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+ policykit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(consolekit_t)
+')
+
+optional_policy(`
+ corenet_sendrecv_xserver_client_packets(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
+ corenet_tcp_sendrecv_xserver_port(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
+ udev_signal(consolekit_t)
+')
+
+optional_policy(`
+ unconfined_stream_connect(consolekit_t)
+')
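Review bot: The self:capability set on the first rule of the local policy — sys_admin and sys_ptrace in particular — together with mcs_ptrace_all and files_purge_tmp is granted without any comment naming the operation that needs it, so the widest privileges in this module are the least explained. The combination also reads oddly: domain_dontaudit_ptrace_all_domains says ptrace of other domains is expected to be denied quietly, yet mcs_ptrace_all is granted as though it were in use; if sys_ptrace is there for reading other sessions' /proc state (domain_read_all_domains_state), that is worth saying. Suggest a comment above the capability line along the lines of `# sys_ptrace: read other sessions' process state; sys_admin: TODO document which operation requires it`, and a one-line why-comment above mcs_ptrace_all and files_purge_tmp.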
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
new file mode 100644
index 000000000..3671df610
--- /dev/null
+++ b/policy/modules/services/corosync.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/bin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/bin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
new file mode 100644
index 000000000..2b2d11af9
--- /dev/null
+++ b/policy/modules/services/corosync.if
@@ -0,0 +1,161 @@
+## <summary>Corosync Cluster Engine.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+########################################
+## <summary>
+## Execute corosync init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`corosync_initrc_domtrans',`
+ gen_require(`
+ type corosync_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+')
+
+######################################
+## <summary>
+## Execute corosync in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_exec',`
+ gen_require(`
+ type corosync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, corosync_exec_t)
+')
+
+#######################################
+## <summary>
+## Read corosync log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+## <summary>
+## Connect to corosync over a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+## <summary>
+## Read and write corosync tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an corosync environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosync_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_startstop_service($1, $2, corosync_t, corosync_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+')
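Review bot: The summary of corosync_admin reads `administrate an corosync environment`; it should be `administrate a corosync environment`, and the same slip appears in couchdb_admin's summary in couchdb.if (`an couchdb environment`). A secondary point of style: the `####` separator lines above corosync_exec, corosync_read_log, corosync_stream_connect, corosync_rw_tmpfs and corosync_admin are shorter than the 40-character rule used above corosync_domtrans and corosync_initrc_domtrans; the rest of the file is uniform, so these are worth evening out while the file is being moved.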
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
new file mode 100644
index 000000000..6f8d20c68
--- /dev/null
+++ b/policy/modules/services/corosync.te
@@ -0,0 +1,148 @@
+policy_module(corosync, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+domain_obj_id_change_exemption(corosync_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t)
+
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource };
+# for hearbeat
+allow corosync_t self:capability { chown net_raw };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:shm create_shm_perms;
+allow corosync_t self:unix_dgram_socket sendto;
+allow corosync_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { dir file })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { dir fifo_file file sock_file })
+
+create_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+append_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+setattr_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, file)
+
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
+
+can_exec(corosync_t, corosync_exec_t)
+
+kernel_read_all_sysctls(corosync_t)
+kernel_read_network_state(corosync_t)
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
+
+corenet_all_recvfrom_unlabeled(corosync_t)
+corenet_all_recvfrom_netlabel(corosync_t)
+corenet_udp_sendrecv_generic_if(corosync_t)
+corenet_udp_sendrecv_generic_node(corosync_t)
+corenet_udp_bind_generic_node(corosync_t)
+
+corenet_sendrecv_netsupport_server_packets(corosync_t)
+corenet_udp_bind_netsupport_port(corosync_t)
+corenet_udp_sendrecv_netsupport_port(corosync_t)
+
+dev_read_sysfs(corosync_t)
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_domtrans_script(corosync_t)
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_read_user_tmp_files(corosync_t)
+userdom_manage_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+ cmirrord_rw_shm(corosync_t)
+')
+
+optional_policy(`
+ consoletype_exec(corosync_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(corosync_t)
+')
+
+optional_policy(`
+ drbd_domtrans(corosync_t)
+')
+
+optional_policy(`
+ qpidd_rw_shm(corosync_t)
+')
+
+optional_policy(`
+ rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(corosync_t)
+') \ No newline at end of file
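Review bot: The comment `# for hearbeat` above the second self:capability rule has a typo (`heartbeat`) and is the only justification given for net_raw, a raw-socket capability that deserves a sentence naming the heartbeat code path that opens raw sockets; if the split into two self:capability lines is not deliberate, they could also be merged into one set. Formatting: `corosync_var_lib_t,corosync_var_lib_t` and `corosync_t,corosync_var_lib_t` in the var_lib block, and `corosync_var_run_t,corosync_var_run_t` in the pid block, lack the space after the comma used everywhere else, and the file ends without a trailing newline (`\ No newline at end of file`).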
diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc
new file mode 100644
index 000000000..620bb5c92
--- /dev/null
+++ b/policy/modules/services/couchdb.fc
@@ -0,0 +1,9 @@
+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
+
+/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/couchdb/bin/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
+
+/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
+/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
+/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
new file mode 100644
index 000000000..830c271f3
--- /dev/null
+++ b/policy/modules/services/couchdb.if
@@ -0,0 +1,122 @@
+## <summary>Document database server.</summary>
+
+########################################
+## <summary>
+## Read couchdb log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_read_log_files',`
+ gen_require(`
+ type couchdb_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+')
+
+########################################
+## <summary>
+## Read, write, and create couchdb lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read couchdb config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_read_conf_files',`
+ gen_require(`
+ type couchdb_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+')
+
+########################################
+## <summary>
+## Read couchdb pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`couchdb_read_pid_files',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an couchdb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`couchdb_admin',`
+ gen_require(`
+ type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
+ type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
+ type couchdb_tmp_t;
+ ')
+
+ allow $1 couchdb_t:process { ptrace signal_perms };
+ ps_process_pattern($1, couchdb_t)
+
+ init_startstop_service($1, $2, couchdb_t, couchdb_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, couchdb_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, couchdb_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, couchdb_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, couchdb_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, couchdb_var_run_t)
+')
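Review bot: couchdb_manage_lib_files is named and documented as `Read, write, and create couchdb lib files`, but its body grants only `read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)`, so a caller gets read access while the interface promises manage. Either the body should be `manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)`, if callers genuinely need write and create, or the interface should be renamed `couchdb_read_lib_files` with a matching summary. The first keeps existing callers compiling but widens their access, so it should be decided against who actually calls it.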
diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
new file mode 100644
index 000000000..dbb4cf9ae
--- /dev/null
+++ b/policy/modules/services/couchdb.te
@@ -0,0 +1,113 @@
+policy_module(couchdb, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type couchdb_t;
+type couchdb_exec_t;
+init_daemon_domain(couchdb_t, couchdb_exec_t)
+
+type couchdb_js_t;
+type couchdb_js_exec_t;
+init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)
+
+type couchdb_initrc_exec_t;
+init_script_file(couchdb_initrc_exec_t)
+
+type couchdb_conf_t;
+files_config_file(couchdb_conf_t)
+
+type couchdb_log_t;
+logging_log_file(couchdb_log_t)
+
+type couchdb_tmp_t;
+files_tmp_file(couchdb_tmp_t)
+
+type couchdb_var_lib_t;
+files_type(couchdb_var_lib_t)
+
+type couchdb_var_run_t;
+files_pid_file(couchdb_var_run_t)
+init_daemon_pid_file(couchdb_var_run_t, dir, "couchdb")
+
+########################################
+#
+# couchdb policy
+#
+
+allow couchdb_t self:process { getsched setsched signal signull sigkill };
+allow couchdb_t self:fifo_file rw_fifo_file_perms;
+allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
+allow couchdb_t self:tcp_socket { accept listen };
+
+allow couchdb_t couchdb_conf_t:dir list_dir_perms;
+allow couchdb_t couchdb_conf_t:file read_file_perms;
+
+can_exec(couchdb_t, couchdb_exec_t)
+
+domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
+
+manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+create_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+setattr_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+logging_log_filetrans(couchdb_t, couchdb_log_t, dir)
+
+manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
+manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
+files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
+
+manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
+manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
+files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+
+manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
+
+kernel_read_system_state(couchdb_t)
+
+corecmd_exec_bin(couchdb_t)
+corecmd_exec_shell(couchdb_t)
+
+corenet_all_recvfrom_unlabeled(couchdb_t)
+corenet_all_recvfrom_netlabel(couchdb_t)
+corenet_tcp_sendrecv_generic_if(couchdb_t)
+corenet_tcp_sendrecv_generic_node(couchdb_t)
+corenet_tcp_bind_generic_node(couchdb_t)
+corenet_udp_bind_generic_node(couchdb_t)
+
+corenet_sendrecv_couchdb_server_packets(couchdb_t)
+corenet_tcp_bind_couchdb_port(couchdb_t)
+corenet_tcp_sendrecv_couchdb_port(couchdb_t)
+
+dev_list_sysfs(couchdb_t)
+dev_read_sysfs(couchdb_t)
+dev_read_urand(couchdb_t)
+
+files_read_usr_files(couchdb_t)
+
+# disksup tries to monitor the local disks
+fs_getattr_xattr_fs(couchdb_t)
+fs_dontaudit_getattr_all_fs(couchdb_t)
+files_dontaudit_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+files_dontaudit_search_all_mountpoints(couchdb_t)
+
+auth_use_nsswitch(couchdb_t)
+
+miscfiles_read_localization(couchdb_t)
+
+########################################
+#
+# couchdb_js policy
+#
+
+# this is a complete policy. It processes the javascript
+# ouside the main process, passing data via FIFO.
+allow couchdb_js_t self:process { execmem getsched setsched };
+
+files_read_usr_files(couchdb_js_t)
+miscfiles_read_localization(couchdb_js_t)
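Review bot: The execmem grant to couchdb_js_t in the couchdb_js block is the most security-relevant permission in this module — it permits writable-and-executable anonymous memory — and the block comment above it does not mention it; presumably the couchjs JavaScript engine's JIT needs it, but that should be stated and confirmed. The same comment has a typo, `ouside` → `outside`, and `this is a complete policy` reads oddly for a two-rule domain — if `intentionally minimal` was meant, say so. Suggested replacement: `# couchjs runs the JavaScript outside the main process, passing data via FIFO; execmem is presumably required by the JS engine's JIT (TODO confirm).`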
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
new file mode 100644
index 000000000..c28b22092
--- /dev/null
+++ b/policy/modules/services/courier.fc
@@ -0,0 +1,39 @@
+/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+
+/usr/bin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/bin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+
+/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+
+
+/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
new file mode 100644
index 000000000..db4d192be
--- /dev/null
+++ b/policy/modules/services/courier.if
@@ -0,0 +1,190 @@
+## <summary>Courier IMAP and POP3 email servers.</summary>
+
+#######################################
+## <summary>
+## The template to define a courier domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`courier_domain_template',`
+ gen_require(`
+ attribute courier_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type courier_$1_t, courier_domain;
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the courier authentication
+## daemon with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_authdaemon',`
+ gen_require(`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+')
+
+#######################################
+## <summary>
+## Connect to courier-authdaemon over
+## a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_stream_connect_authdaemon',`
+ gen_require(`
+ type courier_authdaemon_t, courier_var_run_t;
+ ')
+
+ files_search_spool($1)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
+')
+
+########################################
+## <summary>
+## Execute the courier POP3 and IMAP
+## server with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_pop',`
+ gen_require(`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+')
+
+########################################
+## <summary>
+## Read courier config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_config',`
+ gen_require(`
+ type courier_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read courier spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write courier spool pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_rw_spool_pipes',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ files_search_var($1)
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
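Review bot: courier_stream_connect_authdaemon grants `files_search_spool($1)` but the socket it connects to is labeled courier_var_run_t, which courier.fc in this same commit places under /run/courier, so the search it needs is `files_search_pids($1)`; as written a caller may be denied search on the pid directory before it reaches the socket (inferred from the fc entries — confirm against the real socket path). Relatedly, courier_manage_spool_dirs, courier_manage_spool_files, courier_read_spool and courier_rw_spool_pipes use `files_search_var($1)` for content under /var/spool, where `files_search_spool($1)` is the conventional interface and also covers the var_t step.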
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
new file mode 100644
index 000000000..1d873ae45
--- /dev/null
+++ b/policy/modules/services/courier.te
@@ -0,0 +1,215 @@
+policy_module(courier, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute courier_domain;
+
+courier_domain_template(authdaemon)
+courier_domain_template(pcp)
+courier_domain_template(pop)
+courier_domain_template(tcpd)
+courier_domain_template(sqwebmail)
+typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+
+type courier_etc_t;
+files_config_file(courier_etc_t)
+
+type courier_spool_t;
+files_type(courier_spool_t)
+
+type courier_var_lib_t;
+files_type(courier_var_lib_t)
+
+type courier_var_run_t;
+files_pid_file(courier_var_run_t)
+
+type courier_exec_t;
+mta_agent_executable(courier_exec_t)
+
+########################################
+#
+# Common local policy
+#
+
+allow courier_domain self:capability dac_override;
+dontaudit courier_domain self:capability sys_tty_config;
+allow courier_domain self:process { setpgid signal_perms };
+allow courier_domain self:fifo_file rw_fifo_file_perms;
+allow courier_domain self:tcp_socket create_stream_socket_perms;
+allow courier_domain self:udp_socket create_socket_perms;
+
+read_files_pattern(courier_domain, courier_etc_t, courier_etc_t)
+allow courier_domain courier_etc_t:dir list_dir_perms;
+
+manage_dirs_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+manage_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+manage_lnk_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+files_pid_filetrans(courier_domain, courier_var_run_t, dir)
+
+kernel_read_kernel_sysctls(courier_domain)
+kernel_read_system_state(courier_domain)
+
+corecmd_exec_bin(courier_domain)
+
+dev_read_sysfs(courier_domain)
+
+domain_use_interactive_fds(courier_domain)
+
+files_read_etc_files(courier_domain)
+files_read_etc_runtime_files(courier_domain)
+files_read_usr_files(courier_domain)
+
+fs_getattr_xattr_fs(courier_domain)
+fs_search_auto_mountpoints(courier_domain)
+
+logging_send_syslog_msg(courier_domain)
+
+sysnet_read_config(courier_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(courier_domain)
+
+optional_policy(`
+ seutil_sigchld_newrole(courier_domain)
+')
+
+optional_policy(`
+ udev_read_db(courier_domain)
+')
+
+########################################
+#
+# Authdaemon local policy
+#
+
+allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config };
+allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
+
+create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
+
+can_exec(courier_authdaemon_t, courier_exec_t)
+
+corecmd_exec_shell(courier_authdaemon_t)
+
+domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
+
+dev_read_urand(courier_authdaemon_t)
+
+files_getattr_tmp_dirs(courier_authdaemon_t)
+files_search_spool(courier_authdaemon_t)
+
+auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+libs_read_lib_files(courier_authdaemon_t)
+
+miscfiles_read_localization(courier_authdaemon_t)
+
+selinux_getattr_fs(courier_authdaemon_t)
+
+userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
+
+########################################
+#
+# Calendar (PCP) local policy
+#
+
+allow courier_pcp_t self:capability { setgid setuid };
+
+dev_read_rand(courier_pcp_t)
+
+########################################
+#
+# POP3/IMAP local policy
+#
+
+allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
+
+domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+
+corecmd_exec_shell(courier_pop_t)
+
+miscfiles_read_localization(courier_pop_t)
+
+mta_manage_mail_home_rw_content(courier_pop_t)
+
+########################################
+#
+# TCPd local policy
+#
+
+allow courier_tcpd_t self:capability kill;
+
+manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+files_search_var_lib(courier_tcpd_t)
+
+can_exec(courier_tcpd_t, courier_exec_t)
+
+domtrans_pattern(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
+
+corenet_all_recvfrom_unlabeled(courier_tcpd_t)
+corenet_all_recvfrom_netlabel(courier_tcpd_t)
+corenet_tcp_sendrecv_generic_if(courier_tcpd_t)
+corenet_tcp_sendrecv_generic_node(courier_tcpd_t)
+corenet_tcp_bind_generic_node(courier_tcpd_t)
+
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
+
+dev_read_rand(courier_tcpd_t)
+dev_read_urand(courier_tcpd_t)
+
+miscfiles_read_localization(courier_tcpd_t)
+
+########################################
+#
+# Webmail local policy
+#
+
+kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
+dev_read_urand(courier_sqwebmail_t)
+
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
+
+ifdef(`distro_gentoo',`
+ ########################################
+ #
+ # Courier tcpd daemon policy
+ #
+
+ # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock (bug 534030)
+ files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
+ ########################################
+ #
+ # Courier authdaemon policy
+ #
+
+ # Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
+ # Handled through pam use
+ auth_use_pam(courier_authdaemon_t)
+')
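Review bot: `allow courier_pop_t courier_var_lib_t:file { read write }` in the POP3/IMAP block grants raw read/write without open or getattr, so an open(2) of a courier_var_lib_t file from courier_pop_t would still be denied on the open permission; the refpolicy idiom is `rw_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)`, or `rw_inherited_file_perms` if only inherited descriptors are meant, which states that intent explicitly. In the distro_gentoo block, the comment `Grant authdaemon getattr rights on security_t ...` describes a rule that is no longer present — the block now calls `auth_use_pam(courier_authdaemon_t)` — so that first comment line should be dropped or rewritten to match the rule below it.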
diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc
new file mode 100644
index 000000000..d01f23501
--- /dev/null
+++ b/policy/modules/services/cpucontrol.fc
@@ -0,0 +1,13 @@
+/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+
+/usr/bin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/bin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/policy/modules/services/cpucontrol.if b/policy/modules/services/cpucontrol.if
new file mode 100644
index 000000000..ff6310d4e
--- /dev/null
+++ b/policy/modules/services/cpucontrol.if
@@ -0,0 +1,17 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+## CPUcontrol stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpucontrol_stub',`
+ gen_require(`
+ type cpucontrol_t;
+ ')
+')
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
new file mode 100644
index 000000000..aee03750c
--- /dev/null
+++ b/policy/modules/services/cpucontrol.te
@@ -0,0 +1,104 @@
+policy_module(cpucontrol, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute cpucontrol_domain;
+
+type cpucontrol_t, cpucontrol_domain;
+type cpucontrol_exec_t;
+init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_config_file(cpucontrol_conf_t)
+
+type cpuspeed_t, cpucontrol_domain;
+type cpuspeed_exec_t;
+init_system_domain(cpuspeed_t, cpuspeed_exec_t)
+
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
+########################################
+#
+# Common local policy
+#
+
+dontaudit cpucontrol_domain self:capability sys_tty_config;
+allow cpucontrol_domain self:process signal_perms;
+
+kernel_read_kernel_sysctls(cpucontrol_domain)
+
+domain_use_interactive_fds(cpucontrol_domain)
+
+files_list_usr(cpucontrol_domain)
+
+fs_search_auto_mountpoints(cpucontrol_domain)
+
+term_dontaudit_use_console(cpucontrol_domain)
+
+init_use_fds(cpucontrol_domain)
+init_use_script_ptys(cpucontrol_domain)
+
+logging_send_syslog_msg(cpucontrol_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
+
+optional_policy(`
+ nscd_use(cpucontrol_domain)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpucontrol_domain)
+')
+
+optional_policy(`
+ udev_read_db(cpucontrol_domain)
+')
+
+########################################
+#
+# Loader local policy
+#
+
+allow cpucontrol_t self:capability { ipc_lock sys_rawio };
+
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+')
+
+########################################
+#
+# Scaling local policy
+#
+
+allow cpuspeed_t self:process setsched;
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file)
+
+kernel_read_system_state(cpuspeed_t)
+
+# This doesnt make sense
+dev_write_sysfs_dirs(cpuspeed_t)
+dev_rw_sysfs(cpuspeed_t)
+
+domain_read_all_domains_state(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
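Review bot: The comment `# This doesnt make sense` in the scaling section records that `dev_write_sysfs_dirs(cpuspeed_t)` and `dev_rw_sysfs(cpuspeed_t)` could not be justified, yet both write grants on sysfs are kept, and a reader cannot even tell which of the two lines the doubt applies to. A grant that its own author marks as unexplained tends to outlive every later review, so the rationale should either be written down or the rule removed. Writing cpufreq attributes is presumably what `dev_rw_sysfs` is for; it is the directory write that looks unmotivated. I would replace the comment with `# TODO: cpuspeed writes cpufreq attributes under sysfs (dev_rw_sysfs); confirm whether write access to sysfs directories is really needed and name the path, otherwise drop dev_write_sysfs_dirs`.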
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
new file mode 100644
index 000000000..ea6a0da8a
--- /dev/null
+++ b/policy/modules/services/cron.fc
@@ -0,0 +1,75 @@
+/etc/rc\.d/init\.d/anacron -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/usr/bin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+#/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+/usr/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs/.* -- <<none>>
+#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
+/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs/[^/]* -- <<none>>
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+')
+
+ifdef(`distro_suse',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+# Fix bug 526532 - Workaround so that munin crontab gets a system_u label assigned
+/var/spool/cron/crontabs/munin -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+')
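Review bot: The catch-all `/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)` matches any regular file at any depth under /run whose path merely contains "cron", which is far broader than the explicit pid, reboot and fifo entries above it and would label unrelated daemons' runtime files if their path happens to contain that substring. If a fallback is wanted it should at least be restricted to the top level, e.g. `/run/[^/]*cron[^/]* -- gen_context(system_u:object_r:crond_var_run_t,s0)`, or better replaced by the specific names that are missing. Separately, the two `ifdef(`distro_gentoo',` blocks (the lastrun entries and the munin crontab workaround) could be merged into one so the distro-specific labels are found in a single place.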
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
new file mode 100644
index 000000000..7bb6065b2
--- /dev/null
+++ b/policy/modules/services/cron.if
@@ -0,0 +1,965 @@
+## <summary>Periodic execution of scheduled commands.</summary>
+
+#######################################
+## <summary>
+## The template to define a crontab domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`cron_common_crontab_template',`
+ gen_require(`
+ attribute crontab_domain;
+ type crontab_exec_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, crontab_domain;
+ userdom_user_application_domain($1_t, crontab_exec_t)
+
+ type $1_tmp_t;
+ userdom_user_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_t)
+ auth_use_nsswitch($1_t)
+')
+
+########################################
+## <summary>
+## Role access for cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
+ bool cron_userdomain_transition;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { cronjob_t crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, crontab_t)
+
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ ')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for unconfined cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { unconfined_cronjob_t crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, crontab_t)
+
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, unconfined_cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for admin cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cron_admin_role',`
+ gen_require(`
+ type cronjob_t, crontab_exec_t, admin_crontab_t;
+ class passwd crontab;
+ type crond_t, crond_var_run_t, user_cron_spool_t;
+ bool cron_userdomain_transition, fcron_crond;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { cronjob_t admin_crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, admin_crontab_t)
+
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ ')
+
+ tunable_policy(`fcron_crond',`
+ # Support for fcrondyn
+ stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified program domain
+## accessable from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+ ')
+
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
+')
+
+########################################
+## <summary>
+## Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Execute crond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Use crond file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_fds',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to crond.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_sigchld',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ create_files_pattern($1, cron_log_t, cron_log_t)
+')
+
+########################################
+## <summary>
+## Write to cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write and delete
+## cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write crond unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write crond TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Search cron spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_search_spool',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 cron_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## crond pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute anacron in the cron
+## system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_anacron_domtrans_system_job',`
+ gen_require(`
+ type system_cronjob_t, anacron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Use system cron job file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_system_job_fds',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fd use;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the system spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type system_cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read system cron job lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system cron job lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Write system cron job unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write system cron job
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write inherited system cron
+## job unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append temporary
+## system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to inherited system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write temporary
+## system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Execute crontab in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a cron environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+ gen_require(`
+ type crond_t, cronjob_t, crond_initrc_exec_t;
+ type cron_var_lib_t, system_cronjob_var_lib_t;
+ type crond_tmp_t, admin_crontab_tmp_t;
+ type crontab_tmp_t, system_cronjob_tmp_t;
+ type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+ type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+ attribute cron_spool_type;
+ ')
+
+ allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { crond_t cronjob_t })
+
+ init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+ admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+ files_search_locks($1)
+ admin_pattern($1, system_cronjob_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+ files_search_spool($1)
+ admin_pattern($1, cron_spool_type)
+')
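Review bot: `cron_write_system_job_pipes` grants `allow $1 system_cronjob_t:file write;` although its summary promises write access to unnamed pipes; the sibling `cron_rw_system_job_pipes` and `cron_dontaudit_write_pipes` use the `fifo_file` class, so this interface hands out write on the domain's files instead of its pipes and never satisfies the access it is named for. The line should read `allow $1 system_cronjob_t:fifo_file write;`. In `cron_admin_role` the optional dbus block calls `dbus_stub(admin_cronjob_t)` with a type that is neither in that interface's gen_require nor declared in cron.te, while the allow rule beneath it uses cronjob_t; since `cron_role` uses `dbus_stub(cronjob_t)`, this looks like a leftover and should be `dbus_stub(cronjob_t)`. Finally, the closing `')` of the tunable_policy block in `cron_unconfined_role` sits at column 0 unlike its counterparts in the other role interfaces, which makes the block boundaries harder to follow.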
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
new file mode 100644
index 000000000..49a14a6a4
--- /dev/null
+++ b/policy/modules/services/cron.te
@@ -0,0 +1,768 @@
+policy_module(cron, 2.13.2)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether system cron jobs
+## can relabel filesystem for
+## restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel, false)
+
+## <desc>
+## <p>
+## Determine whether crond can execute jobs
+## in the user domain as opposed to the
+## the generic cronjob domain.
+## </p>
+## </desc>
+gen_tunable(cron_userdomain_transition, false)
+
+## <desc>
+## <p>
+## Determine whether extra rules
+## should be enabled to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond, false)
+
+attribute cron_spool_type;
+attribute crontab_domain;
+
+type anacron_exec_t;
+application_executable_file(anacron_exec_t)
+
+type cron_spool_t;
+files_type(cron_spool_t)
+
+type cron_var_lib_t;
+files_type(cron_var_lib_t)
+
+type cron_var_run_t;
+files_pid_file(cron_var_run_t)
+
+type cron_log_t;
+logging_log_file(cron_log_t)
+
+type cronjob_t;
+typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
+typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
+
+type crond_t;
+type crond_exec_t;
+init_daemon_domain(crond_t, crond_exec_t)
+domain_interactive_fd(crond_t)
+domain_cron_exemption_source(crond_t)
+
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
+type crond_tmp_t;
+files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+
+type crond_unit_t;
+init_unit_file(crond_unit_t)
+
+type crond_var_run_t;
+files_pid_file(crond_var_run_t)
+
+type crontab_exec_t;
+application_executable_file(crontab_exec_t)
+
+cron_common_crontab_template(admin_crontab)
+typealias admin_crontab_t alias sysadm_crontab_t;
+typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
+
+cron_common_crontab_template(crontab)
+typealias crontab_t alias { user_crontab_t staff_crontab_t };
+typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+
+type system_cron_spool_t, cron_spool_type;
+files_type(system_cron_spool_t)
+
+type system_cronjob_t alias system_crond_t;
+init_daemon_domain(system_cronjob_t, anacron_exec_t)
+corecmd_shell_entry_type(system_cronjob_t)
+domain_entry_file(system_cronjob_t, system_cron_spool_t)
+
+type system_cronjob_lock_t alias system_crond_lock_t;
+files_lock_file(system_cronjob_lock_t)
+
+type system_cronjob_tmp_t alias system_crond_tmp_t;
+files_tmp_file(system_cronjob_tmp_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
+type user_cron_spool_t, cron_spool_type;
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
+
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ mta_system_content(cron_spool_t)
+ mta_system_content(crond_tmp_t)
+ mta_system_content(crond_var_run_t)
+ mta_system_content(system_cron_spool_t)
+ mta_system_content(user_cron_spool_t)
+ mta_system_content(user_cron_spool_log_t)
+')
+
+ifdef(`distro_gentoo',`
+ # Logging for atd jobs
+ domain_interactive_fd(cronjob_t)
+ domain_interactive_fd(system_cronjob_t)
+
+ logging_syslog_managed_log_file(cron_log_t, "cron.log")
+')
+
+##############################
+#
+# Common crontab local policy
+#
+
+allow crontab_domain self:capability { chown dac_override fowner setgid setuid };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+kernel_read_system_state(crontab_domain)
+
+selinux_dontaudit_search_fs(crontab_domain)
+
+files_list_spool(crontab_domain)
+files_read_etc_files(crontab_domain)
+files_read_usr_files(crontab_domain)
+files_search_pids(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_rw_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_syslog_msg(crontab_domain)
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+miscfiles_read_localization(crontab_domain)
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+userdom_use_user_terminals(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+ dontaudit crontab_domain crond_t:process signal;
+')
+
+########################################
+#
+# Admin local policy
+#
+
+allow admin_crontab_t crond_t:process signal;
+
+selinux_get_fs_mount(admin_crontab_t)
+selinux_validate_context(admin_crontab_t)
+selinux_compute_access_vector(admin_crontab_t)
+selinux_compute_create_context(admin_crontab_t)
+selinux_compute_relabel_context(admin_crontab_t)
+selinux_compute_user_contexts(admin_crontab_t)
+
+tunable_policy(`fcron_crond',`
+ allow admin_crontab_t self:process setfscreate;
+')
+
+########################################
+#
+# Daemon local policy
+#
+
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
+dontaudit crond_t self:capability { sys_resource sys_tty_config };
+
+allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow crond_t self:fd use;
+allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket sendto;
+allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
+allow crond_t self:msg { send receive };
+allow crond_t self:key { search write link };
+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+
+allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
+files_pid_filetrans(crond_t, crond_var_run_t, file)
+
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+
+manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
+allow crond_t system_cronjob_t:process transition;
+allow crond_t system_cronjob_t:fd use;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
+
+corecmd_exec_shell(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_list_bin(crond_t)
+
+dev_read_sysfs(crond_t)
+dev_read_urand(crond_t)
+
+domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
+
+fs_getattr_all_fs(crond_t)
+fs_list_inotifyfs(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_rw_cgroup_files(crond_t)
+fs_search_auto_mountpoints(crond_t)
+
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
+files_read_generic_spool(crond_t)
+files_list_usr(crond_t)
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
+files_read_all_locks(crond_t)
+
+mls_fd_share_all_levels(crond_t)
+mls_file_read_all_levels(crond_t)
+mls_file_write_all_levels(crond_t)
+mls_process_set_level(crond_t)
+mls_trusted_object(crond_t)
+
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
+
+init_read_state(crond_t)
+init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
+
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
+auth_use_nsswitch(crond_t)
+
+logging_send_audit_msgs(crond_t)
+logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
+
+seutil_read_config(crond_t)
+seutil_read_default_contexts(crond_t)
+
+miscfiles_read_localization(crond_t)
+
+userdom_list_user_home_dirs(crond_t)
+
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit crond_t cronjob_t:process transition;
+ dontaudit crond_t cronjob_t:fd use;
+ dontaudit crond_t cronjob_t:key manage_key_perms;
+',`
+ allow crond_t cronjob_t:process transition;
+ allow crond_t cronjob_t:fd use;
+ allow crond_t cronjob_t:key manage_key_perms;
+')
+
+ifdef(`distro_debian',`
+ allow crond_t self:process setrlimit;
+
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+
+ dpkg_manage_db(system_cronjob_t)
+ ')
+
+ optional_policy(`
+ logwatch_search_cache_dir(crond_t)
+ ')
+')
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_manage_log(crond_t)
+ ')
+')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+tunable_policy(`fcron_crond',`
+ allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+ allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(crond_t, crond_var_run_t, sock_file)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(crond_t)
+
+ optional_policy(`
+ hal_dbus_chat(crond_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send(crond_t)
+ ')
+')
+
+optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
+ amavis_search_lib(crond_t)
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
+')
+
+optional_policy(`
+ hal_write_log(crond_t)
+')
+
+optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+')
+
+optional_policy(`
+ mta_send_mail(crond_t)
+')
+
+optional_policy(`
+ munin_search_lib(crond_t)
+')
+
+optional_policy(`
+ postgresql_search_db(crond_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
+ rpm_read_pipes(crond_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(crond_t)
+')
+
+optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
+')
+
+optional_policy(`
+ udev_read_db(crond_t)
+')
+
+########################################
+#
+# System local policy
+#
+
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:fd use;
+allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t self:passwd rootok;
+
+allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
+files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
+
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
+
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+
+allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
+
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
+kernel_read_kernel_sysctls(system_cronjob_t)
+kernel_read_network_state(system_cronjob_t)
+kernel_read_system_state(system_cronjob_t)
+kernel_read_software_raid_state(system_cronjob_t)
+
+files_dontaudit_search_boot(system_cronjob_t)
+
+corecmd_exec_all_executables(system_cronjob_t)
+
+corenet_all_recvfrom_unlabeled(system_cronjob_t)
+corenet_all_recvfrom_netlabel(system_cronjob_t)
+corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+corenet_udp_sendrecv_generic_if(system_cronjob_t)
+corenet_tcp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_tcp_sendrecv_all_ports(system_cronjob_t)
+corenet_udp_sendrecv_all_ports(system_cronjob_t)
+
+dev_getattr_all_blk_files(system_cronjob_t)
+dev_getattr_all_chr_files(system_cronjob_t)
+dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
+
+fs_getattr_all_fs(system_cronjob_t)
+fs_getattr_all_files(system_cronjob_t)
+fs_getattr_all_symlinks(system_cronjob_t)
+fs_getattr_all_pipes(system_cronjob_t)
+fs_getattr_all_sockets(system_cronjob_t)
+
+domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+files_exec_etc_files(system_cronjob_t)
+files_read_etc_runtime_files(system_cronjob_t)
+files_list_all(system_cronjob_t)
+files_getattr_all_dirs(system_cronjob_t)
+files_getattr_all_files(system_cronjob_t)
+files_getattr_all_symlinks(system_cronjob_t)
+files_getattr_all_pipes(system_cronjob_t)
+files_getattr_all_sockets(system_cronjob_t)
+files_read_usr_files(system_cronjob_t)
+files_read_var_files(system_cronjob_t)
+files_dontaudit_search_pids(system_cronjob_t)
+files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
+
+mls_file_read_to_clearance(system_cronjob_t)
+
+init_domtrans_script(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_use_script_fds(system_cronjob_t)
+
+auth_use_nsswitch(system_cronjob_t)
+
+libs_exec_lib_files(system_cronjob_t)
+libs_exec_ld_so(system_cronjob_t)
+
+logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
+logging_send_syslog_msg(system_cronjob_t)
+
+miscfiles_read_localization(system_cronjob_t)
+
+seutil_read_config(system_cronjob_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+')
+
+tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+',`
+ selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+ selinux_compute_relabel_context(system_cronjob_t)
+ selinux_compute_user_contexts(system_cronjob_t)
+ seutil_read_file_contexts(system_cronjob_t)
+')
+
+optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
+ apache_delete_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ cyrus_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ devicekit_read_pid_files(system_cronjob_t)
+ devicekit_append_inherited_log_files(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
+ ftp_read_log(system_cronjob_t)
+')
+
+optional_policy(`
+ inn_manage_log(system_cronjob_t)
+ inn_manage_pid(system_cronjob_t)
+ inn_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+ mrtg_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ mta_read_config(system_cronjob_t)
+ mta_send_mail(system_cronjob_t)
+')
+
+optional_policy(`
+ mysql_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ samba_read_config(system_cronjob_t)
+ samba_read_log(system_cronjob_t)
+')
+
+optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ sysstat_manage_log(system_cronjob_t)
+')
+
+optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+')
+
+########################################
+#
+# Cronjob local policy
+#
+
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_generic_if(cronjob_t)
+corenet_udp_sendrecv_generic_if(cronjob_t)
+corenet_tcp_sendrecv_generic_node(cronjob_t)
+corenet_udp_sendrecv_generic_node(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+
+corenet_sendrecv_all_client_packets(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_exec_etc_files(cronjob_t)
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_read_usr_files(cronjob_t)
+files_search_spool(cronjob_t)
+files_dontaudit_search_pids(cronjob_t)
+
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_exec_user_home_content_files(cronjob_t)
+userdom_user_content_access_template(cron, { cronjob_t crontab_domain })
+
+tunable_policy(`cron_manage_generic_user_content',`
+ userdom_manage_user_tmp_pipes(cronjob_t)
+ userdom_manage_user_tmp_sockets(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+')
+
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit cronjob_t crond_t:fd use;
+ dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit cronjob_t crond_t:process sigchld;
+
+ dontaudit cronjob_t user_cron_spool_t:file entrypoint;
+',`
+ allow cronjob_t crond_t:fd use;
+ allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ allow cronjob_t crond_t:process sigchld;
+
+ allow cronjob_t user_cron_spool_t:file entrypoint;
+')
+
+optional_policy(`
+ nis_use_ypbind(cronjob_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
+
+dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:fd use;
+ dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+',`
+ allow crond_t unconfined_cronjob_t:process transition;
+ allow crond_t unconfined_cronjob_t:fd use;
+ allow crond_t unconfined_cronjob_t:key manage_key_perms;
+')
+
+optional_policy(`
+ unconfined_domain(unconfined_cronjob_t)
+')
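Review bot: The four `init_*_units`/`init_get_system_status(system_cronjob_t)` calls placed right after `init_spec_domtrans_script(crond_t)` in the "Daemon local policy" section, and the apt/dpkg `optional_policy` for system_cronjob_t inside the `distro_debian` block of that same section, are rules for system_cronjob_t and belong under "System local policy" with the rest of that domain's rules; readers auditing what crond_t itself may do will otherwise mis-attribute them. These predate the move, so the fix is a relocation rather than a behaviour change. Separately, `allow system_cronjob_t self:passwd rootok;` is the only use of the `passwd` class required at the top of the file and carries no explanation; a comment such as `# passwd rootok: presumably lets root-run jobs satisfy pam_rootok without a prompt -- confirm which jobs need this` would document the intent for the next reviewer.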
diff --git a/policy/modules/services/ctdb.fc b/policy/modules/services/ctdb.fc
new file mode 100644
index 000000000..984843412
--- /dev/null
+++ b/policy/modules/services/ctdb.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+
+/usr/bin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
+/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+
+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/policy/modules/services/ctdb.if b/policy/modules/services/ctdb.if
new file mode 100644
index 000000000..79b0c9abd
--- /dev/null
+++ b/policy/modules/services/ctdb.if
@@ -0,0 +1,82 @@
+## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## ctdbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_manage_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Connect to ctdbd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ctdb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdb_admin',`
+ gen_require(`
+ type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ ')
+
+ allow $1 ctdbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ctdbd_t)
+
+ init_startstop_service($1, $2, ctdbd_t, ctdbd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, ctdbd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, ctdbd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ctdbd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ctdbd_var_run_t)
+')
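Review bot: `ctdbd_stream_connect` grants `files_search_pids($1)` but its `stream_connect_pattern` also covers sockets labelled `ctdbd_tmp_t`, which ctdb.te creates under the generic tmp directory via `files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file })`; a caller connecting to a socket in /tmp would fail on the directory search unless it already has that access from elsewhere. Adding `files_search_tmp($1)` beside the pids search closes the gap. As a point of style, this module is `ctdb` yet two of the three interfaces are prefixed `ctdbd_` while the third is `ctdb_admin`; renaming would break existing callers, so if the prefix is kept it is worth a one-line comment explaining the split.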
diff --git a/policy/modules/services/ctdb.te b/policy/modules/services/ctdb.te
new file mode 100644
index 000000000..f52a9a4f8
--- /dev/null
+++ b/policy/modules/services/ctdb.te
@@ -0,0 +1,118 @@
+policy_module(ctdb, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ctdbd_t;
+type ctdbd_exec_t;
+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
+
+type ctdbd_initrc_exec_t;
+init_script_file(ctdbd_initrc_exec_t)
+
+type ctdbd_log_t;
+logging_log_file(ctdbd_log_t)
+
+type ctdbd_spool_t;
+files_type(ctdbd_spool_t)
+
+type ctdbd_tmp_t;
+files_tmp_file(ctdbd_tmp_t)
+
+type ctdbd_var_lib_t;
+files_type(ctdbd_var_lib_t)
+
+type ctdbd_var_run_t;
+files_pid_file(ctdbd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+allow ctdbd_t self:unix_stream_socket { accept connectto listen };
+allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ctdbd_t self:packet_socket create_socket_perms;
+allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+setattr_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+logging_log_filetrans(ctdbd_t, ctdbd_log_t, file)
+
+manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file })
+
+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+
+exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+
+kernel_read_network_state(ctdbd_t)
+kernel_read_system_state(ctdbd_t)
+kernel_rw_net_sysctls(ctdbd_t)
+
+corenet_all_recvfrom_unlabeled(ctdbd_t)
+corenet_all_recvfrom_netlabel(ctdbd_t)
+corenet_tcp_sendrecv_generic_if(ctdbd_t)
+corenet_tcp_sendrecv_generic_node(ctdbd_t)
+corenet_tcp_bind_generic_node(ctdbd_t)
+
+corenet_sendrecv_ctdb_server_packets(ctdbd_t)
+corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+
+corecmd_exec_bin(ctdbd_t)
+corecmd_exec_shell(ctdbd_t)
+
+dev_read_sysfs(ctdbd_t)
+dev_read_urand(ctdbd_t)
+
+domain_dontaudit_read_all_domains_state(ctdbd_t)
+
+files_read_etc_files(ctdbd_t)
+files_search_all_mountpoints(ctdbd_t)
+
+fs_getattr_all_fs(ctdbd_t)
+
+logging_send_syslog_msg(ctdbd_t)
+
+miscfiles_read_localization(ctdbd_t)
+miscfiles_read_public_files(ctdbd_t)
+
+optional_policy(`
+ consoletype_exec(ctdbd_t)
+')
+
+optional_policy(`
+ hostname_exec(ctdbd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(ctdbd_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
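Review bot: The directory file transitions (`files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)`, `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)`, `files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)`) carry no filename, so any directory ctdbd creates in /var/spool, /var/lib or /run gets the ctdbd-private label, wider than what ctdb.fc describes (`/var/spool/ctdb(/.*)?`, `/var/lib/ctdbd(/.*)?`, `/run/ctdbd(/.*)?`). If this tree's filetrans interfaces take the optional filename argument, passing `"ctdb"`, `"ctdbd"` and `"ctdbd"` respectively pins the transitions to those paths. The capability set `{ chown ipc_lock net_admin net_raw sys_nice }` together with `packet_socket`, `iptables_domtrans` and `sysnet_domtrans_ifconfig` is also undocumented; a comment such as `# net_admin/net_raw, packet_socket, iptables and ifconfig: presumably public-address failover handled by ctdb event scripts -- confirm` would record why a database daemon needs network-configuration privileges.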
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
new file mode 100644
index 000000000..43c4616a8
--- /dev/null
+++ b/policy/modules/services/cups.fc
@@ -0,0 +1,86 @@
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/bin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
new file mode 100644
index 000000000..e268b96f1
--- /dev/null
+++ b/policy/modules/services/cups.if
@@ -0,0 +1,384 @@
+## <summary>Common UNIX printing system.</summary>
+
+########################################
+## <summary>
+## Create a domain which can be
+## started by cupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+ role system_r types $1;
+
+ domtrans_pattern(cupsd_t, $2, $1)
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+## <summary>
+## Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans',`
+ gen_require(`
+ type cupsd_t, cupsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cupsd_exec_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Connect to cupsd over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect',`
+ gen_require(`
+ type cupsd_t, cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
+ stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cups over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat',`
+ gen_require(`
+ type cupsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_t:dbus send_msg;
+ allow cupsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_pid_files',`
+ gen_require(`
+ type cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute cups_config in the
+## cups config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_config',`
+ gen_require(`
+ type cupsd_config_t, cupsd_config_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to the cups
+## configuration daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_signal_config',`
+ gen_require(`
+ type cupsd_config_t;
+ ')
+
+ allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+ gen_require(`
+ type cupsd_config_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_config_t:dbus send_msg;
+ allow cupsd_config_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, { cupsd_etc_t cupsd_rw_etc_t })
+')
+
+########################################
+## <summary>
+## Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_rw_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, cupsd_rw_etc_t)
+')
+
+########################################
+## <summary>
+## Read cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+## <summary>
+## Write cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_write_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to ptal over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+ gen_require(`
+ type ptal_t, ptal_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of cupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_state',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ allow $1 cupsd_t:dir search_dir_perms;
+ allow $1 cupsd_t:file read_file_perms;
+ allow $1 cupsd_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Execute HP Linux Imaging and
+## Printing applications in their
+## own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_hplip',`
+ gen_require(`
+ type hplip_t, hplip_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hplip_exec_t, hplip_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cups environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
+ type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
+ type hplip_t, ptal_t;
+ ')
+
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
+ allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
+ ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+
+ init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+
+ files_list_spool($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
+
+ files_list_pids($1)
+ admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
+ admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+')
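Review bot: `cups_admin` at the end of this file omits several types the module declares, so an admin role granted through it cannot manage them: `hplip_etc_t`, `hplip_tmp_t`, `hplip_var_lib_t`, `cups_pdf_tmp_t`, `cupsd_lock_t` and `cupsd_interface_t` appear in neither the gen_require nor the admin_pattern calls, and `cupsd_unit_t` is not passed to init_startstop_service. The fix is to add them alongside their siblings, e.g. `admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t cups_pdf_tmp_t hplip_tmp_t })` and `admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t hplip_etc_t })`, plus `init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t, cupsd_unit_t)` if the init interface in this tree accepts the unit-file argument. Separately, `cups_write_log` grants `write_file_perms` on `cupsd_log_t`, which lets a caller truncate or rewrite existing log history rather than only append to it; a caveat in its summary such as `## Prefer cups_append_log unless the caller must rewrite existing log content.` would steer callers toward the narrower interface.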
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
new file mode 100644
index 000000000..ce2694e2c
--- /dev/null
+++ b/policy/modules/services/cups.te
@@ -0,0 +1,799 @@
+policy_module(cups, 1.22.1)
+
+########################################
+#
+# Declarations
+#
+
+type cupsd_config_t;
+type cupsd_config_exec_t;
+init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+
+type cupsd_config_var_run_t;
+files_pid_file(cupsd_config_var_run_t)
+
+type cupsd_t;
+type cupsd_exec_t;
+init_daemon_domain(cupsd_t, cupsd_exec_t)
+init_named_socket_activation(cupsd_t, cupsd_var_run_t)
+mls_trusted_object(cupsd_t)
+
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
+
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
+
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
+type cupsd_log_t;
+logging_log_file(cupsd_log_t)
+
+type cupsd_lpd_t;
+type cupsd_lpd_exec_t;
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+role system_r types cupsd_lpd_t;
+
+type cupsd_lpd_tmp_t;
+files_tmp_file(cupsd_lpd_tmp_t)
+
+type cupsd_lpd_var_run_t;
+files_pid_file(cupsd_lpd_var_run_t)
+
+type cups_pdf_t;
+type cups_pdf_exec_t;
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
+type cupsd_tmp_t;
+files_tmp_file(cupsd_tmp_t)
+
+type cupsd_unit_t;
+init_unit_file(cupsd_unit_t)
+
+type cupsd_var_run_t;
+files_pid_file(cupsd_var_run_t)
+init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
+mls_trusted_object(cupsd_var_run_t)
+
+type hplip_t;
+type hplip_exec_t;
+init_daemon_domain(hplip_t, hplip_exec_t)
+cups_backend(hplip_t, hplip_exec_t)
+
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
+
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
+
+type hplip_var_run_t;
+files_pid_file(hplip_var_run_t)
+
+type ptal_t;
+type ptal_exec_t;
+init_daemon_domain(ptal_t, ptal_exec_t)
+
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
+
+type ptal_var_run_t;
+files_pid_file(ptal_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Cups local policy
+#
+
+allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { net_admin sys_tty_config };
+allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:unix_stream_socket { accept connectto listen };
+allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
+allow cupsd_t self:sem create_sem_perms;
+allow cupsd_t self:tcp_socket { accept listen };
+allow cupsd_t self:appletalk_socket create_socket_perms;
+
+allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
+allow cupsd_t cupsd_etc_t:file setattr_file_perms;
+read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+
+manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+
+manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
+
+allow cupsd_t hplip_t:process { signal sigkill };
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
+stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+
+can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
+
+kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
+kernel_read_all_sysctls(cupsd_t)
+kernel_request_load_module(cupsd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_t)
+corenet_udp_sendrecv_generic_if(cupsd_t)
+corenet_raw_sendrecv_generic_if(cupsd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_t)
+corenet_udp_sendrecv_generic_node(cupsd_t)
+corenet_raw_sendrecv_generic_node(cupsd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_t)
+corenet_udp_sendrecv_all_ports(cupsd_t)
+corenet_tcp_bind_generic_node(cupsd_t)
+corenet_udp_bind_generic_node(cupsd_t)
+
+corenet_sendrecv_all_server_packets(cupsd_t)
+corenet_sendrecv_all_client_packets(cupsd_t)
+corenet_tcp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
+corenet_tcp_bind_reserved_port(cupsd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
+corenet_tcp_connect_all_ports(cupsd_t)
+
+corecmd_exec_bin(cupsd_t)
+corecmd_exec_shell(cupsd_t)
+
+dev_rw_printer(cupsd_t)
+dev_read_urand(cupsd_t)
+dev_read_sysfs(cupsd_t)
+dev_rw_input_dev(cupsd_t)
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
+dev_getattr_printer_dev(cupsd_t)
+
+domain_read_all_domains_state(cupsd_t)
+domain_use_interactive_fds(cupsd_t)
+
+files_getattr_boot_dirs(cupsd_t)
+files_list_spool(cupsd_t)
+files_read_etc_runtime_files(cupsd_t)
+files_read_usr_files(cupsd_t)
+files_exec_usr_files(cupsd_t)
+# for /var/lib/defoma
+files_read_var_lib_files(cupsd_t)
+files_list_world_readable(cupsd_t)
+files_read_world_readable_files(cupsd_t)
+files_read_world_readable_symlinks(cupsd_t)
+files_read_var_files(cupsd_t)
+files_read_var_symlinks(cupsd_t)
+files_write_generic_pid_pipes(cupsd_t)
+files_dontaudit_getattr_all_tmp_files(cupsd_t)
+files_dontaudit_list_home(cupsd_t)
+# for /etc/printcap
+files_dontaudit_write_etc_files(cupsd_t)
+
+fs_getattr_all_fs(cupsd_t)
+fs_search_auto_mountpoints(cupsd_t)
+fs_search_fusefs(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+
+mls_fd_use_all_levels(cupsd_t)
+mls_file_downgrade(cupsd_t)
+mls_file_write_all_levels(cupsd_t)
+mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
+mls_socket_write_all_levels(cupsd_t)
+
+term_search_ptys(cupsd_t)
+term_use_unallocated_ttys(cupsd_t)
+
+selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
+
+init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
+auth_use_nsswitch(cupsd_t)
+
+libs_read_lib_files(cupsd_t)
+libs_exec_lib_files(cupsd_t)
+
+logging_send_audit_msgs(cupsd_t)
+logging_send_syslog_msg(cupsd_t)
+
+miscfiles_read_localization(cupsd_t)
+miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+
+seutil_read_config(cupsd_t)
+
+sysnet_exec_ifconfig(cupsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+optional_policy(`
+ acpi_domtrans_client(cupsd_t)
+')
+
+optional_policy(`
+ cron_system_entry(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
+ userdom_dbus_send_all_users(cupsd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(cupsd_t)
+')
+
+optional_policy(`
+ inetd_core_service_domain(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(cupsd_t)
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
+')
+
+optional_policy(`
+ logrotate_domtrans(cupsd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(cupsd_t)
+ lpd_manage_spool(cupsd_t)
+ lpd_read_config(cupsd_t)
+ lpd_relabel_spool(cupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
+ samba_stream_connect_nmbd(cupsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cupsd_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_t)
+')
+
+optional_policy(`
+ virt_rw_all_image_chr_files(cupsd_t)
+')
+
+########################################
+#
+# Configuration daemon local policy
+#
+
+allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
+allow cupsd_config_t self:process { getsched signal_perms };
+allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_config_t self:tcp_socket { accept listen };
+
+allow cupsd_config_t cupsd_t:process signal;
+ps_process_pattern(cupsd_config_t, cupsd_t)
+
+manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+
+manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
+
+allow cupsd_config_t cupsd_log_t:file { append_file_perms read_file_perms };
+
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+
+stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+can_exec(cupsd_config_t, cupsd_config_exec_t)
+
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+kernel_read_system_state(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
+corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+
+corenet_sendrecv_all_client_packets(cupsd_config_t)
+corenet_tcp_connect_all_ports(cupsd_config_t)
+
+corecmd_exec_bin(cupsd_config_t)
+corecmd_exec_shell(cupsd_config_t)
+
+dev_read_sysfs(cupsd_config_t)
+dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
+
+files_read_etc_runtime_files(cupsd_config_t)
+files_read_usr_files(cupsd_config_t)
+files_read_var_symlinks(cupsd_config_t)
+files_search_all_mountpoints(cupsd_config_t)
+
+fs_getattr_all_fs(cupsd_config_t)
+fs_search_auto_mountpoints(cupsd_config_t)
+
+domain_use_interactive_fds(cupsd_config_t)
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+init_getattr_all_script_files(cupsd_config_t)
+
+auth_use_nsswitch(cupsd_config_t)
+
+logging_send_syslog_msg(cupsd_config_t)
+
+miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
+
+seutil_dontaudit_search_config(cupsd_config_t)
+
+term_use_generic_ptys(cupsd_config_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_read_all_users_state(cupsd_config_t)
+userdom_read_user_tmp_symlinks(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
+
+optional_policy(`
+ cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_config_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ ')
+')
+
+optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+')
+
+optional_policy(`
+ hostname_exec(cupsd_config_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(cupsd_config_t)
+')
+
+optional_policy(`
+ lpd_read_config(cupsd_config_t)
+')
+
+optional_policy(`
+ rpm_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_config_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ unconfined_stream_connect(cupsd_config_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow cupsd_lpd_t self:capability { setgid setuid };
+allow cupsd_lpd_t self:process signal_perms;
+allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_lpd_t self:tcp_socket { accept listen };
+allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
+allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:file read_file_perms;
+allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file })
+
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
+
+stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+kernel_read_kernel_sysctls(cupsd_lpd_t)
+kernel_read_system_state(cupsd_lpd_t)
+kernel_read_network_state(cupsd_lpd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
+
+corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_sendrecv_printer_port(cupsd_lpd_t)
+
+corenet_sendrecv_printer_client_packets(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
+
+dev_read_urand(cupsd_lpd_t)
+dev_read_rand(cupsd_lpd_t)
+
+fs_getattr_xattr_fs(cupsd_lpd_t)
+
+files_search_home(cupsd_lpd_t)
+
+auth_use_nsswitch(cupsd_lpd_t)
+
+logging_send_syslog_msg(cupsd_lpd_t)
+
+miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+
+optional_policy(`
+ inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+')
+
+########################################
+#
+# Pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid };
+allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+setattr_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
+
+fs_rw_anon_inodefs_files(cups_pdf_t)
+fs_search_auto_mountpoints(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+files_read_usr_files(cups_pdf_t)
+
+corecmd_exec_bin(cups_pdf_t)
+corecmd_exec_shell(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+
+userdom_manage_user_home_content_dirs(cups_pdf_t)
+userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_home_filetrans_user_home_dir(cups_pdf_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+optional_policy(`
+ lpd_manage_spool(cups_pdf_t)
+')
+
+########################################
+#
+# HPLIP local policy
+#
+
+allow hplip_t self:capability { dac_override dac_read_search net_raw };
+dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:fifo_file rw_fifo_file_perms;
+allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hplip_t self:tcp_socket { accept listen };
+allow hplip_t self:rawip_socket create_socket_perms;
+
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
+
+allow hplip_t hplip_etc_t:dir list_dir_perms;
+allow hplip_t hplip_etc_t:file read_file_perms;
+allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+
+manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+
+stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+kernel_read_system_state(hplip_t)
+kernel_read_kernel_sysctls(hplip_t)
+
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
+corenet_tcp_sendrecv_generic_if(hplip_t)
+corenet_udp_sendrecv_generic_if(hplip_t)
+corenet_raw_sendrecv_generic_if(hplip_t)
+corenet_tcp_sendrecv_generic_node(hplip_t)
+corenet_udp_sendrecv_generic_node(hplip_t)
+corenet_raw_sendrecv_generic_node(hplip_t)
+corenet_tcp_sendrecv_all_ports(hplip_t)
+corenet_udp_sendrecv_all_ports(hplip_t)
+corenet_tcp_bind_generic_node(hplip_t)
+corenet_udp_bind_generic_node(hplip_t)
+
+corenet_sendrecv_hplip_client_packets(hplip_t)
+corenet_receive_hplip_server_packets(hplip_t)
+corenet_tcp_bind_hplip_port(hplip_t)
+corenet_tcp_connect_hplip_port(hplip_t)
+
+corenet_sendrecv_ipp_client_packets(hplip_t)
+corenet_tcp_connect_ipp_port(hplip_t)
+
+corenet_sendrecv_howl_server_packets(hplip_t)
+corenet_udp_bind_howl_port(hplip_t)
+
+corecmd_exec_bin(hplip_t)
+
+dev_read_sysfs(hplip_t)
+dev_rw_printer(hplip_t)
+dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
+dev_rw_generic_usb_dev(hplip_t)
+dev_rw_usbfs(hplip_t)
+
+domain_use_interactive_fds(hplip_t)
+
+files_read_etc_files(hplip_t)
+files_read_etc_runtime_files(hplip_t)
+files_read_usr_files(hplip_t)
+
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
+
+miscfiles_read_localization(hplip_t)
+
+sysnet_dns_name_resolve(hplip_t)
+
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+userdom_dontaudit_search_user_home_dirs(hplip_t)
+userdom_dontaudit_search_user_home_content(hplip_t)
+
+optional_policy(`
+ dbus_system_bus_client(hplip_t)
+
+ optional_policy(`
+ userdom_dbus_send_all_users(hplip_t)
+ ')
+')
+
+optional_policy(`
+ lpd_read_config(hplip_t)
+ lpd_manage_spool(hplip_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hplip_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(hplip_t)
+')
+
+optional_policy(`
+ udev_read_db(hplip_t)
+ udev_read_pid_files(hplip_t)
+')
+
+########################################
+#
+# PTAL local policy
+#
+
+allow ptal_t self:capability { chown sys_rawio };
+dontaudit ptal_t self:capability sys_tty_config;
+allow ptal_t self:fifo_file rw_fifo_file_perms;
+allow ptal_t self:unix_stream_socket { accept listen };
+allow ptal_t self:tcp_socket create_stream_socket_perms;
+
+allow ptal_t ptal_etc_t:dir list_dir_perms;
+read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+
+manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ptal_t)
+kernel_list_proc(ptal_t)
+kernel_read_proc_symlinks(ptal_t)
+
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
+corenet_tcp_sendrecv_generic_if(ptal_t)
+corenet_tcp_sendrecv_generic_node(ptal_t)
+corenet_tcp_bind_generic_node(ptal_t)
+
+corenet_sendrecv_ptal_server_packets(ptal_t)
+corenet_tcp_bind_ptal_port(ptal_t)
+corenet_tcp_sendrecv_ptal_port(ptal_t)
+
+dev_read_sysfs(ptal_t)
+dev_read_usbfs(ptal_t)
+dev_rw_printer(ptal_t)
+
+domain_use_interactive_fds(ptal_t)
+
+files_read_etc_files(ptal_t)
+files_read_etc_runtime_files(ptal_t)
+
+fs_getattr_all_fs(ptal_t)
+fs_search_auto_mountpoints(ptal_t)
+
+logging_send_syslog_msg(ptal_t)
+
+miscfiles_read_localization(ptal_t)
+
+sysnet_read_config(ptal_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+userdom_dontaudit_search_user_home_content(ptal_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ptal_t)
+')
+
+optional_policy(`
+ udev_read_db(ptal_t)
+')
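Review bot: The cupsd_t capability vector at the top of the Cups local policy lists `dac_override` twice and allows `sys_tty_config` while the very next line dontaudits the same capability, so that dontaudit is dead; the cupsd_config_t section repeats the same allow/dontaudit pair. Either the daemon really needs the capability and it should be dropped from the dontaudit, or it does not and it should be dropped from the allow; the tighter reading, consistent with how ptal_t and hplip_t treat it as a deny-quietly case, is `allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource };` with `dontaudit cupsd_t self:capability { net_admin sys_tty_config };`. Also, `hal_dontaudit_use_fds(hplip_t)` sits inside the cupsd_config_t hal optional_policy block; it belongs in the HPLIP section so it is not lost if someone prunes the cupsd_config_t hal rules. Since `sys_admin`, `sys_rawio`, `mls_file_downgrade` and `corenet_tcp_connect_all_ports` all land on cupsd_t, a one-line comment above each naming the backend or feature that needs it would let a later reviewer tighten the domain with confidence.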
diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc
new file mode 100644
index 000000000..67ba72b57
--- /dev/null
+++ b/policy/modules/services/cvs.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
+
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+
+/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
+
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
new file mode 100644
index 000000000..49f6c1cb9
--- /dev/null
+++ b/policy/modules/services/cvs.if
@@ -0,0 +1,81 @@
+## <summary>Concurrent versions system.</summary>
+
+########################################
+## <summary>
+## Read CVS data and metadata content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_read_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
+')
+
+########################################
+## <summary>
+## Execute cvs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_exec',`
+ gen_require(`
+ type cvs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, cvs_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cvs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cvs_t)
+
+ init_startstop_service($1, $2, cvs_t, cvs_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cvs_keytab_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, cvs_tmp_t)
+
+ files_search_usr($1)
+ admin_pattern($1, cvs_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
+')
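Review bot: `cvs_admin` grants `files_search_usr($1)` before `admin_pattern($1, cvs_data_t)`, but the accompanying cvs.fc labels both `/opt/cvs(/.*)?` and `/var/cvs(/.*)?` as cvs_data_t, so the admin domain can reach the /opt tree (assuming /opt carries the usr type as refpolicy labels it by default) yet has no search access to the /var parent of the second location. Adding `files_search_var($1)` next to the existing `files_search_usr($1)` would make the interface cover both labelled paths. The required-type list also names `cvs_keytab_t` under `files_search_etc`, which is consistent with the .te declaration but has no file-context entry in this series, so it is presumably labelled by another module; a short comment saying so would save the next reviewer the search.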
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
new file mode 100644
index 000000000..f090b62a4
--- /dev/null
+++ b/policy/modules/services/cvs.te
@@ -0,0 +1,125 @@
+policy_module(cvs, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether cvs can read shadow
+## password files.
+## </p>
+## </desc>
+gen_tunable(allow_cvs_read_shadow, false)
+
+type cvs_t;
+type cvs_exec_t;
+inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+init_daemon_domain(cvs_t, cvs_exec_t)
+application_executable_file(cvs_exec_t)
+
+type cvs_data_t; # customizable
+files_type(cvs_data_t)
+
+type cvs_initrc_exec_t;
+init_script_file(cvs_initrc_exec_t)
+
+type cvs_keytab_t;
+files_type(cvs_keytab_t)
+
+type cvs_tmp_t;
+files_tmp_file(cvs_tmp_t)
+
+type cvs_var_run_t;
+files_pid_file(cvs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cvs_t self:capability { setgid setuid };
+allow cvs_t self:process signal_perms;
+allow cvs_t self:fifo_file rw_fifo_file_perms;
+allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cvs_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+
+allow cvs_t cvs_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+
+manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
+files_pid_filetrans(cvs_t, cvs_var_run_t, file)
+
+kernel_read_kernel_sysctls(cvs_t)
+kernel_read_system_state(cvs_t)
+kernel_read_network_state(cvs_t)
+
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+
+corenet_sendrecv_cvs_server_packets(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+corenet_tcp_sendrecv_cvs_port(cvs_t)
+
+corecmd_exec_bin(cvs_t)
+corecmd_exec_shell(cvs_t)
+
+dev_read_urand(cvs_t)
+
+files_read_etc_runtime_files(cvs_t)
+files_search_home(cvs_t)
+
+fs_getattr_xattr_fs(cvs_t)
+
+auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
+
+init_read_utmp(cvs_t)
+
+logging_send_syslog_msg(cvs_t)
+logging_send_audit_msgs(cvs_t)
+
+miscfiles_read_localization(cvs_t)
+
+userdom_dontaudit_search_user_home_dirs(cvs_t)
+
+# cjp: typeattribute doesnt work in conditionals yet
+auth_can_read_shadow_passwords(cvs_t)
+tunable_policy(`allow_cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+')
+
+optional_policy(`
+ kerberos_read_config(cvs_t)
+ kerberos_read_keytab(cvs_t)
+ kerberos_use(cvs_t)
+ kerberos_dontaudit_write_config(cvs_t)
+')
+
+optional_policy(`
+ mta_send_mail(cvs_t)
+')
+
+########################################
+#
+# CVSWeb local policy
+#
+
+optional_policy(`
+ apache_content_template(cvs)
+
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')
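Review bot: `auth_can_read_shadow_passwords(cvs_t)` is applied unconditionally while the `allow_cvs_read_shadow` tunable only wraps `auth_tunable_read_shadow` and the `dac_override` capability, and the one-line `# cjp: typeattribute doesnt work in conditionals yet` comment does not tell a policy auditor what that means for the boolean. Whatever the attribute conveys is therefore granted even when the tunable is false, so the boolean is weaker than its `<desc>` text suggests; I would expand the comment to something like `# the attribute assignment cannot be placed inside tunable_policy, so only the shadow file access and dac_override below are actually gated by allow_cvs_read_shadow`. Independently, `corecmd_exec_shell(cvs_t)` alongside `corecmd_exec_bin` is a broad grant for a network-facing inetd service; a comment naming the cvs feature that needs a shell (I cannot tell from this hunk) would help anyone later trying to tighten the domain.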
diff --git a/policy/modules/services/cyphesis.fc b/policy/modules/services/cyphesis.fc
new file mode 100644
index 000000000..5e9dd74e6
--- /dev/null
+++ b/policy/modules/services/cyphesis.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cyphesis -- gen_context(system_u:object_r:cyphesis_initrc_exec_t,s0)
+
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
new file mode 100644
index 000000000..da37d4eea
--- /dev/null
+++ b/policy/modules/services/cyphesis.if
@@ -0,0 +1,58 @@
+## <summary>Cyphesis WorldForge game server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cyphesis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cyphesis_domtrans',`
+ gen_require(`
+ type cyphesis_t, cyphesis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cyphesis_exec_t, cyphesis_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cyphesis environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyphesis_admin',`
+ gen_require(`
+ type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t;
+ type cyphesis_var_run_t, cyphesis_tmp_t;
+ ')
+
+ allow $1 cyphesis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cyphesis_t)
+
+ init_startstop_service($1, $2, cyphesis_t, cyphesis_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cyphesis_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cyphesis_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, cyphesis_tmp_t)
+')
diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
new file mode 100644
index 000000000..5707b6188
--- /dev/null
+++ b/policy/modules/services/cyphesis.te
@@ -0,0 +1,87 @@
+policy_module(cyphesis, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyphesis_t;
+type cyphesis_exec_t;
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
+application_executable_file(cyphesis_exec_t)
+
+type cyphesis_initrc_exec_t;
+init_script_file(cyphesis_initrc_exec_t)
+
+type cyphesis_log_t;
+logging_log_file(cyphesis_log_t)
+
+type cyphesis_tmp_t;
+files_tmp_file(cyphesis_tmp_t)
+
+type cyphesis_var_run_t;
+files_pid_file(cyphesis_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyphesis_t self:process { setfscreate setsched signal };
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
+allow cyphesis_t self:tcp_socket { accept listen };
+allow cyphesis_t self:unix_stream_socket { accept listen };
+
+append_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+create_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+setattr_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
+
+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, dir)
+
+kernel_read_system_state(cyphesis_t)
+kernel_read_kernel_sysctls(cyphesis_t)
+
+corecmd_search_bin(cyphesis_t)
+corecmd_getattr_bin_files(cyphesis_t)
+
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_sendrecv_generic_if(cyphesis_t)
+corenet_tcp_sendrecv_generic_node(cyphesis_t)
+corenet_tcp_bind_generic_node(cyphesis_t)
+
+corenet_sendrecv_cyphesis_server_packets(cyphesis_t)
+corenet_tcp_bind_cyphesis_port(cyphesis_t)
+corenet_tcp_sendrecv_cyphesis_port(cyphesis_t)
+
+dev_read_urand(cyphesis_t)
+
+domain_use_interactive_fds(cyphesis_t)
+
+files_read_etc_files(cyphesis_t)
+files_read_usr_files(cyphesis_t)
+
+logging_send_syslog_msg(cyphesis_t)
+
+miscfiles_read_localization(cyphesis_t)
+
+sysnet_dns_name_resolve(cyphesis_t)
+
+optional_policy(`
+ dbus_system_bus_client(cyphesis_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cyphesis_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_use(cyphesis_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(cyphesis_t)
+')
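Review bot: cyphesis.te pairs `corenet_all_recvfrom_unlabeled(cyphesis_t)` with no `corenet_all_recvfrom_netlabel` call, whereas every other daemon in this series (cvs, cyrus, dante, dbskk) grants both, so on a host using NetLabel the game server presumably cannot receive labelled packets on its bound port. If the omission is deliberate a comment should say so; otherwise `corenet_all_recvfrom_netlabel(cyphesis_t)` belongs next to the unlabeled rule. The `setfscreate` permission in `allow cyphesis_t self:process { setfscreate setsched signal };` is also unusual for a service domain and would benefit from a one-line comment naming the file-creation context it is expected to set.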
diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc
new file mode 100644
index 000000000..36755fa2d
--- /dev/null
+++ b/policy/modules/services/cyrus.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/cyrus.* -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
+
+/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+/usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
+
+/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
+
+/run/cyrus.* gen_context(system_u:object_r:cyrus_var_run_t,s0)
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
new file mode 100644
index 000000000..759e074b8
--- /dev/null
+++ b/policy/modules/services/cyrus.if
@@ -0,0 +1,83 @@
+## <summary>Cyrus is an IMAP service intended to be run on sealed servers.</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cyrus data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_manage_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to Cyrus using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+ gen_require(`
+ type cyrus_t, cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cyrus environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyrus_admin',`
+ gen_require(`
+ type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ type cyrus_keytab_t;
+ ')
+
+ allow $1 cyrus_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cyrus_t)
+
+ init_startstop_service($1, $2, cyrus_t, cyrus_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, cyrus_keytab_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, cyrus_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cyrus_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cyrus_var_run_t)
+')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
new file mode 100644
index 000000000..af6b5b6ce
--- /dev/null
+++ b/policy/modules/services/cyrus.te
@@ -0,0 +1,145 @@
+policy_module(cyrus, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t, cyrus_exec_t)
+
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
+
+type cyrus_keytab_t;
+files_type(cyrus_keytab_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_fifo_file_perms;
+allow cyrus_t self:sock_file read_sock_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket { accept connectto listen };
+allow cyrus_t self:tcp_socket { accept listen };
+
+allow cyrus_t cyrus_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+
+manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+
+manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctls(cyrus_t)
+
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
+corenet_tcp_sendrecv_generic_if(cyrus_t)
+corenet_tcp_sendrecv_generic_node(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_generic_node(cyrus_t)
+
+corenet_sendrecv_mail_server_packets(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+
+corenet_sendrecv_lmtp_server_packets(cyrus_t)
+corenet_tcp_bind_lmtp_port(cyrus_t)
+
+corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+
+corenet_sendrecv_sieve_server_packets(cyrus_t)
+corenet_tcp_bind_sieve_port(cyrus_t)
+
+corenet_sendrecv_all_client_packets(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+domain_use_interactive_fds(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
+files_dontaudit_write_usr_dirs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+auth_use_nsswitch(cyrus_t)
+
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
+miscfiles_read_generic_tls_privkey(cyrus_t)
+
+userdom_use_unpriv_users_fds(cyrus_t)
+userdom_dontaudit_search_user_home_dirs(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)
+
+optional_policy(`
+ cron_system_entry(cyrus_t, cyrus_exec_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(cyrus_t)
+ kerberos_use(cyrus_t)
+')
+
+optional_policy(`
+ sasl_connect(cyrus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ udev_read_db(cyrus_t)
+')
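Review bot: `corenet_tcp_connect_all_ports(cyrus_t)` together with `corenet_sendrecv_all_client_packets` and `corenet_tcp_sendrecv_all_ports` lets the IMAP server open outbound TCP connections to any port, which is far broader than the mail/lmtp/pop/sieve server ports the module otherwise enumerates so carefully; the grant carries no comment, so a reviewer cannot tell which feature (sasl, kerberos, snmp, mail delivery via the optional blocks below) justifies it or whether it could be narrowed to those ports. Also `kernel_read_all_sysctls(cyrus_t)` subsumes the `kernel_read_kernel_sysctls(cyrus_t)` rule two lines above it, so one of the two is redundant; dropping the narrower call or commenting why both are present would keep the intent clear. The self:process rule likewise lists `transition` and `dyntransition` against self, which are no-ops as written and obscure the permissions that actually matter.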
diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc
new file mode 100644
index 000000000..3aea91874
--- /dev/null
+++ b/policy/modules/services/dante.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/danted -- gen_context(system_u:object_r:dante_initrc_exec_t,s0)
+
+/etc/danted\.conf -- gen_context(system_u:object_r:dante_conf_t,s0)
+/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+
+/usr/bin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
+/usr/bin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
+/usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
+/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
+/run/danted\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
+/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if
new file mode 100644
index 000000000..8d02f8c8b
--- /dev/null
+++ b/policy/modules/services/dante.if
@@ -0,0 +1,36 @@
+## <summary>Dante msproxy and socks4/5 proxy server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dante environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dante_admin',`
+ gen_require(`
+ type dante_t, dante_conf_t, dante_var_run_t;
+ type dante_initrc_exec_t;
+ ')
+
+ allow $1 dante_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dante_t)
+
+ init_startstop_service($1, $2, dante_t, dante_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dante_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dante_var_run_t)
+')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
new file mode 100644
index 000000000..55d8dad35
--- /dev/null
+++ b/policy/modules/services/dante.te
@@ -0,0 +1,79 @@
+policy_module(dante, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type dante_t;
+type dante_exec_t;
+init_daemon_domain(dante_t, dante_exec_t)
+
+type dante_initrc_exec_t;
+init_script_file(dante_initrc_exec_t)
+
+type dante_conf_t;
+files_config_file(dante_conf_t)
+
+type dante_var_run_t;
+files_pid_file(dante_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dante_t self:capability { setgid setuid };
+dontaudit dante_t self:capability sys_tty_config;
+allow dante_t self:process signal_perms;
+allow dante_t self:fifo_file rw_fifo_file_perms;
+allow dante_t self:tcp_socket { accept listen };
+
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
+
+manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t)
+files_pid_filetrans(dante_t, dante_var_run_t, file)
+
+kernel_read_kernel_sysctls(dante_t)
+kernel_list_proc(dante_t)
+kernel_read_proc_symlinks(dante_t)
+
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
+corenet_tcp_sendrecv_generic_if(dante_t)
+corenet_tcp_sendrecv_generic_node(dante_t)
+corenet_tcp_bind_generic_node(dante_t)
+
+corenet_sendrecv_socks_server_packets(dante_t)
+corenet_tcp_bind_socks_port(dante_t)
+corenet_tcp_sendrecv_socks_port(dante_t)
+
+dev_read_sysfs(dante_t)
+
+domain_use_interactive_fds(dante_t)
+
+files_read_etc_files(dante_t)
+files_read_etc_runtime_files(dante_t)
+
+fs_getattr_all_fs(dante_t)
+fs_search_auto_mountpoints(dante_t)
+
+init_write_utmp(dante_t)
+
+logging_send_syslog_msg(dante_t)
+
+miscfiles_read_localization(dante_t)
+
+sysnet_dns_name_resolve(dante_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dante_t)
+')
+
+optional_policy(`
+ udev_read_db(dante_t)
+')
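Review bot: `init_write_utmp(dante_t)` is the only write access the proxy receives outside its own pid file and has no comment explaining which danted feature updates utmp, so it reads as an accidental grant during an audit of the domain. A one-line comment above it naming the feature, or a pointer to the upstream report that motivated it, would let a maintainer decide later whether it is still needed. Separately, the hunk gives `dante_t` bind and sendrecv on the socks port but no outbound connect interface, so how forwarded client connections are authorised is not visible here; if that is provided elsewhere or intentionally left to local policy, a short comment under the corenet block would make that explicit.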
diff --git a/policy/modules/services/dbskk.fc b/policy/modules/services/dbskk.fc
new file mode 100644
index 000000000..a30287461
--- /dev/null
+++ b/policy/modules/services/dbskk.fc
@@ -0,0 +1,3 @@
+/usr/bin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
+
+/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/services/dbskk.if b/policy/modules/services/dbskk.if
new file mode 100644
index 000000000..9e7100483
--- /dev/null
+++ b/policy/modules/services/dbskk.if
@@ -0,0 +1 @@
+## <summary>Dictionary server for the SKK Japanese input method system.</summary>
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
new file mode 100644
index 000000000..41d6beb86
--- /dev/null
+++ b/policy/modules/services/dbskk.te
@@ -0,0 +1,58 @@
+policy_module(dbskk, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type dbskkd_t;
+type dbskkd_exec_t;
+inetd_service_domain(dbskkd_t, dbskkd_exec_t)
+role system_r types dbskkd_t;
+
+type dbskkd_tmp_t;
+files_tmp_file(dbskkd_tmp_t)
+
+type dbskkd_var_run_t;
+files_pid_file(dbskkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dbskkd_t self:process signal_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
+allow dbskkd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
+
+manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(dbskkd_t)
+kernel_read_system_state(dbskkd_t)
+kernel_read_network_state(dbskkd_t)
+
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
+corenet_tcp_sendrecv_generic_if(dbskkd_t)
+corenet_udp_sendrecv_generic_if(dbskkd_t)
+corenet_tcp_sendrecv_generic_node(dbskkd_t)
+corenet_udp_sendrecv_generic_node(dbskkd_t)
+corenet_tcp_sendrecv_all_ports(dbskkd_t)
+corenet_udp_sendrecv_all_ports(dbskkd_t)
+
+dev_read_urand(dbskkd_t)
+
+fs_getattr_xattr_fs(dbskkd_t)
+
+files_read_etc_files(dbskkd_t)
+
+auth_use_nsswitch(dbskkd_t)
+
+logging_send_syslog_msg(dbskkd_t)
+
+miscfiles_read_localization(dbskkd_t)
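Review bot: `corenet_tcp_sendrecv_all_ports(dbskkd_t)` and `corenet_udp_sendrecv_all_ports(dbskkd_t)` are broad for an inetd-spawned dictionary server that only answers on the socket it inherits, and nothing in the hunk records why UDP on every port is needed at all. If a dedicated port type exists for this service in corenetwork the TCP rule could be narrowed to it; otherwise a comment such as `# inetd hands over the accepted socket, so the server itself binds nothing` above the corenet block would at least document the intent. The `dbskkd_var_run_t` type is managed via `files_pid_filetrans` but has no matching entry in dbskk.fc, so relabels will not restore its context; if the pid file is always created at runtime that is fine, but it is worth a line saying so.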
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
new file mode 100644
index 000000000..e9a13ee99
--- /dev/null
+++ b/policy/modules/services/dbus.fc
@@ -0,0 +1,32 @@
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+
+/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+# needed by dbus-broker
+/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
+/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
new file mode 100644
index 000000000..01e353ed0
--- /dev/null
+++ b/policy/modules/services/dbus.if
@@ -0,0 +1,614 @@
+## <summary>Desktop messaging bus.</summary>
+
+########################################
+## <summary>
+## DBUS stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+ attribute session_bus_type;
+ type system_dbusd_t, dbusd_exec_t;
+ type session_dbusd_tmp_t, session_dbusd_home_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 $1_dbusd_t:fd use;
+
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
+
+ allow $1_dbusd_t $3:process sigkill;
+
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_shell_domtrans($1_dbusd_t, $3)
+
+ auth_use_nsswitch($1_dbusd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ xdg_read_data_home_files($1_dbusd_t)
+ ')
+ ')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## the system bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ attribute dbusd_system_bus_client;
+ type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ typeattribute $1 dbusd_system_bus_client;
+
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+
+ dbus_read_config($1)
+
+ ifdef(`distro_gentoo',`
+ # The /var/lib/dbus/machine-id file is a link to /etc/machine-id
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Acquire service on all DBUS
+## session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+#######################################
+## <summary>
+## Acquire service on specified
+## DBUS session bus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_spec_session_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $2 $1_dbusd_t:dbus acquire_svc;
+')
+
+#######################################
+## <summary>
+## Creating connections to all
+## DBUS session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_all_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type, dbusd_session_bus_client;
+ class dbus send_msg;
+ ')
+
+ typeattribute $1 dbusd_session_bus_client;
+
+ allow $1 { session_bus_type self }:dbus send_msg;
+ allow session_bus_type $1:dbus send_msg;
+
+ allow $1 session_bus_type:unix_stream_socket connectto;
+ allow $1 session_bus_type:fd use;
+')
+
+#######################################
+## <summary>
+## Creating connections to specified
+## DBUS session bus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_spec_session_bus_client',`
+ gen_require(`
+ attribute dbusd_session_bus_client;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ typeattribute $2 dbusd_session_bus_client;
+
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ allow $2 $1_dbusd_t:fd use;
+')
+
+#######################################
+## <summary>
+## Send messages to all DBUS
+## session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Send messages to specified
+## DBUS session busses.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_spec_session_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read dbus configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow a application domain to be
+## started by the specified session bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_all_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_all_session_bus_client($1)
+ dbus_connect_all_session_bus($1)
+')
+
+########################################
+## <summary>
+## Allow a application domain to be
+## started by the specified session bus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_spec_session_domain',`
+ gen_require(`
+ type $1_dbusd_t;
+ ')
+
+ domtrans_pattern($1_dbusd_t, $3, $2)
+
+ dbus_spec_session_bus_client($1, $2)
+ dbus_connect_spec_session_bus($1, $2)
+')
+
+########################################
+## <summary>
+## Acquire service on the DBUS system bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Send messages to the DBUS system bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Unconfined access to DBUS system bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
+')
+
+########################################
+## <summary>
+## Create a domain for processes which
+## can be started by the DBUS system bus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`init_systemd',`
+ init_daemon_domain($1, $2)
+ ')
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Use and inherit DBUS system bus
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write DBUS system bus TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ dontaudit $1 system_dbusd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Unconfined access to DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+## <summary>
+## Create resources in /run or /var/run with the system_dbusd_var_run_t
+## label. This method is deprecated in favor of the init_daemon_run_dir
+## call.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Classes supported for the created resources
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional file name used for the resource
+## </summary>
+## </param>
+#
+interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Create directories with the system_dbusd_var_run_t label
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_create_system_dbusd_var_run_dirs',`
+ gen_require(`
+ type system_dbusd_var_run_t;
+ ')
+
+ create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
new file mode 100644
index 000000000..486b0b18d
--- /dev/null
+++ b/policy/modules/services/dbus.te
@@ -0,0 +1,305 @@
+policy_module(dbus, 1.24.3)
+
+gen_require(`
+ class dbus all_dbus_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+attribute dbusd_unconfined;
+attribute session_bus_type;
+
+attribute dbusd_system_bus_client;
+attribute dbusd_session_bus_client;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
+type session_dbusd_home_t;
+userdom_user_home_content(session_dbusd_home_t)
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+userdom_user_tmp_file(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
+init_named_socket_activation(system_dbusd_t, system_dbusd_var_run_t)
+
+type system_dbusd_tmp_t;
+files_tmp_file(system_dbusd_tmp_t)
+
+type system_dbusd_var_lib_t;
+files_type(system_dbusd_var_lib_t)
+
+type system_dbusd_var_run_t;
+files_pid_file(system_dbusd_var_run_t)
+init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
+
+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
+dontaudit system_dbusd_t self:capability sys_tty_config;
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+allow system_dbusd_t self:dbus { send_msg acquire_svc };
+allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
+
+can_exec(system_dbusd_t, dbusd_exec_t)
+
+kernel_read_system_state(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
+
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+corecmd_exec_shell(system_dbusd_t)
+
+dev_read_urand(system_dbusd_t)
+dev_read_sysfs(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
+fs_getattr_all_fs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_search_auto_mountpoints(system_dbusd_t)
+fs_search_cgroup_dirs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
+
+mls_fd_use_all_levels(system_dbusd_t)
+mls_rangetrans_target(system_dbusd_t)
+mls_file_read_all_levels(system_dbusd_t)
+mls_socket_write_all_levels(system_dbusd_t)
+mls_socket_read_to_clearance(system_dbusd_t)
+mls_dbus_recv_all_levels(system_dbusd_t)
+
+selinux_get_fs_mount(system_dbusd_t)
+selinux_validate_context(system_dbusd_t)
+selinux_compute_access_vector(system_dbusd_t)
+selinux_compute_create_context(system_dbusd_t)
+selinux_compute_relabel_context(system_dbusd_t)
+selinux_compute_user_contexts(system_dbusd_t)
+
+term_dontaudit_use_console(system_dbusd_t)
+
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+init_all_labeled_script_domtrans(system_dbusd_t)
+init_start_system(system_dbusd_t) # needed by dbus-broker
+
+# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
+libs_exec_lib_files(system_dbusd_t)
+
+logging_send_audit_msgs(system_dbusd_t)
+logging_send_syslog_msg(system_dbusd_t)
+
+miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
+
+seutil_read_config(system_dbusd_t)
+seutil_read_default_contexts(system_dbusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+# read a file in ~/.local/share
+userdom_read_user_home_content_files(system_dbusd_t)
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+ ')
+')
+
+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
+optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+')
+
+optional_policy(`
+ bluetooth_stream_connect(system_dbusd_t)
+')
+
+optional_policy(`
+ consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_read_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(system_dbusd_t)
+')
+
+optional_policy(`
+ udev_read_db(system_dbusd_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_lib_files(system_dbusd_t)
+ xserver_use_xdm_fds(system_dbusd_t)
+')
+
+########################################
+#
+# Common session bus local policy
+#
+
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
+allow session_bus_type self:file { getattr read write };
+allow session_bus_type self:fifo_file rw_fifo_file_perms;
+allow session_bus_type self:dbus { send_msg acquire_svc };
+allow session_bus_type self:unix_stream_socket { accept listen };
+allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
+
+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
+
+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+
+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
+kernel_read_system_state(session_bus_type)
+kernel_read_kernel_sysctls(session_bus_type)
+
+corecmd_list_bin(session_bus_type)
+corecmd_read_bin_files(session_bus_type)
+corecmd_read_bin_pipes(session_bus_type)
+corecmd_read_bin_sockets(session_bus_type)
+
+corenet_all_recvfrom_unlabeled(session_bus_type)
+corenet_all_recvfrom_netlabel(session_bus_type)
+corenet_tcp_sendrecv_generic_if(session_bus_type)
+corenet_tcp_sendrecv_generic_node(session_bus_type)
+corenet_tcp_sendrecv_all_ports(session_bus_type)
+corenet_tcp_bind_generic_node(session_bus_type)
+
+corenet_sendrecv_all_server_packets(session_bus_type)
+corenet_tcp_bind_reserved_port(session_bus_type)
+
+dev_read_urand(session_bus_type)
+
+domain_read_all_domains_state(session_bus_type)
+domain_use_interactive_fds(session_bus_type)
+
+files_list_home(session_bus_type)
+files_read_usr_files(session_bus_type)
+files_dontaudit_search_var(session_bus_type)
+
+fs_getattr_romfs(session_bus_type)
+fs_getattr_xattr_fs(session_bus_type)
+fs_list_inotifyfs(session_bus_type)
+fs_dontaudit_list_nfs(session_bus_type)
+
+selinux_get_fs_mount(session_bus_type)
+selinux_validate_context(session_bus_type)
+selinux_compute_access_vector(session_bus_type)
+selinux_compute_create_context(session_bus_type)
+selinux_compute_relabel_context(session_bus_type)
+selinux_compute_user_contexts(session_bus_type)
+
+auth_read_pam_console_data(session_bus_type)
+
+logging_send_audit_msgs(session_bus_type)
+logging_send_syslog_msg(session_bus_type)
+
+miscfiles_read_localization(session_bus_type)
+
+seutil_read_config(session_bus_type)
+seutil_read_default_contexts(session_bus_type)
+
+term_use_all_terms(session_bus_type)
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ hal_dbus_chat(session_bus_type)
+ ')
+')
+
+optional_policy(`
+ xserver_rw_xsession_log(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
+allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
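Review bot: The common session bus policy opens a network listener (`allow session_bus_type self:tcp_socket { accept listen };`) and pairs it with `corenet_tcp_bind_reserved_port(session_bus_type)` and `corenet_tcp_sendrecv_all_ports(session_bus_type)`, but nothing says why a per-user session bus needs a TCP endpoint on a reserved port, which is the widest exposure in this file. A why-comment above that corenet block, e.g. `# tcp: transport listener; unix sockets are the default, confirm this is still needed`, would let a later reviewer judge whether it can be narrowed to a specific port interface. The `dac_override` grant in `allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };` likewise carries no rationale; if it exists for one identifiable access, naming it in a comment would make the grant auditable.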
diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc
new file mode 100644
index 000000000..bc9189c84
--- /dev/null
+++ b/policy/modules/services/dcc.fc
@@ -0,0 +1,30 @@
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/bin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/bin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+
+/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
new file mode 100644
index 000000000..a5c21e0e8
--- /dev/null
+++ b/policy/modules/services/dcc.if
@@ -0,0 +1,178 @@
+## <summary>Distributed checksum clearinghouse spam filtering.</summary>
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_cdcc',`
+ gen_require(`
+ type cdcc_t, cdcc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cdcc_exec_t, cdcc_t)
+')
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain, and
+## allow the specified role the
+## cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_cdcc',`
+ gen_require(`
+ attribute_role cdcc_roles;
+ ')
+
+ dcc_domtrans_cdcc($1)
+ roleattribute $2 cdcc_roles;
+')
+
+########################################
+## <summary>
+## Execute dcc client in the dcc
+## client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_client',`
+ gen_require(`
+ type dcc_client_t, dcc_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to dcc client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute dcc client in the dcc
+## client domain, and allow the
+## specified role the dcc client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_client',`
+ gen_require(`
+ attribute_role dcc_client_roles;
+ ')
+
+ dcc_domtrans_client($1)
+ roleattribute $2 dcc_client_roles;
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t, dcc_dbclean_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc dbclean
+## domain, and allow the specified
+## role the dcc dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_dbclean',`
+ gen_require(`
+ attribute_role dcc_dbclean_roles;
+ ')
+
+ dcc_domtrans_dbclean($1)
+ roleattribute $2 dcc_dbclean_roles;
+')
+
+########################################
+## <summary>
+## Connect to dccifd over a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_stream_connect_dccifd',`
+ gen_require(`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+ files_search_var($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+')
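Review bot: `dcc_stream_connect_dccifd` assumes the dccifd socket sits in a dcc_var_t directory (`stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)` reached via `files_search_var($1)`), yet dcc.fc also labels `/run/dcc/dccifd` as dccifd_var_run_t inside a dcc_var_run_t directory, so a client using the /run path is denied search on the parent. If that layout is in use, the interface needs the pid-dir search and a second pattern, `files_search_pids($1)` and `stream_connect_pattern($1, dcc_var_run_t, dccifd_var_run_t, dccifd_t)`, with `dcc_var_run_t` added to the gen_require. The same gap appears in dcc.te, where dccifd_t's socket filetrans is only on dcc_var_t and no rule grants dccifd_t access to dcc_var_run_t at all.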
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
new file mode 100644
index 000000000..9b8a0bc11
--- /dev/null
+++ b/policy/modules/services/dcc.te
@@ -0,0 +1,351 @@
+policy_module(dcc, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role cdcc_roles;
+roleattribute system_r cdcc_roles;
+
+attribute_role dcc_client_roles;
+roleattribute system_r dcc_client_roles;
+
+attribute_role dcc_dbclean_roles;
+roleattribute system_r dcc_dbclean_roles;
+
+type cdcc_t;
+type cdcc_exec_t;
+application_domain(cdcc_t, cdcc_exec_t)
+role cdcc_roles types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+application_domain(dcc_client_t, dcc_client_exec_t)
+role dcc_client_roles types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
+role dcc_dbclean_roles types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t, dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t, dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t, dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+########################################
+#
+# Daemon controller local policy
+#
+
+allow cdcc_t self:capability { setgid setuid };
+
+manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
+files_read_etc_runtime_files(cdcc_t)
+
+auth_use_nsswitch(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+userdom_use_user_terminals(cdcc_t)
+
+########################################
+#
+# Procmail interface local policy
+#
+
+allow dcc_client_t self:capability { setgid setuid };
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_client_t)
+
+files_read_etc_runtime_files(dcc_client_t)
+
+fs_getattr_all_fs(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+userdom_use_user_terminals(dcc_client_t)
+
+optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup local policy
+#
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_dbclean_t)
+
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+auth_use_nsswitch(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+userdom_use_user_terminals(dcc_dbclean_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+
+manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_generic_node(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_generic_node(dccd_t)
+
+corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
+
+corecmd_search_bin(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+auth_use_nsswitch(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket { accept listen };
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
+files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+auth_use_nsswitch(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# Sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket { accept listen };
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
+files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+auth_use_nsswitch(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+ udev_read_db(dccm_t)
+')
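Review bot: `dcc_var_run_t` is declared with `files_type(dcc_var_run_t)` although dcc.fc maps it to `/run/dcc` and every other runtime type in this file (`dccd_var_run_t`, `dccifd_var_run_t`, `dccm_var_run_t`) uses `files_pid_file`; without the pidfile attribute it is left out of the generic runtime-directory interfaces the other three types participate in. Changing the declaration to `files_pid_file(dcc_var_run_t)` makes it consistent with its siblings and with the label placement. Separately, `allow dccd_t self:capability net_admin;` has no comment naming the operation that needs it; a one-line rationale, or a TODO to confirm it is still required, would help since net_admin is a broad capability for a checksum server.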
diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc
new file mode 100644
index 000000000..64d55e5c6
--- /dev/null
+++ b/policy/modules/services/ddclient.fc
@@ -0,0 +1,19 @@
+/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/usr/bin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/bin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+
+/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+
+/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+
+/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
new file mode 100644
index 000000000..96ddeea17
--- /dev/null
+++ b/policy/modules/services/ddclient.if
@@ -0,0 +1,95 @@
+## <summary>Update dynamic IP address at DynDNS.org.</summary>
+
+#######################################
+## <summary>
+## Execute ddclient in the ddclient domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddclient_domtrans',`
+ gen_require(`
+ type ddclient_t, ddclient_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
+')
+
+########################################
+## <summary>
+## Execute ddclient in the ddclient
+## domain, and allow the specified
+## role the ddclient domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+ gen_require(`
+ attribute_role ddclient_roles;
+ ')
+
+ ddclient_domtrans($1)
+ roleattribute $2 ddclient_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ddclient environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+ type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ddclient_t)
+
+ init_startstop_service($1, $2, ddclient_t, ddclient_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ddclient_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ddclient_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, ddclient_var_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ddclient_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ddclient_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ddclient_tmp_t)
+')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
new file mode 100644
index 000000000..ff6500ab6
--- /dev/null
+++ b/policy/modules/services/ddclient.te
@@ -0,0 +1,118 @@
+policy_module(ddclient, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ddclient_roles;
+
+type ddclient_t;
+type ddclient_exec_t;
+init_daemon_domain(ddclient_t, ddclient_exec_t)
+role ddclient_roles types ddclient_t;
+
+type ddclient_etc_t;
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
+
+type ddclient_log_t;
+logging_log_file(ddclient_log_t)
+
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
+type ddclient_var_t;
+files_type(ddclient_var_t)
+
+type ddclient_var_lib_t;
+files_type(ddclient_var_lib_t)
+
+type ddclient_var_run_t;
+files_pid_file(ddclient_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit ddclient_t self:capability sys_tty_config;
+allow ddclient_t self:process signal_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+
+allow ddclient_t ddclient_log_t:file append_file_perms;
+allow ddclient_t ddclient_log_t:file create_file_perms;
+allow ddclient_t ddclient_log_t:file setattr_file_perms;
+logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)
+
+manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+
+manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
+
+manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
+files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
+
+kernel_getattr_core_if(ddclient_t)
+kernel_getattr_message_if(ddclient_t)
+kernel_read_kernel_sysctls(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_read_system_state(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
+
+corecmd_exec_shell(ddclient_t)
+corecmd_exec_bin(ddclient_t)
+
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
+corenet_tcp_sendrecv_generic_if(ddclient_t)
+corenet_udp_sendrecv_generic_if(ddclient_t)
+corenet_tcp_sendrecv_generic_node(ddclient_t)
+corenet_udp_sendrecv_generic_node(ddclient_t)
+corenet_tcp_sendrecv_all_ports(ddclient_t)
+corenet_udp_sendrecv_all_ports(ddclient_t)
+
+corenet_sendrecv_all_client_packets(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
+
+dev_read_sysfs(ddclient_t)
+dev_read_urand(ddclient_t)
+
+domain_use_interactive_fds(ddclient_t)
+
+files_read_etc_files(ddclient_t)
+files_read_etc_runtime_files(ddclient_t)
+files_read_usr_files(ddclient_t)
+
+fs_getattr_all_fs(ddclient_t)
+fs_search_auto_mountpoints(ddclient_t)
+
+logging_send_syslog_msg(ddclient_t)
+
+miscfiles_read_localization(ddclient_t)
+
+sysnet_exec_ifconfig(ddclient_t)
+sysnet_dns_name_resolve(ddclient_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ddclient_t)
+')
+
+optional_policy(`
+ udev_read_db(ddclient_t)
+')
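Review bot: The second section banner reading `# Declarations`, the one directly above `dontaudit ddclient_t self:capability sys_tty_config;`, is a copy of the first banner, while the rules under it are the domain's access rules; it should read `# Local policy`, matching the layout of denyhosts.te and devicekit.te in this same commit. Separately, `corenet_tcp_connect_all_ports(ddclient_t)` together with the `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` calls lets an updater that the module summary describes as talking to DynDNS.org connect to any TCP port. If the update protocols it supports are limited to HTTP/HTTPS, `corenet_tcp_connect_http_port(ddclient_t)` would keep the domain closer to least privilege; I cannot tell from this hunk whether other update providers need arbitrary ports, so a short why-comment on the all-ports line would help either way.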
diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc
new file mode 100644
index 000000000..89b0b77d4
--- /dev/null
+++ b/policy/modules/services/denyhosts.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
new file mode 100644
index 000000000..0fb8ec7c4
--- /dev/null
+++ b/policy/modules/services/denyhosts.if
@@ -0,0 +1,76 @@
+## <summary>SSH dictionary attack mitigation.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans',`
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+## Execute denyhost server in the
+## denyhost domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans',`
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an denyhosts environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`denyhosts_admin',`
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms };
+ ps_process_pattern($1, denyhosts_t)
+
+ init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
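Review bot: The summary of `denyhosts_initrc_domtrans` says it executes the denyhosts server in the denyhosts domain, but the body only calls `init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)`, which runs the labeled init script and transitions to the init script domain, not to `denyhosts_t`; the summary should say something like `Execute the denyhosts init script in the init script domain.` The same wording mismatch appears in `dhcpd_initrc_domtrans` in the dhcp.if hunk further down. Also, `denyhosts_admin` takes a role parameter and passes it to `init_startstop_service`, yet unlike `ddclient_admin` and `dhcpd_admin` in this commit it carries no `<rolecap/>` tag; presumably it should, for consistency.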
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
new file mode 100644
index 000000000..342e6231b
--- /dev/null
+++ b/policy/modules/services/denyhosts.te
@@ -0,0 +1,73 @@
+policy_module(denyhosts, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
+allow denyhosts_t self:netlink_route_socket nlmsg_write;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_network_state(denyhosts_t)
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+corecmd_exec_shell(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_dns_name_resolve(denyhosts_t)
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
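Review bot: `allow denyhosts_t self:capability sys_tty_config;` grants the capability outright, whereas ddclient.te in this same commit uses `dontaudit ddclient_t self:capability sys_tty_config;` for what looks like the same daemon-startup noise; unless denyhosts actually configures a terminal, the dontaudit form seems the intended one and keeps the domain narrower. The `nlmsg_write` permission on `self:netlink_route_socket` is also unusual for a log-watching daemon and has no comment explaining which operation needs it; a one-line why-comment on that rule would let the next maintainer judge whether it is still required.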
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
new file mode 100644
index 000000000..2b6d443c8
--- /dev/null
+++ b/policy/modules/services/devicekit.fc
@@ -0,0 +1,24 @@
+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+
+/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
new file mode 100644
index 000000000..da75b8e4e
--- /dev/null
+++ b/policy/modules/services/devicekit.if
@@ -0,0 +1,279 @@
+## <summary>Devicekit modular hardware abstraction layer.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+')
+
+########################################
+## <summary>
+## Send to devicekit over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t, devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send generic signals to devicekit power.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit power over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Use and inherit devicekit power
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+########################################
+## <summary>
+## Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_append_inherited_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+
+ devicekit_use_fds_power($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_manage_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+')
+
+########################################
+## <summary>
+## Relabel devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_relabel_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+')
+
+########################################
+## <summary>
+## Read devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_manage_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an devicekit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ type devicekit_var_log_t;
+ ')
+
+ allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, devicekit_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, devicekit_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, devicekit_var_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, devicekit_var_run_t)
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
new file mode 100644
index 000000000..a5b869d31
--- /dev/null
+++ b/policy/modules/services/devicekit.te
@@ -0,0 +1,373 @@
+policy_module(devicekit, 1.8.3)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+type devicekit_var_log_t;
+logging_log_file(devicekit_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file })
+
+kernel_read_system_state(devicekit_t)
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
+########################################
+#
+# Disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
+allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { dir file })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_list_unlabeled(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_read_vm_overcommit_sysctl(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+kernel_manage_unlabeled_dirs(devicekit_disk_t)
+
+corecmd_exec_bin(devicekit_disk_t)
+corecmd_exec_shell(devicekit_disk_t)
+corecmd_getattr_all_executables(devicekit_disk_t)
+
+dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_rw_sysfs(devicekit_disk_t)
+
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+
+fs_getattr_all_fs(devicekit_disk_t)
+fs_list_inotifyfs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+fs_search_all(devicekit_disk_t)
+
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+logging_send_syslog_msg(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+ifdef(`distro_debian',`
+ # /dev/mem is accessed by libparted to get EFI data
+ dev_read_raw_memory(devicekit_disk_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
+ ')
+
+ optional_policy(`
+ # gwenview triggers the need for this
+ xserver_dbus_chat_xdm(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(devicekit_disk_t)
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+ udev_read_pid_files(devicekit_disk_t)
+')
+
+optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+')
+
+########################################
+#
+# Power local policy
+#
+
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
+allow devicekit_power_t self:capability2 wake_alarm;
+allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:unix_stream_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
+allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
+allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+
+kernel_read_fs_sysctls(devicekit_power_t)
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
+kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+kernel_setsched(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+dev_read_input(devicekit_power_t)
+dev_read_urand(devicekit_power_t)
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
+dev_getattr_all_blk_files(devicekit_power_t)
+dev_getattr_all_chr_files(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+files_read_kernel_img(devicekit_power_t)
+files_read_etc_runtime_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+files_dontaudit_list_mnt(devicekit_power_t)
+
+fs_getattr_all_fs(devicekit_power_t)
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+init_all_labeled_script_domtrans(devicekit_power_t)
+init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
+
+logging_send_syslog_msg(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ consoletype_exec(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+ init_dbus_chat(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+')
+
+optional_policy(`
+ modutils_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ networkmanager_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ readahead_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(devicekit_power_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_power_t)
+ udev_manage_pid_files(devicekit_power_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
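Review bot: `xserver_dbus_chat_xdm(devicekit_power_t)` in the optional_policy block just before the `# Disk local policy` banner sits inside the devicekit_t section even though it targets devicekit_power_t; it belongs in the `# Power local policy` section with the other devicekit_power_t rules, so that an audit of the power domain sees all of its access in one place. Separately, the Debian-only `dev_read_raw_memory(devicekit_disk_t)` gets a why-comment, but the far broader `sys_rawio`, `sys_admin` and `sys_ptrace` capabilities and `mls_file_write_to_clearance(devicekit_disk_t)` do not; since devicekit_disk_t is the domain holding raw read and write access to fixed and removable disks, a comment naming what needs each of those would make later least-privilege reviews of this domain tractable.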
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
new file mode 100644
index 000000000..a58b11034
--- /dev/null
+++ b/policy/modules/services/dhcp.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+
+/usr/bin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp/dhcpd6\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
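Review bot: The unit-file pattern `/usr/lib/systemd/system/dhcpcd.*\.service` labels dhcpcd units as `dhcpd_unit_t`, but dhcpcd is a DHCP client, while this module confines the dhcpd server (the dhcp.if summary reads `Dynamic host configuration protocol server.` and every other pattern here matches `dhcpd`). If the server's unit is intended, the pattern should presumably be `/usr/lib/systemd/system/dhcpd.*\.service`; if dhcpcd is intentional, a comment saying why the client's unit gets the server's label would stop this from being reopened.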
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
new file mode 100644
index 000000000..b7a0337c4
--- /dev/null
+++ b/policy/modules/services/dhcp.if
@@ -0,0 +1,97 @@
+## <summary>Dynamic host configuration protocol server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dhcpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+## <summary>
+## Set attributes of dhcpd server
+## state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+ gen_require(`
+ type dhcpd_state_t;
+ ')
+
+ sysnet_search_dhcp_state($1)
+ allow $1 dhcpd_state_t:file setattr;
+')
+
+########################################
+## <summary>
+## Execute dhcp server in the dhcp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dhcpd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
+ allow $1 dhcpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dhcpd_t)
+
+ init_startstop_service($1, $2, dhcpd_t, dhcpd_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, dhcpd_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dhcpd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
+')
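Review bot: `dhcpd_setattr_state_files` uses the bare permission in `allow $1 dhcpd_state_t:file setattr;`, while the other interfaces and .te files in this commit express file access through the `*_file_perms` sets and `*_pattern` macros; `allow $1 dhcpd_state_t:file setattr_file_perms;` would match the house style. The comment block above `dhcpd_initrc_domtrans` also ends with two consecutive bare `#` lines where every other interface uses one.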
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
new file mode 100644
index 000000000..2e5802bb8
--- /dev/null
+++ b/policy/modules/services/dhcp.te
@@ -0,0 +1,134 @@
+policy_module(dhcp, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether DHCP daemon
+## can use LDAP backends.
+## </p>
+## </desc>
+gen_tunable(dhcpd_use_ldap, false)
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_unit_t;
+init_unit_file(dhcpd_unit_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource };
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process { getcap setcap signal_perms };
+allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+allow dhcpd_t self:tcp_socket { accept listen };
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
+
+manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file })
+
+manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
+
+can_exec(dhcpd_t, dhcpd_exec_t)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
+
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
+corenet_tcp_sendrecv_generic_if(dhcpd_t)
+corenet_udp_sendrecv_generic_if(dhcpd_t)
+corenet_raw_sendrecv_generic_if(dhcpd_t)
+corenet_tcp_sendrecv_generic_node(dhcpd_t)
+corenet_udp_sendrecv_generic_node(dhcpd_t)
+corenet_raw_sendrecv_generic_node(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_generic_node(dhcpd_t)
+
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+
+corenet_sendrecv_all_client_packets(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
+
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+domain_use_interactive_fds(dhcpd_t)
+
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+auth_use_nsswitch(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+
+tunable_policy(`dhcpd_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+')
+
+optional_policy(`
+ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`
+ udev_read_db(dhcpd_t)
+')
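Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` together with `corenet_sendrecv_all_client_packets(dhcpd_t)` lets the DHCP server open outbound TCP connections to any port, which is far broader than anything else in this block and carries no explanation. The LDAP backend case is already gated by the `dhcpd_use_ldap` tunable via `sysnet_use_ldap`, so the reason for the unconditional rule is unclear from the policy alone. If it is needed for something like dynamic DNS updates, a why-comment above the rule, e.g. `# outbound TCP to arbitrary ports: <reason>`, should say so; otherwise the rule is a candidate for narrowing to the specific ports or for moving under a tunable.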
diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc
new file mode 100644
index 000000000..b2c773b2d
--- /dev/null
+++ b/policy/modules/services/dictd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
+
+/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+
+/usr/bin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
new file mode 100644
index 000000000..6feb8280f
--- /dev/null
+++ b/policy/modules/services/dictd.if
@@ -0,0 +1,39 @@
+## <summary>Dictionary daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dictd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dictd_admin',`
+ gen_require(`
+ type dictd_t, dictd_etc_t, dictd_var_lib_t;
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+ allow $1 dictd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dictd_t)
+
+ init_startstop_service($1, $2, dictd_t, dictd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, dictd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dictd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dictd_var_run_t)
+')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
new file mode 100644
index 000000000..6cad541bd
--- /dev/null
+++ b/policy/modules/services/dictd.te
@@ -0,0 +1,82 @@
+policy_module(dictd, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+type dictd_t;
+type dictd_exec_t;
+init_daemon_domain(dictd_t, dictd_exec_t)
+
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
+
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
+type dictd_var_lib_t alias var_lib_dictd_t;
+files_type(dictd_var_lib_t)
+
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dictd_t self:capability { setgid setuid };
+dontaudit dictd_t self:capability sys_tty_config;
+allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:unix_stream_socket { accept listen };
+allow dictd_t self:tcp_socket { accept listen };
+
+allow dictd_t dictd_etc_t:file read_file_perms;
+
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
+
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
+kernel_read_system_state(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
+
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
+corenet_tcp_sendrecv_generic_if(dictd_t)
+corenet_tcp_sendrecv_generic_node(dictd_t)
+corenet_tcp_bind_generic_node(dictd_t)
+
+corenet_sendrecv_dict_server_packets(dictd_t)
+corenet_tcp_bind_dict_port(dictd_t)
+corenet_tcp_sendrecv_dict_port(dictd_t)
+
+dev_read_sysfs(dictd_t)
+
+domain_use_interactive_fds(dictd_t)
+
+files_map_usr_files(dictd_t)
+files_read_etc_runtime_files(dictd_t)
+files_read_usr_files(dictd_t)
+files_search_var_lib(dictd_t)
+
+fs_getattr_xattr_fs(dictd_t)
+fs_search_auto_mountpoints(dictd_t)
+
+auth_use_nsswitch(dictd_t)
+
+logging_send_syslog_msg(dictd_t)
+
+miscfiles_read_localization(dictd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+')
+
+optional_policy(`
+ udev_read_db(dictd_t)
+')
diff --git a/policy/modules/services/dirmngr.fc b/policy/modules/services/dirmngr.fc
new file mode 100644
index 000000000..60f19f47d
--- /dev/null
+++ b/policy/modules/services/dirmngr.fc
@@ -0,0 +1,18 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
+/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
+
+/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
+
+/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
+
+/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
+
+/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+
+/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/services/dirmngr.if b/policy/modules/services/dirmngr.if
new file mode 100644
index 000000000..07af50631
--- /dev/null
+++ b/policy/modules/services/dirmngr.if
@@ -0,0 +1,136 @@
+## <summary>Server for managing and downloading certificate revocation lists.</summary>
+
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dirmngr environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dirmngr_admin',`
+ gen_require(`
+ type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_var_run_t;
+ type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t;
+ ')
+
+ allow $1 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dirmngr_t)
+
+ init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dirmngr_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, dirmngr_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dirmngr_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, dirmngr_var_lib_t)
+')
diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
new file mode 100644
index 000000000..68b0cf099
--- /dev/null
+++ b/policy/modules/services/dirmngr.te
@@ -0,0 +1,91 @@
+policy_module(dirmngr, 1.4.1)
+
+########################################
+#
+# Declarations
+#
+
+type dirmngr_t;
+type dirmngr_exec_t;
+init_daemon_domain(dirmngr_t, dirmngr_exec_t)
+
+type dirmngr_conf_t;
+files_config_file(dirmngr_conf_t)
+
+type dirmngr_initrc_exec_t;
+init_script_file(dirmngr_initrc_exec_t)
+
+type dirmngr_log_t;
+logging_log_file(dirmngr_log_t)
+
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)
+
+type dirmngr_var_lib_t;
+files_type(dirmngr_var_lib_t)
+
+type dirmngr_var_run_t;
+files_pid_file(dirmngr_var_run_t)
+
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dirmngr_t self:fifo_file rw_file_perms;
+
+allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_conf_t:file read_file_perms;
+allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
+
+manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+create_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+setattr_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+logging_log_filetrans(dirmngr_t, dirmngr_log_t, dir)
+
+manage_dirs_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
+manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
+manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
+files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
+manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
+
+kernel_read_crypto_sysctls(dirmngr_t)
+
+dev_read_rand(dirmngr_t)
+
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_http_port(dirmngr_t)
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+
+files_read_etc_files(dirmngr_t)
+files_read_usr_files(dirmngr_t)
+
+miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
+')
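Review bot: `allow dirmngr_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo, while the other modules in this commit (dhcpd, distccd, djbdns) use the fifo-specific set for the same rule; it should read `allow dirmngr_t self:fifo_file rw_fifo_file_perms;`. Separately, the network rules consist only of `corenet_tcp_connect_http_port`, `corenet_tcp_connect_pgpkeyserver_port` and a UDP node bind, with none of the `corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel`, `corenet_tcp_sendrecv_generic_if` and `corenet_tcp_sendrecv_generic_node` rules every other networked domain in this commit carries. Unless those are granted to dirmngr_t elsewhere, CRL and keyserver fetches will be denied on the send/receive side, and the matching `corenet_sendrecv_http_client_packets(dirmngr_t)` packet rule (plus its pgpkeyserver counterpart) is missing as well.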
diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc
new file mode 100644
index 000000000..3da3c346f
--- /dev/null
+++ b/policy/modules/services/distcc.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/distccd -- gen_context(system_u:object_r:distccd_initrc_exec_t,s0)
+
+/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0)
+
+/var/log/distccd.* -- gen_context(system_u:object_r:distccd_log_t,s0)
+
+/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0)
diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if
new file mode 100644
index 000000000..6b432866b
--- /dev/null
+++ b/policy/modules/services/distcc.if
@@ -0,0 +1,39 @@
+## <summary>Distributed compiler daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an distcc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`distcc_admin',`
+ gen_require(`
+ type distccd_t, distccd_t, distccd_log_t;
+ type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+ ')
+
+ allow $1 distccd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, distccd_t)
+
+ init_startstop_service($1, $2, distccd_t, distccd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, distccd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, distccd_tmp_t)
+
+ files_search_pids($1)
+ admin_pattern($1, distccd_var_run_t)
+')
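Review bot: the `gen_require` block of `distcc_admin` lists `distccd_t` twice (`type distccd_t, distccd_t, distccd_log_t;`); the duplicate is most likely harmless to the policy compiler but reads like a type that was dropped during editing, and should be `type distccd_t, distccd_log_t;`. Every type the body actually uses (`distccd_t`, `distccd_log_t`, `distccd_var_run_t`, `distccd_tmp_t`, `distccd_initrc_exec_t`) is present, so nothing else appears to be missing from the require list.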
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
new file mode 100644
index 000000000..4239519e8
--- /dev/null
+++ b/policy/modules/services/distcc.te
@@ -0,0 +1,88 @@
+policy_module(distcc, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type distccd_t;
+type distccd_exec_t;
+init_daemon_domain(distccd_t, distccd_exec_t)
+
+type distccd_initrc_exec_t;
+init_script_file(distccd_initrc_exec_t)
+
+type distccd_log_t;
+logging_log_file(distccd_log_t)
+
+type distccd_tmp_t;
+files_tmp_file(distccd_tmp_t)
+
+type distccd_var_run_t;
+files_pid_file(distccd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow distccd_t self:capability { setgid setuid };
+dontaudit distccd_t self:capability sys_tty_config;
+allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:fifo_file rw_fifo_file_perms;
+allow distccd_t self:tcp_socket { accept listen };
+
+allow distccd_t distccd_log_t:file append_file_perms;
+allow distccd_t distccd_log_t:file create_file_perms;
+allow distccd_t distccd_log_t:file setattr_file_perms;
+logging_log_filetrans(distccd_t, distccd_log_t, file)
+
+manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
+
+manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t)
+files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+
+kernel_read_system_state(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
+
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
+corenet_tcp_sendrecv_generic_if(distccd_t)
+corenet_tcp_sendrecv_generic_node(distccd_t)
+corenet_tcp_bind_generic_node(distccd_t)
+
+corenet_sendrecv_distccd_server_packets(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
+corenet_tcp_sendrecv_distccd_port(distccd_t)
+
+dev_read_sysfs(distccd_t)
+
+fs_getattr_all_fs(distccd_t)
+fs_search_auto_mountpoints(distccd_t)
+
+corecmd_exec_bin(distccd_t)
+
+domain_use_interactive_fds(distccd_t)
+
+files_read_etc_runtime_files(distccd_t)
+
+auth_use_nsswitch(distccd_t)
+
+libs_exec_lib_files(distccd_t)
+
+logging_send_syslog_msg(distccd_t)
+
+miscfiles_read_localization(distccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(distccd_t)
+')
+
+optional_policy(`
+ udev_read_db(distccd_t)
+')
diff --git a/policy/modules/services/djbdns.fc b/policy/modules/services/djbdns.fc
new file mode 100644
index 000000000..e9b1b32a8
--- /dev/null
+++ b/policy/modules/services/djbdns.fc
@@ -0,0 +1,7 @@
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if
new file mode 100644
index 000000000..dd87a12ae
--- /dev/null
+++ b/policy/modules/services/djbdns.if
@@ -0,0 +1,78 @@
+## <summary>Small and secure DNS daemon.</summary>
+
+#######################################
+## <summary>
+## The template to define a djbdns domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+ gen_require(`
+ attribute djbdns_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type djbdns_$1_t, djbdns_domain;
+ type djbdns_$1_exec_t;
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Search djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_search_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key search;
+')
+
+#####################################
+## <summary>
+## Link djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_link_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key link;
+')
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
new file mode 100644
index 000000000..d77c66b02
--- /dev/null
+++ b/policy/modules/services/djbdns.te
@@ -0,0 +1,64 @@
+policy_module(djbdns, 1.6.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute djbdns_domain;
+
+djbdns_daemontools_domain_template(axfrdns)
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+djbdns_daemontools_domain_template(dnscache)
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Common local policy
+#
+
+allow djbdns_domain self:capability { setgid setuid sys_chroot };
+allow djbdns_domain self:process signal;
+allow djbdns_domain self:fifo_file rw_fifo_file_perms;
+allow djbdns_domain self:tcp_socket create_stream_socket_perms;
+allow djbdns_domain self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(djbdns_domain)
+corenet_all_recvfrom_netlabel(djbdns_domain)
+corenet_tcp_sendrecv_generic_if(djbdns_domain)
+corenet_udp_sendrecv_generic_if(djbdns_domain)
+corenet_tcp_sendrecv_generic_node(djbdns_domain)
+corenet_udp_sendrecv_generic_node(djbdns_domain)
+corenet_tcp_sendrecv_all_ports(djbdns_domain)
+corenet_udp_sendrecv_all_ports(djbdns_domain)
+corenet_tcp_bind_generic_node(djbdns_domain)
+corenet_udp_bind_generic_node(djbdns_domain)
+
+corenet_sendrecv_dns_server_packets(djbdns_domain)
+corenet_tcp_bind_dns_port(djbdns_domain)
+corenet_udp_bind_dns_port(djbdns_domain)
+
+corenet_sendrecv_dns_client_packets(djbdns_domain)
+corenet_tcp_connect_dns_port(djbdns_domain)
+
+corenet_sendrecv_generic_server_packets(djbdns_domain)
+corenet_tcp_bind_generic_port(djbdns_domain)
+corenet_udp_bind_generic_port(djbdns_domain)
+
+files_search_var(djbdns_domain)
+
+########################################
+#
+# axfrdns local policy
+#
+
+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
+
+########################################
+#
+# tinydns local policy
+#
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
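Review bot: the axfrdns rules `allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;` and the matching `file read_file_perms` name `djbdns_tinydns_t` as a dir/file object, yet the template in djbdns.if declares it as a process domain (`domain_type(djbdns_$1_t)`); on a domain type those permissions reach only the /proc/<pid> entries of tinydns, not its data under /var/tinydns/root, which djbdns.fc labels `djbdns_tinydns_conf_t`. If the intent is for axfrdns to read tinydns's zone data, `djbdns_tinydns_conf_t` alone covers it and `djbdns_tinydns_t` can be dropped from both sets; if reading tinydns's /proc state really is required, `ps_process_pattern(djbdns_axfrdns_t, djbdns_tinydns_t)` states that explicitly and a one-line comment should say why.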
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
new file mode 100644
index 000000000..08b652630
--- /dev/null
+++ b/policy/modules/services/dkim.fc
@@ -0,0 +1,25 @@
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
+/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if
new file mode 100644
index 000000000..059e495a5
--- /dev/null
+++ b/policy/modules/services/dkim.if
@@ -0,0 +1,54 @@
+## <summary>DomainKeys Identified Mail milter.</summary>
+
+########################################
+## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dkim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dkim_admin',`
+ gen_require(`
+ type dkim_milter_t, dkim_milter_initrc_exec_t, dkim_milter_private_key_t;
+ type dkim_milter_data_t;
+ ')
+
+ allow $1 dkim_milter_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dkim_milter_t)
+
+ init_startstop_service($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dkim_milter_private_key_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dkim_milter_data_t)
+')
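Review bot: `dkim_admin` grants `admin_pattern($1, dkim_milter_data_t)` with only `files_search_pids($1)` for path access, but dkim.fc in this same commit also labels `/var/lib/dkim-milter`, `/var/spool/postfix/opendkim` and `/var/spool/opendkim` as `dkim_milter_data_t`, so an administrator can reach only the instances under /run. Adding `files_search_var_lib($1)` and `files_search_spool($1)` next to the existing search makes the whole type manageable.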
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
new file mode 100644
index 000000000..03c8fc652
--- /dev/null
+++ b/policy/modules/services/dkim.te
@@ -0,0 +1,54 @@
+policy_module(dkim, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(dkim)
+
+type dkim_milter_initrc_exec_t;
+init_script_file(dkim_milter_initrc_exec_t)
+
+type dkim_milter_private_key_t;
+files_security_file(dkim_milter_private_key_t)
+
+type dkim_milter_unit_t;
+init_unit_file(dkim_milter_unit_t)
+
+init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
+
+########################################
+#
+# Local policy
+#
+
+allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+# /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
+
+files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
+files_read_usr_files(dkim_milter_t)
+files_search_spool(dkim_milter_t)
+
+optional_policy(`
+ mta_read_config(dkim_milter_t)
+')
+
+optional_policy(`
+ # set up unix socket
+ postfix_search_spool(dkim_milter_t)
+')
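Review bot: `allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };` grants `dac_override` to a domain whose declared file access is its signing keys (`dkim_milter_private_key_t`, declared with `files_security_file`) plus its data and spool directories; `dac_override` bypasses all DAC checks including write, while `dac_read_search`, listed alongside it, is normally what a daemon that drops privileges needs to reopen root-owned key files. If the broader capability is genuinely required, a why-comment above the rule in the style of the existing `# /proc/sys/kernel/ngroups_max` should name the path that needs it; otherwise dropping `dac_override` narrows what a compromised milter could reach.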
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
new file mode 100644
index 000000000..07ffc0d49
--- /dev/null
+++ b/policy/modules/services/dnsmasq.fc
@@ -0,0 +1,24 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+
+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
+/usr/bin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
+/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Fix bug 531836 - Needed to support dnssec in dnsmasq
+/usr/share/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+')
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
new file mode 100644
index 000000000..f81566a87
--- /dev/null
+++ b/policy/modules/services/dnsmasq.if
@@ -0,0 +1,286 @@
+## <summary>DNS forwarder and DHCP server.</summary>
+
+########################################
+## <summary>
+## Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+## <summary>
+## Execute the dnsmasq init script in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to dnsmasq.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signal',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to dnsmasq.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+## <summary>
+## Send kill signals to dnsmasq.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_kill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Read dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Delete dnsmasq pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dnsmasq pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_manage_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Read dnsmasq pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Create dnsmasq pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_create_pid_dirs',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dnsmasq_var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in specified
+## directories with a type transition to
+## the dnsmasq pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Directory to transition on.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_spec_filetrans_pid',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dnsmasq environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnsmasq_t)
+
+ init_startstop_service($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, dnsmasq_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
+')
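Review bot: dnsmasq_delete_pid_files and dnsmasq_read_pid_files omit `files_search_pids($1)`, while dnsmasq_manage_pid_files and dnsmasq_create_pid_dirs in the same file include it, so a caller holding only the read or delete interface cannot traverse /run to reach the pid file unless it gets that search access elsewhere. Add ` files_search_pids($1)` before the `delete_files_pattern` / `read_files_pattern` call in both interfaces to match the rest of the file. The summary of dnsmasq_admin reads "administrate an dnsmasq environment"; the same wording recurs in dnssectrigger_admin, dovecot_admin and drbd_admin and should be "administer a dnsmasq environment" (and likewise for the others).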
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
new file mode 100644
index 000000000..29d34c136
--- /dev/null
+++ b/policy/modules/services/dnsmasq.te
@@ -0,0 +1,137 @@
+policy_module(dnsmasq, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process { getcap setcap signal_perms };
+allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
+allow dnsmasq_t self:tcp_socket { accept listen };
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
+allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
+
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+
+allow dnsmasq_t dnsmasq_var_log_t:file append_file_perms;
+allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms;
+allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms;
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
+kernel_read_network_state(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
+
+corecmd_exec_shell(dnsmasq_t)
+
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_generic_node(dnsmasq_t)
+corenet_udp_sendrecv_generic_node(dnsmasq_t)
+corenet_raw_sendrecv_generic_node(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_tcp_bind_generic_node(dnsmasq_t)
+corenet_udp_bind_generic_node(dnsmasq_t)
+
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+files_read_etc_runtime_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+auth_use_nsswitch(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+optional_policy(`
+ cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+ dbus_connect_system_bus(dnsmasq_t)
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
+ networkmanager_read_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ ppp_read_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
+ udev_read_db(dnsmasq_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_domtrans_leaseshelper(dnsmasq_t)
+')
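Review bot: `corenet_udp_bind_all_ports(dnsmasq_t)` near the end of the corenet block lets the daemon bind any UDP port, including every reserved service port, with no comment saying why, whereas the TCP side is limited to `corenet_tcp_bind_dns_port`. dnsmasq's listeners are DNS, DHCP and (given the `tftp_read_content` block) TFTP, and its upstream query sockets use unreserved source ports, so the specific bind interfaces plus `corenet_udp_bind_all_unreserved_ports` should be enough; if some other reserved port is genuinely needed, a comment naming it would be better than the blanket rule. Suggested replacement for the four-line DNS/DHCP block:

```m4
# DNS, DHCP and TFTP listeners; upstream query sockets use
# unreserved source ports (confirm against dnsmasq's query-port setting)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_udp_bind_tftp_port(dnsmasq_t)
corenet_udp_bind_all_unreserved_ports(dnsmasq_t)
```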
diff --git a/policy/modules/services/dnssectrigger.fc b/policy/modules/services/dnssectrigger.fc
new file mode 100644
index 000000000..e2ed6e235
--- /dev/null
+++ b/policy/modules/services/dnssectrigger.fc
@@ -0,0 +1,11 @@
+/etc/dnssec-trigger/dnssec-trigger\.conf -- gen_context(system_u:object_r:dnssec_trigger_conf_t,s0)
+
+/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0)
+
+/usr/bin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
+
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
+
+/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
+
+/run/dnssec-triggerd\.pid -- gen_context(system_u:object_r:dnssec_triggerd_var_run_t,s0)
diff --git a/policy/modules/services/dnssectrigger.if b/policy/modules/services/dnssectrigger.if
new file mode 100644
index 000000000..eea250e35
--- /dev/null
+++ b/policy/modules/services/dnssectrigger.if
@@ -0,0 +1,39 @@
+## <summary>Enables DNSSEC protection for DNS traffic.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dnssec environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnssectrigger_admin',`
+ gen_require(`
+ type dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t, dnssec_trigger_conf_t;
+ type dnssec_trigger_log_t, dnssec_triggerd_var_run_t;
+ ')
+
+ allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnssec_triggerd_t)
+
+ init_startstop_service($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dnssec_trigger_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, dnssec_trigger_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dnssec_triggerd_var_run_t)
+')
diff --git a/policy/modules/services/dnssectrigger.te b/policy/modules/services/dnssectrigger.te
new file mode 100644
index 000000000..27d900a13
--- /dev/null
+++ b/policy/modules/services/dnssectrigger.te
@@ -0,0 +1,79 @@
+policy_module(dnssectrigger, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_triggerd_t;
+type dnssec_triggerd_exec_t;
+init_daemon_domain(dnssec_triggerd_t, dnssec_triggerd_exec_t)
+
+type dnssec_triggerd_initrc_exec_t;
+init_script_file(dnssec_triggerd_initrc_exec_t)
+
+type dnssec_trigger_conf_t;
+files_config_file(dnssec_trigger_conf_t)
+
+type dnssec_trigger_log_t;
+logging_log_file(dnssec_trigger_log_t)
+
+type dnssec_triggerd_var_run_t;
+files_pid_file(dnssec_triggerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnssec_triggerd_t self:capability linux_immutable;
+allow dnssec_triggerd_t self:process signal;
+allow dnssec_triggerd_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_triggerd_t self:unix_stream_socket { accept listen };
+allow dnssec_triggerd_t self:tcp_socket { accept listen };
+
+allow dnssec_triggerd_t dnssec_trigger_conf_t:file read_file_perms;
+
+append_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
+create_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
+setattr_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
+logging_log_filetrans(dnssec_triggerd_t, dnssec_trigger_log_t, file)
+
+manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_var_run_t, dnssec_triggerd_var_run_t)
+files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_var_run_t, file)
+
+kernel_read_system_state(dnssec_triggerd_t)
+
+corecmd_exec_bin(dnssec_triggerd_t)
+corecmd_exec_shell(dnssec_triggerd_t)
+
+corenet_all_recvfrom_unlabeled(dnssec_triggerd_t)
+corenet_all_recvfrom_netlabel(dnssec_triggerd_t)
+corenet_tcp_sendrecv_generic_if(dnssec_triggerd_t)
+corenet_tcp_sendrecv_generic_node(dnssec_triggerd_t)
+corenet_tcp_bind_generic_node(dnssec_triggerd_t)
+
+corenet_sendrecv_rndc_client_packets(dnssec_triggerd_t)
+corenet_tcp_connect_rndc_port(dnssec_triggerd_t)
+corenet_tcp_sendrecv_rndc_port(dnssec_triggerd_t)
+
+corenet_sendrecv_http_client_packets(dnssec_triggerd_t)
+corenet_tcp_connect_http_port(dnssec_triggerd_t)
+corenet_tcp_sendrecv_http_port(dnssec_triggerd_t)
+
+dev_read_urand(dnssec_triggerd_t)
+
+files_read_etc_runtime_files(dnssec_triggerd_t)
+
+logging_send_syslog_msg(dnssec_triggerd_t)
+
+miscfiles_read_localization(dnssec_triggerd_t)
+
+sysnet_dns_name_resolve(dnssec_triggerd_t)
+sysnet_manage_config(dnssec_triggerd_t)
+sysnet_etc_filetrans_config(dnssec_triggerd_t)
+
+optional_policy(`
+ bind_read_config(dnssec_triggerd_t)
+ bind_read_dnssec_keys(dnssec_triggerd_t)
+')
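Review bot: `allow dnssec_triggerd_t self:capability linux_immutable;` at the top of the local policy is the most unusual grant in this module and has no comment, and together with `sysnet_manage_config` and `sysnet_etc_filetrans_config` it gives the daemon full control over the system resolver configuration. A why-comment would let the next reviewer judge whether it is still needed, e.g. `# presumably to set/clear the immutable flag on the resolv.conf it rewrites -- confirm against dnssec-triggerd`. If the immutable handling turns out to be optional in the daemon, the capability should be dropped rather than carried forward.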
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
new file mode 100644
index 000000000..1ab9d6437
--- /dev/null
+++ b/policy/modules/services/dovecot.fc
@@ -0,0 +1,41 @@
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+
+/usr/bin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+
+/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
new file mode 100644
index 000000000..3608ba24a
--- /dev/null
+++ b/policy/modules/services/dovecot.if
@@ -0,0 +1,173 @@
+## <summary>POP and IMAP mail server.</summary>
+
+#######################################
+## <summary>
+## Connect to dovecot using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_stream_connect',`
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+')
+
+########################################
+## <summary>
+## Connect to dovecot using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+## <summary>
+## Execute dovecot_deliver in the
+## dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dovecot spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_manage_spool',`
+ gen_require(`
+ type dovecot_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 dovecot_spool_t:dir manage_dir_perms;
+ allow $1 dovecot_spool_t:file manage_file_perms;
+ allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to delete
+## dovecot lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dovecot_dontaudit_unlink_lib_files',`
+ gen_require(`
+ type dovecot_var_lib_t;
+ ')
+
+ dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+')
+
+######################################
+## <summary>
+## Write inherited dovecot tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dovecot_write_inherited_tmp_files',`
+ gen_require(`
+ type dovecot_tmp_t;
+ ')
+
+ allow $1 dovecot_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dovecot environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
+ type dovecot_keytab_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_startstop_service($1, $2, dovecot_t, dovecot_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+')
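Review bot: The summary of dovecot_stream_connect_auth is a copy of dovecot_stream_connect's ("Connect to dovecot using a unix domain stream socket") although it connects to dovecot_auth_t, and it carries a `<rolecap/>` tag even though the interface takes no role parameter; the summary should read `## Connect to dovecot auth using a unix` / `## domain stream socket.` and the `<rolecap/>` line should go. Likewise dovecot_write_inherited_tmp_files grants an allow rule but its parameter summary says "Domain to not audit.", copied from the dontaudit interface above it; it should be `## Domain allowed access.`.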
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
new file mode 100644
index 000000000..1d7a3bd34
--- /dev/null
+++ b/policy/modules/services/dovecot.te
@@ -0,0 +1,344 @@
+policy_module(dovecot, 1.21.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute dovecot_domain;
+
+type dovecot_t, dovecot_domain;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+type dovecot_auth_t, dovecot_domain;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+miscfiles_cert_type(dovecot_cert_t)
+
+type dovecot_deliver_t, dovecot_domain;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
+
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
+type dovecot_keytab_t;
+files_type(dovecot_keytab_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_tmp_t;
+files_tmp_file(dovecot_tmp_t)
+
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+########################################
+#
+# Common local policy
+#
+
+allow dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+
+allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
+allow dovecot_domain dovecot_etc_t:file read_file_perms;
+allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+
+kernel_read_all_sysctls(dovecot_domain)
+kernel_read_system_state(dovecot_domain)
+
+corecmd_exec_bin(dovecot_domain)
+corecmd_exec_shell(dovecot_domain)
+
+dev_read_sysfs(dovecot_domain)
+dev_read_rand(dovecot_domain)
+dev_read_urand(dovecot_domain)
+
+files_read_etc_runtime_files(dovecot_domain)
+
+logging_send_syslog_msg(dovecot_domain)
+
+miscfiles_read_localization(dovecot_domain)
+
+########################################
+#
+# Local policy
+#
+
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
+allow dovecot_t self:tcp_socket { accept listen };
+allow dovecot_t self:unix_stream_socket { accept connectto listen };
+
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+allow dovecot_t dovecot_cert_t:file read_file_perms;
+allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+
+allow dovecot_t dovecot_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
+manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
+corenet_tcp_sendrecv_generic_if(dovecot_t)
+corenet_tcp_sendrecv_generic_node(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_generic_node(dovecot_t)
+
+corenet_sendrecv_mail_server_packets(dovecot_t)
+corenet_tcp_bind_mail_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
+corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_sieve_port(dovecot_t)
+
+corenet_sendrecv_all_client_packets(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
+
+domain_use_interactive_fds(dovecot_t)
+
+files_read_var_lib_files(dovecot_t)
+files_read_var_symlinks(dovecot_t)
+files_search_spool(dovecot_t)
+files_dontaudit_list_default(dovecot_t)
+files_dontaudit_search_all_dirs(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
+init_getattr_utmp(dovecot_t)
+
+auth_use_nsswitch(dovecot_t)
+
+miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_generic_tls_privkey(dovecot_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_use_user_terminals(dovecot_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(dovecot_t)
+ kerberos_read_keytab(dovecot_t)
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_use(dovecot_t)
+')
+
+optional_policy(`
+ mta_manage_spool(dovecot_t)
+ mta_manage_mail_home_rw_content(dovecot_t)
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+')
+
+optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`
+ squid_dontaudit_search_cache(dovecot_t)
+')
+
+optional_policy(`
+ udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# Auth local policy
+#
+
+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
+allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
+
+seutil_search_default_contexts(dovecot_auth_t)
+
+sysnet_use_ldap(dovecot_auth_t)
+
+optional_policy(`
+ userdom_list_user_tmp(dovecot_auth_t)
+ userdom_read_user_tmp_files(dovecot_auth_t)
+ userdom_read_user_tmp_symlinks(dovecot_auth_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# Deliver local policy
+#
+
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
+
+stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
+allow dovecot_deliver_t dovecot_t:process signull;
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_search_logs(dovecot_deliver_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+')
+
+optional_policy(`
+ mta_mailserver_delivery(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
+
+optional_policy(`
+ postfix_use_fds_master(dovecot_deliver_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_deliver_t)
+')
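Review bot: `corenet_tcp_connect_all_ports(dovecot_t)` together with `corenet_sendrecv_all_client_packets(dovecot_t)` in the main local policy lets the IMAP/POP daemon open outbound TCP connections to any port, with no comment explaining what backend needs that, and it makes the `corenet_tcp_connect_postgresql_port(dovecot_t)` line directly below it redundant. If the broad rule is intentional (proxying or LMTP to arbitrary backends, which I cannot confirm from here), add a comment such as `# connects to arbitrary backends for proxy/LMTP -- confirm` and drop the redundant postgresql line; otherwise narrow it to the specific port interfaces the deployment actually uses.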
diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
new file mode 100644
index 000000000..3b7da5684
--- /dev/null
+++ b/policy/modules/services/drbd.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
+
+/usr/bin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/bin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
+
+/var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0)
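Review bot: The pattern on the `/usr/lib/ocf/resource.\d/linbit/drbd` line does not match the real `resource.d` directory, because file_contexts entries are compiled as PCRE regexes where `\d` is a digit class and the unescaped `.` matches any character, so the OCF resource agent would be labeled by a more generic /usr/lib rule instead of drbd_exec_t and the drbd_domtrans transition would never fire for it. The line should read `/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)`. Since this commit only moves the file, the fix belongs in a follow-up rather than here.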
diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
new file mode 100644
index 000000000..f147c1023
--- /dev/null
+++ b/policy/modules/services/drbd.if
@@ -0,0 +1,56 @@
+## <summary>Mirrors a block device over the network to another machine.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run drbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`drbd_domtrans',`
+ gen_require(`
+ type drbd_t, drbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, drbd_exec_t, drbd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an drbd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`drbd_admin',`
+ gen_require(`
+ type drbd_t, drbd_initrc_exec_t, drbd_lock_t;
+ type drbd_var_lib_t;
+ ')
+
+ allow $1 drbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, drbd_t)
+
+ init_startstop_service($1, $2, drbd_t, drbd_initrc_exec_t)
+
+ files_search_locks($1)
+ admin_pattern($1, drbd_lock_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, drbd_var_lib_t)
+')
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
index 000000000..308e14884
--- /dev/null
+++ b/policy/modules/services/drbd.te
@@ -0,0 +1,55 @@
+policy_module(drbd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type drbd_t;
+type drbd_exec_t;
+init_daemon_domain(drbd_t, drbd_exec_t)
+
+type drbd_initrc_exec_t;
+init_script_file(drbd_initrc_exec_t)
+
+type drbd_var_lib_t;
+files_type(drbd_var_lib_t)
+
+type drbd_lock_t;
+files_lock_file(drbd_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow drbd_t self:capability { kill net_admin };
+dontaudit drbd_t self:capability sys_tty_config;
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+allow drbd_t self:netlink_socket create_socket_perms;
+allow drbd_t self:netlink_route_socket nlmsg_write;
+
+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
+
+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
+files_lock_filetrans(drbd_t, drbd_lock_t, file)
+
+can_exec(drbd_t, drbd_exec_t)
+
+kernel_read_system_state(drbd_t)
+
+dev_read_rand(drbd_t)
+dev_read_sysfs(drbd_t)
+dev_read_urand(drbd_t)
+
+files_read_etc_files(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+
+miscfiles_read_localization(drbd_t)
+
+sysnet_dns_name_resolve(drbd_t)
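Review bot: `allow drbd_t self:netlink_route_socket nlmsg_write;` looks incomplete on its own, because no rule in this hunk lets drbd_t create, read or write a netlink_route_socket, and nlmsg_write only matters once such a socket exists. Unless the socket is inherited from a parent domain, this probably wants `allow drbd_t self:netlink_route_socket { create_socket_perms nlmsg_write };`, or at least a comment stating where the socket comes from. As the commit is a file move, a follow-up is the right place for it.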
diff --git a/policy/modules/services/dspam.fc b/policy/modules/services/dspam.fc
new file mode 100644
index 000000000..40f98ba6a
--- /dev/null
+++ b/policy/modules/services/dspam.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
+
+/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
+
+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+
+/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
+
+/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
+
+/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if
new file mode 100644
index 000000000..969fd89d0
--- /dev/null
+++ b/policy/modules/services/dspam.if
@@ -0,0 +1,79 @@
+## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dspam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_domtrans',`
+ gen_require(`
+ type dspam_t, dspam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dspam_exec_t, dspam_t)
+')
+
+#######################################
+## <summary>
+## Connect to dspam using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+ gen_require(`
+ type dspam_t, dspam_var_run_t;
+ ')
+
+ files_search_pids($1)
+ files_search_tmp($1)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dspam environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dspam_admin',`
+ gen_require(`
+ type dspam_t, dspam_initrc_exec_t, dspam_log_t;
+ type dspam_var_lib_t, dspam_var_run_t;
+ ')
+
+ allow $1 dspam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dspam_t)
+
+ init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, dspam_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, dspam_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dspam_var_run_t)
+')
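Review bot: `files_search_tmp($1)` in dspam_stream_connect has no visible justification: the socket type it connects to, dspam_var_run_t, is declared with files_pid_file in dspam.te and placed under /run by dspam.fc, so `files_search_pids($1)` alone is what the stream_connect_pattern needs. Unless dspam can be configured to put its socket under /tmp, the tmp search grant should be dropped, or a comment should say which configuration it is there for.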
diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te
new file mode 100644
index 000000000..edf5d942b
--- /dev/null
+++ b/policy/modules/services/dspam.te
@@ -0,0 +1,89 @@
+policy_module(dspam, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+type dspam_t;
+type dspam_exec_t;
+init_daemon_domain(dspam_t, dspam_exec_t)
+
+type dspam_initrc_exec_t;
+init_script_file(dspam_initrc_exec_t)
+
+type dspam_log_t;
+logging_log_file(dspam_log_t)
+
+type dspam_var_lib_t;
+files_type(dspam_var_lib_t)
+
+type dspam_var_run_t;
+files_pid_file(dspam_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dspam_t self:capability net_admin;
+allow dspam_t self:process signal;
+allow dspam_t self:fifo_file rw_fifo_file_perms;
+allow dspam_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
+append_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
+create_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
+setattr_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
+logging_log_filetrans(dspam_t, dspam_log_t, dir)
+
+manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
+manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
+files_var_lib_filetrans(dspam_t, dspam_var_lib_t, dir)
+
+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+files_pid_filetrans(dspam_t, dspam_var_run_t, dir)
+
+corenet_all_recvfrom_unlabeled(dspam_t)
+corenet_all_recvfrom_netlabel(dspam_t)
+corenet_tcp_sendrecv_generic_if(dspam_t)
+corenet_tcp_sendrecv_generic_node(dspam_t)
+corenet_tcp_bind_generic_node(dspam_t)
+
+corenet_sendrecv_spamd_client_packets(dspam_t)
+corenet_sendrecv_spamd_server_packets(dspam_t)
+corenet_tcp_bind_spamd_port(dspam_t)
+corenet_tcp_connect_spamd_port(dspam_t)
+corenet_tcp_sendrecv_spamd_port(dspam_t)
+
+files_search_spool(dspam_t)
+
+auth_use_nsswitch(dspam_t)
+
+logging_send_syslog_msg(dspam_t)
+
+miscfiles_read_localization(dspam_t)
+
+optional_policy(`
+ apache_content_template(dspam)
+
+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+ manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+ manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(dspam_t)
+ mysql_read_config(dspam_t)
+
+ mysql_tcp_connect(dspam_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(dspam_t)
+ postgresql_unpriv_client(dspam_t)
+
+ postgresql_tcp_connect(dspam_t)
+')
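Review bot: `allow dspam_t self:capability net_admin;` carries no why-comment, and it is the broadest grant in this module, so a reader cannot tell which operation of a content-based spam filter needs it. A short note such as `# net_admin: <operation that needs it — TODO confirm>` would let later reviewers check whether the capability is still required. The spamd port bind on the corenet_tcp_bind_spamd_port line is in the same position; it is only self-explanatory if dspam is deployed as a spamd-compatible daemon.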
diff --git a/policy/modules/services/entropyd.fc b/policy/modules/services/entropyd.fc
new file mode 100644
index 000000000..b7342ef26
--- /dev/null
+++ b/policy/modules/services/entropyd.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
+
+/usr/bin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/bin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/services/entropyd.if b/policy/modules/services/entropyd.if
new file mode 100644
index 000000000..eedfae6cf
--- /dev/null
+++ b/policy/modules/services/entropyd.if
@@ -0,0 +1,32 @@
+## <summary>Generate entropy from audio input.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an entropyd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`entropyd_admin',`
+ gen_require(`
+ type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
+ ')
+
+ allow $1 entropyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, entropyd_t)
+
+ init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, entropyd_var_run_t)
+')
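Review bot: The module summary `## <summary>Generate entropy from audio input.</summary>` is out of date for this module: entropyd.fc in the same commit labels haveged as entropyd_exec_t, and the entropyd_use_audio tunable in entropyd.te defaults to false, so audio is only one optional source. Something like `## <summary>Feed the kernel entropy pool from external sources such as audio input (audio-entropyd) or the haveged daemon.</summary>` would describe what the domain actually covers.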
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
new file mode 100644
index 000000000..4acc526ba
--- /dev/null
+++ b/policy/modules/services/entropyd.te
@@ -0,0 +1,81 @@
+policy_module(entropyd, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether entropyd can use
+## audio devices as the source for
+## the entropy feeds.
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t, entropyd_exec_t)
+
+type entropyd_initrc_exec_t;
+init_script_file(entropyd_initrc_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+
+manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+kernel_read_system_state(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
+
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
+
+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ dev_write_sound(entropyd_t)
+')
+
+optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_config(entropyd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`
+ udev_read_db(entropyd_t)
+')
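Review bot: `allow entropyd_t self:capability { dac_override ipc_lock sys_admin };` grants sys_admin without a comment on why a userspace entropy feeder needs it; sys_admin is the capability the kernel checks for the RNDADDENTROPY ioctl on /dev/random, which is the whole purpose of this domain, so recording that makes the grant auditable. A comment like `# sys_admin: RNDADDENTROPY ioctl on /dev/random to credit entropy` would do, and dac_override and ipc_lock deserve the same treatment since their purpose is not visible from the policy.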
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
new file mode 100644
index 000000000..bd1f558a9
--- /dev/null
+++ b/policy/modules/services/exim.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
+/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
+/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
+
+/usr/bin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/bin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
new file mode 100644
index 000000000..495adb859
--- /dev/null
+++ b/policy/modules/services/exim.if
@@ -0,0 +1,326 @@
+## <summary>Mail transfer agent.</summary>
+
+########################################
+## <summary>
+## Execute exim in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_exec',`
+ gen_require(`
+ type exim_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, exim_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+ gen_require(`
+ type exim_t, exim_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
+## Execute exim in the exim domain,
+## and allow the specified role
+## the exim domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_run',`
+ gen_require(`
+ attribute_role exim_roles;
+ ')
+
+ exim_domtrans($1)
+ roleattribute $2 exim_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read exim
+## temporary tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`exim_dontaudit_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read exim temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ allow $1 exim_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Read exim pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_pid_files',`
+ gen_require(`
+ type exim_pid_t;
+ ')
+
+ allow $1 exim_pid_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read exim log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_read_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ read_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Append exim log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_append_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ append_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ allow $1 exim_spool_t:file read_file_perms;
+ allow $1 exim_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an exim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_admin',`
+ gen_require(`
+ type exim_t, exim_spool_t, exim_log_t;
+ type exim_pid_t, exim_initrc_exec_t, exim_tmp_t;
+ type exim_keytab_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms };
+ ps_process_pattern($1, exim_t)
+
+ init_startstop_service($1, $2, exim_t, exim_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, exim_keytab_t)
+
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, exim_pid_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+')
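Review bot: The summary of exim_manage_var_lib_files, `## Create, read, and write exim var lib files.`, understates the access the interface grants: manage_files_pattern also allows delete, which the sibling exim_manage_spool_files documents as `## Create, read, write, and delete`. Matching that wording with `## Create, read, write, and delete exim var lib files.` keeps the generated interface documentation honest about the access handed out.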
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
new file mode 100644
index 000000000..693ac4913
--- /dev/null
+++ b/policy/modules/services/exim.te
@@ -0,0 +1,254 @@
+policy_module(exim, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether exim can connect to
+## databases.
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
+## <desc>
+## <p>
+## Determine whether exim can read generic
+## user content files.
+## </p>
+## </desc>
+gen_tunable(exim_read_user_files, false)
+
+## <desc>
+## <p>
+## Determine whether exim can create,
+## read, write, and delete generic user
+## content files.
+## </p>
+## </desc>
+gen_tunable(exim_manage_user_files, false)
+
+attribute_role exim_roles;
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+role exim_roles types exim_t;
+
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_delivery(exim_t)
+mta_mailserver_user_agent(exim_t)
+mta_agent_executable(exim_exec_t)
+
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
+type exim_keytab_t;
+files_type(exim_keytab_t)
+
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_pid_t;
+typealias exim_pid_t alias exim_var_run_t;
+files_pid_file(exim_pid_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+ifdef(`distro_debian',`
+ init_daemon_pid_file(exim_pid_t, dir, "exim4")
+')
+
+########################################
+#
+# Local policy
+#
+
+allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:unix_stream_socket { accept listen };
+allow exim_t self:tcp_socket { accept listen };
+
+can_exec(exim_t, exim_exec_t)
+
+allow exim_t exim_keytab_t:file read_file_perms;
+
+append_files_pattern(exim_t, exim_log_t, exim_log_t)
+create_files_pattern(exim_t, exim_log_t, exim_log_t)
+setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, file)
+
+manage_dirs_pattern(exim_t, exim_pid_t, exim_pid_t)
+manage_files_pattern(exim_t, exim_pid_t, exim_pid_t)
+files_pid_filetrans(exim_t, exim_pid_t, { dir file })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t, exim_spool_t, { dir file sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
+
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
+kernel_read_crypto_sysctls(exim_t)
+kernel_read_kernel_sysctls(exim_t)
+kernel_read_network_state(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
+corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_generic_node(exim_t)
+
+corenet_sendrecv_smtp_server_packets(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+
+corenet_sendrecv_amavisd_send_server_packets(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+
+corenet_sendrecv_auth_client_packets(exim_t)
+corenet_tcp_connect_auth_port(exim_t)
+
+corenet_sendrecv_smtp_client_packets(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+
+corenet_sendrecv_inetd_child_client_packets(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+
+corenet_sendrecv_spamd_client_packets(exim_t)
+corenet_tcp_connect_spamd_port(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+dev_read_sysfs(exim_t)
+
+domain_use_interactive_fds(exim_t)
+
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_generic_certs(exim_t)
+miscfiles_read_generic_tls_privkey(exim_t)
+
+userdom_dontaudit_search_user_home_dirs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_sendrecv_gds_db_client_packets(exim_t)
+ corenet_tcp_connect_gds_db_port(exim_t)
+ corenet_tcp_sendrecv_gds_db_port(exim_t)
+ corenet_sendrecv_mssql_client_packets(exim_t)
+ corenet_tcp_connect_mssql_port(exim_t)
+ corenet_tcp_sendrecv_mssql_port(exim_t)
+ corenet_sendrecv_oracledb_client_packets(exim_t)
+ corenet_tcp_connect_oracledb_port(exim_t)
+ corenet_tcp_sendrecv_oracledb_port(exim_t)
+')
+
+tunable_policy(`exim_read_user_files',`
+ userdom_read_user_home_content_files(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+ userdom_manage_user_home_content_dirs(exim_t)
+ userdom_manage_user_tmp_files(exim_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
+ cron_use_system_job_fds(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+ dovecot_stream_connect(exim_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(exim_t)
+ kerberos_use(exim_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ mysql_tcp_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_unpriv_client(exim_t)
+
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ postgresql_tcp_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ sendmail_manage_tmp_files(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
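Review bot: The exim_manage_user_files tunable block grants `userdom_manage_user_home_content_dirs(exim_t)` only, while the tunable's description above says it lets exim create, read, write, and delete generic user content files; the dirs interface does not cover the files themselves, so the tunable appears not to deliver what it documents. Unless the dirs-only grant is intentional, the line should be `userdom_manage_user_home_content_files(exim_t)` (or both), or the description should be narrowed to match. Enabling this tunable gives a network-facing MTA write access to user home content, so the documented scope should be exactly right.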
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
new file mode 100644
index 000000000..1379b6eef
--- /dev/null
+++ b/policy/modules/services/fail2ban.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
new file mode 100644
index 000000000..5b8e08be5
--- /dev/null
+++ b/policy/modules/services/fail2ban.if
@@ -0,0 +1,284 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## Execute the fail2ban client in
+## the fail2ban client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans_client',`
+ gen_require(`
+ type fail2ban_client_t, fail2ban_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+')
+
+########################################
+## <summary>
+## Execute fail2ban client in the
+## fail2ban client domain, and allow
+## the specified role the fail2ban
+## client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_run_client',`
+ gen_require(`
+ attribute_role fail2ban_client_roles;
+ ')
+
+ fail2ban_domtrans_client($1)
+ roleattribute $2 fail2ban_client_roles;
+')
+
+#####################################
+## <summary>
+## Connect to fail2ban over a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## Read and write inherited temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_inherited_tmp_files',`
+ gen_require(`
+ type fail2ban_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 fail2ban_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write fail2ban unix
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an fail2ban environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_lib_t, fail2ban_client_t;
+ ')
+
+ allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+
+ init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, fail2ban_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, fail2ban_tmp_t)
+
+ fail2ban_run_client($1, $2)
+')
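Review bot: fail2ban_admin uses `logging_list_logs($1)` and `files_list_pids($1)` where the other admin interfaces in this commit (dspam_admin, entropyd_admin, exim_admin) use the `_search_` variants before admin_pattern; list grants read on the parent directories where search only needs traversal. If the extra listing is not deliberate, `logging_search_logs($1)` and `files_search_pids($1)` would keep the admin interface consistent and minimal; otherwise a short comment explaining why fail2ban's admin needs to list those directories would help.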
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
new file mode 100644
index 000000000..215d0935b
--- /dev/null
+++ b/policy/modules/services/fail2ban.te
@@ -0,0 +1,172 @@
+policy_module(fail2ban, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fail2ban_client_roles;
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
+role fail2ban_client_roles types fail2ban_client_t;
+
+########################################
+#
+# Server Local policy
+#
+
+allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config };
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+allow fail2ban_t self:tcp_socket { accept listen };
+
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_tcp_sendrecv_whois_port(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+files_read_etc_runtime_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_dontaudit_list_tmp(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+sysnet_manage_config(fail2ban_t)
+sysnet_etc_filetrans_config(fail2ban_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+ mta_send_mail(fail2ban_t)
+')
+
+optional_policy(`
+ shorewall_domtrans(fail2ban_t)
+')
+
+########################################
+#
+# Client Local policy
+#
+
+allow fail2ban_client_t self:capability dac_read_search;
+allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+corecmd_exec_bin(fail2ban_client_t)
+
+domain_use_interactive_fds(fail2ban_client_t)
+
+files_read_etc_files(fail2ban_client_t)
+files_read_usr_files(fail2ban_client_t)
+files_search_pids(fail2ban_client_t)
+
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+
+miscfiles_read_localization(fail2ban_client_t)
+
+userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
+userdom_use_user_terminals(fail2ban_client_t)
+
+ifdef(`distro_gentoo',`
+ ##############################
+ #
+ # fail2ban policy
+ #
+
+ # Python compilation
+ files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ # Fix bug 534256 - Startup fails without these
+ allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+ init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+ init_use_script_ptys(fail2ban_client_t)
+')
+
+
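Review bot: `read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)` at the top of the server section uses the process domain as both the directory and the file type, so in practice it only reaches the domain's own /proc entries, and nothing says why it is there. Suggest a line above it, `# read own /proc/<pid> files; TODO confirm this is not already granted by the base domain rules`, and dropping the rule if that proves to be the case. The `sysnet_manage_config(fail2ban_t)` / `sysnet_etc_filetrans_config(fail2ban_t)` pair further down also deserves a comment, since it lets the daemon rewrite labelled network configuration under /etc; presumably it exists for the hosts.deny ban action, so `# hosts.deny action rewrites /etc/hosts.deny (net_conf_t) -- confirm` would record the intent.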
diff --git a/policy/modules/services/fcoe.fc b/policy/modules/services/fcoe.fc
new file mode 100644
index 000000000..cb9552dbe
--- /dev/null
+++ b/policy/modules/services/fcoe.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0)
+
+/usr/bin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
+/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
+/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
+/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/services/fcoe.if b/policy/modules/services/fcoe.if
new file mode 100644
index 000000000..78d114715
--- /dev/null
+++ b/policy/modules/services/fcoe.if
@@ -0,0 +1,51 @@
+## <summary>Fibre Channel over Ethernet utilities.</summary>
+
+#######################################
+## <summary>
+## Send to fcoemon with a unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fcoe_dgram_send_fcoemon',`
+ gen_require(`
+ type fcoemon_t, fcoemon_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an fcoemon environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fcoe_admin',`
+ gen_require(`
+ type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t;
+ ')
+
+ allow $1 fcoemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fcoemon_t)
+
+ init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, fcoemon_var_run_t)
+')
diff --git a/policy/modules/services/fcoe.te b/policy/modules/services/fcoe.te
new file mode 100644
index 000000000..3ec9397c7
--- /dev/null
+++ b/policy/modules/services/fcoe.te
@@ -0,0 +1,44 @@
+policy_module(fcoe, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type fcoemon_t;
+type fcoemon_exec_t;
+init_daemon_domain(fcoemon_t, fcoemon_exec_t)
+
+type fcoemon_initrc_exec_t;
+init_script_file(fcoemon_initrc_exec_t)
+
+type fcoemon_var_run_t;
+files_pid_file(fcoemon_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:fifo_file rw_fifo_file_perms;
+allow fcoemon_t self:unix_stream_socket { accept listen };
+allow fcoemon_t self:netlink_socket create_socket_perms;
+allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
+
+files_read_etc_files(fcoemon_t)
+
+dev_read_sysfs(fcoemon_t)
+
+logging_send_syslog_msg(fcoemon_t)
+
+miscfiles_read_localization(fcoemon_t)
+
+optional_policy(`
+ lldpad_dgram_send(fcoemon_t)
+')
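Review bot: The `kill` capability in `allow fcoemon_t self:capability { dac_override kill net_admin };` has no matching rule in this file that lets fcoemon_t signal another domain, so either the target rule is missing or the capability is surplus; I cannot tell which from the hunk. A comment naming the process it signals (or removing `kill` if there is none) would make the grant auditable. `dac_override` is likewise undocumented and is broad for a daemon whose only file access here is its own runtime directory, /etc and sysfs; if the need is read-only, `dac_read_search` may suffice, but that has to be checked against actual denials.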
diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc
new file mode 100644
index 000000000..8ffcb5ae6
--- /dev/null
+++ b/policy/modules/services/fetchmail.fc
@@ -0,0 +1,15 @@
+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+
+/etc/rc\.d/init\.d/fetchmail -- gen_context(system_u:object_r:fetchmail_initrc_exec_t,s0)
+
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+
+/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0)
+
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+
+/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
new file mode 100644
index 000000000..5115affc7
--- /dev/null
+++ b/policy/modules/services/fetchmail.if
@@ -0,0 +1,42 @@
+## <summary>Remote-mail retrieval and forwarding utility.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an fetchmail environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+ type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
+ ')
+
+ init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t)
+
+ allow $1 fetchmail_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fetchmail_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, fetchmail_log_t)
+')
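Review bot: `fetchmail_admin` calls `init_startstop_service` before the process-control rules, while `fcoe_admin`, `firewalld_admin` and `ftp_admin` in this same commit put the `allow $1 ...:process { ptrace signal_perms }` / `ps_process_pattern` pair first. Reordering to match the sibling interfaces keeps the admin interfaces uniform and easier to compare; there is no behavioural difference.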
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
new file mode 100644
index 000000000..ca6f269fc
--- /dev/null
+++ b/policy/modules/services/fetchmail.te
@@ -0,0 +1,113 @@
+policy_module(fetchmail, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+type fetchmail_t;
+type fetchmail_exec_t;
+init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
+
+type fetchmail_initrc_exec_t;
+init_script_file(fetchmail_initrc_exec_t)
+
+type fetchmail_etc_t;
+files_config_file(fetchmail_etc_t)
+
+type fetchmail_home_t;
+userdom_user_home_content(fetchmail_home_t)
+
+type fetchmail_log_t;
+logging_log_file(fetchmail_log_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
+type fetchmail_uidl_cache_t;
+files_type(fetchmail_uidl_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fetchmail_t self:capability sys_tty_config;
+allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:unix_stream_socket { accept listen };
+
+allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+
+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
+
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
+allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(fetchmail_t)
+kernel_list_proc(fetchmail_t)
+kernel_getattr_proc_files(fetchmail_t)
+kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
+
+corecmd_exec_bin(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
+corenet_tcp_sendrecv_generic_if(fetchmail_t)
+corenet_tcp_sendrecv_generic_node(fetchmail_t)
+corenet_tcp_sendrecv_all_ports(fetchmail_t)
+
+corenet_sendrecv_all_client_packets(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
+
+dev_read_sysfs(fetchmail_t)
+dev_read_rand(fetchmail_t)
+dev_read_urand(fetchmail_t)
+
+files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
+
+fs_getattr_all_fs(fetchmail_t)
+fs_search_auto_mountpoints(fetchmail_t)
+
+domain_use_interactive_fds(fetchmail_t)
+
+auth_use_nsswitch(fetchmail_t)
+
+logging_send_syslog_msg(fetchmail_t)
+
+miscfiles_read_localization(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
+ sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+')
+
+optional_policy(`
+ udev_read_db(fetchmail_t)
+')
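Review bot: `corenet_tcp_sendrecv_all_ports`, `corenet_sendrecv_all_client_packets` and `corenet_tcp_connect_all_ports` let fetchmail_t reach any TCP port, and nothing in the hunk explains why a mail-retrieval daemon needs more than the mail ports. If the reason is that user `.fetchmailrc` files may name arbitrary server ports, a comment saying so would justify the width; otherwise `corenet_tcp_connect_pop_port` / `corenet_tcp_connect_smtp_port` (pop_port_t covers the IMAP ports too) may be enough, to be confirmed against real configurations. `dev_read_rand` next to `dev_read_urand` is also worth a note, since the blocking generator is rarely required and can stall the daemon.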
diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc
new file mode 100644
index 000000000..ce3adb5c9
--- /dev/null
+++ b/policy/modules/services/finger.fc
@@ -0,0 +1,13 @@
+/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+/usr/bin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
+
+/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if
new file mode 100644
index 000000000..a071cfd4e
--- /dev/null
+++ b/policy/modules/services/finger.if
@@ -0,0 +1,20 @@
+## <summary>Finger user information service.</summary>
+
+########################################
+## <summary>
+## Execute fingerd in the fingerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`finger_domtrans',`
+ gen_require(`
+ type fingerd_t, fingerd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fingerd_exec_t, fingerd_t)
+')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
new file mode 100644
index 000000000..92a0161f1
--- /dev/null
+++ b/policy/modules/services/finger.te
@@ -0,0 +1,104 @@
+policy_module(finger, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { fsetid sys_tty_config };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file rw_fifo_file_perms;
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
+
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+
+allow fingerd_t fingerd_log_t:file append_file_perms;
+allow fingerd_t fingerd_log_t:file create_file_perms;
+allow fingerd_t fingerd_log_t:file setattr_file_perms;
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+
+kernel_read_kernel_sysctls(fingerd_t)
+kernel_read_system_state(fingerd_t)
+
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
+corenet_tcp_sendrecv_generic_if(fingerd_t)
+corenet_tcp_sendrecv_generic_node(fingerd_t)
+corenet_tcp_bind_generic_node(fingerd_t)
+
+corenet_sendrecv_fingerd_server_packets(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+corenet_tcp_sendrecv_fingerd_port(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+domain_use_interactive_fds(fingerd_t)
+
+files_read_etc_runtime_files(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_getattr_all_ttys(fingerd_t)
+term_getattr_all_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+init_read_utmp(fingerd_t)
+init_dontaudit_write_utmp(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+optional_policy(`
+ cron_system_entry(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(fingerd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(fingerd_t)
+')
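Review bot: The three bare `allow fingerd_t fingerd_log_t:file ...` lines (append, create, setattr) are the expanded form of what fail2ban.te and fetchmail.te in this same commit write as `append_files_pattern` / `create_files_pattern` / `setattr_files_pattern`. Switching to the pattern macros would make the module consistent with its siblings; the only extra permission they add is `search` on the directory type, which here is the file type itself, so the change is effectively cosmetic. The `cron_system_entry(fingerd_t, fingerd_exec_t)` block is the justification for finger.fc labelling `/etc/cron.weekly/(c)?fingerd` as `fingerd_exec_t`; a one-line comment on that optional block pointing this out would save the next reader a trip to the fc file.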
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
index 000000000..19fc91778
--- /dev/null
+++ b/policy/modules/services/firewalld.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
+/usr/bin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
index 000000000..b4fda82cb
--- /dev/null
+++ b/policy/modules/services/firewalld.if
@@ -0,0 +1,118 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+## Read firewalld configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_config_files',`
+ gen_require(`
+ type firewalld_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewalld over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_dbus_chat',`
+ gen_require(`
+ type firewalld_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewalld_t:dbus send_msg;
+ allow firewalld_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read, snd
+## write firewalld temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewalld_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type firewalld_tmp_t;
+ ')
+
+ dontaudit $1 firewalld_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+## Read firewalld runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_var_run_files',`
+ gen_require(`
+ type firewalld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, firewalld_var_run_t, firewalld_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t, firewalld_initrc_exec_t;
+ type firewalld_etc_rw_t, firewalld_var_run_t;
+ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, firewalld_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, firewalld_etc_rw_t)
+')
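Review bot: The summary of `firewalld_dontaudit_rw_tmp_files` reads "Do not audit attempts to read, snd write" — typo for "and". Suggest `## Do not audit attempts to read and` for that line. The interface body itself matches the summary once the typo is fixed.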
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
index 000000000..7eea52656
--- /dev/null
+++ b/policy/modules/services/firewalld.te
@@ -0,0 +1,109 @@
+policy_module(firewalld, 1.6.1)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_etc_rw_t;
+files_config_file(firewalld_etc_rw_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_tmp_t;
+files_tmp_file(firewalld_tmp_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firewalld_t self:capability { dac_override net_admin };
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket { accept listen };
+allow firewalld_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+
+allow firewalld_t firewalld_var_log_t:file append_file_perms;
+allow firewalld_t firewalld_var_log_t:file create_file_perms;
+allow firewalld_t firewalld_var_log_t:file read_file_perms;
+allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { dir file })
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+kernel_rw_net_sysctls(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+corecmd_exec_shell(firewalld_t)
+
+dev_read_urand(firewalld_t)
+dev_search_sysfs(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+files_dontaudit_list_tmp(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
+sysnet_read_config(firewalld_t)
+
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+
+ optional_policy(`
+ devicekit_dbus_chat_power(firewalld_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(firewalld_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(firewalld_t)
+ ')
+')
+
+optional_policy(`
+ iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ modutils_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ networkmanager_read_state(firewalld_t)
+')
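Review bot: `allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;` directly after `manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)` lets the daemon execute files it creates itself in tmp, which gives up the write-xor-execute separation that the separate tmp type normally provides. If there is a known need (a runtime writing and mapping cache files is the usual cause, but I cannot confirm that from the hunk) it should be stated: `# TODO confirm: mmap-exec of own tmp files needed for <reason>; otherwise drop mmap_exec_file_perms`. The nearby `dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };` similarly has no note on what triggers the relabel attempt.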
diff --git a/policy/modules/services/fprintd.fc b/policy/modules/services/fprintd.fc
new file mode 100644
index 000000000..81317ea6c
--- /dev/null
+++ b/policy/modules/services/fprintd.fc
@@ -0,0 +1,5 @@
+/usr/lib/fprintd/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
new file mode 100644
index 000000000..8081132cd
--- /dev/null
+++ b/policy/modules/services/fprintd.if
@@ -0,0 +1,41 @@
+## <summary>DBus fingerprint reader service.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fprintd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fprintd_domtrans',`
+ gen_require(`
+ type fprintd_t, fprintd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fprintd_exec_t, fprintd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## fprintd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fprintd_dbus_chat',`
+ gen_require(`
+ type fprintd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
new file mode 100644
index 000000000..4ff45da59
--- /dev/null
+++ b/policy/modules/services/fprintd.te
@@ -0,0 +1,61 @@
+policy_module(fprintd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type fprintd_t;
+type fprintd_exec_t;
+init_daemon_domain(fprintd_t, fprintd_exec_t)
+
+type fprintd_var_lib_t;
+files_type(fprintd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:process { getsched setsched signal sigkill };
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+
+kernel_read_system_state(fprintd_t)
+
+dev_list_usbfs(fprintd_t)
+dev_read_sysfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
+
+files_read_usr_files(fprintd_t)
+
+fs_getattr_all_fs(fprintd_t)
+
+auth_use_nsswitch(fprintd_t)
+
+miscfiles_read_localization(fprintd_t)
+
+userdom_use_user_ptys(fprintd_t)
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
+ dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
+ ')
+')
+
+optional_policy(`
+ policykit_domtrans_auth(fprintd_t)
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+')
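Review bot: `userdom_read_all_users_state(fprintd_t)` grants read access to every user domain's process state, which is wider than the rest of this section (own var_lib, USB devices, sysfs) and is not explained. A comment on why it is needed — presumably to identify the calling process for the PolicyKit/ConsoleKit checks in the optional blocks, though that is an inference — would let the next reviewer judge whether a narrower interface fits. Nothing in fprintd.if exposes `fprintd_var_lib_t`, so the data under /var/lib/fprint stays readable only by fprintd_t; a line in the declarations recording that this is deliberate would keep it that way.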
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
new file mode 100644
index 000000000..6af8b34f8
--- /dev/null
+++ b/policy/modules/services/ftp.fc
@@ -0,0 +1,36 @@
+/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+
+/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
+/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+
+/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
+
+/var/lock/subsys/.*ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0)
+
+/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
new file mode 100644
index 000000000..3bfe581d2
--- /dev/null
+++ b/policy/modules/services/ftp.if
@@ -0,0 +1,191 @@
+## <summary>File transfer protocol service.</summary>
+
+#######################################
+## <summary>
+## Execute a dyntransition to run anon sftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_anon_sftpd',`
+ gen_require(`
+ type anon_sftpd_t;
+ ')
+
+ dyntrans_pattern($1, anon_sftpd_t)
+')
+
+########################################
+## <summary>
+## Read ftpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_config',`
+ gen_require(`
+ type ftpd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ftpd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file mmap_exec_file_perms;
+')
+
+########################################
+## <summary>
+## Read ftpd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_log',`
+ gen_require(`
+ type xferlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xferlog_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t, ftpdctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl in the ftpdctl
+## domain, and allow the specified
+## role the ftpctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ attribute_role ftpdctl_roles;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ roleattribute $2 ftpdctl_roles;
+')
+
+#######################################
+## <summary>
+## Execute a dyntransition to run sftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ dyntrans_pattern($1, sftpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ftp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_admin',`
+ gen_require(`
+ type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+ type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+ type ftpd_keytab_t;
+ ')
+
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+
+ init_startstop_service($1, $2, ftpd_t, ftpd_initrc_exec_t)
+
+ miscfiles_manage_public_files($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+
+ files_list_etc($1)
+ admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
+
+ files_list_var($1)
+ admin_pattern($1, ftpd_lock_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ftpd_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
+
+ ftp_run_ftpdctl($1, $2)
+')
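Review bot: The summary of `ftp_run_ftpdctl` says it allows the role "the ftpctl domain" — typo for `ftpdctl`. Suggest `## role the ftpdctl domain.` for that line. `ftp_check_exec`'s summary "Execute FTP daemon entry point programs" also hides that the body grants only `mmap_exec_file_perms` with no domain transition; `## Execute FTP daemon entry point programs in the caller's domain (no transition).` would match what the interface does.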
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
new file mode 100644
index 000000000..96a92aca5
--- /dev/null
+++ b/policy/modules/services/ftp.te
@@ -0,0 +1,508 @@
+policy_module(ftp, 1.21.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether ftpd can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can login to
+## local users and can read and write
+## all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can use CIFS
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can use NFS
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can connect to
+## databases over the TCP network.
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_db, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can bind to all
+## unreserved ports for passive mode.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_passive_mode, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can connect to
+## all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_all_unreserved, false)
+
+## <desc>
+## <p>
+## Determine whether ftpd can read and write
+## files in user home directories.
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir, false)
+
+## <desc>
+## <p>
+## Determine whether sftpd can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether sftpd-can read and write
+## files in user home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether sftpd-can login to
+## local users and read and write all
+## files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+## <desc>
+## <p>
+## Determine whether sftpd can read and write
+## files in user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_write_ssh_home, false)
+
+attribute_role ftpdctl_roles;
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t, ftpd_exec_t)
+
+type ftpd_etc_t;
+files_config_file(ftpd_etc_t)
+
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
+type ftpd_keytab_t;
+files_type(ftpd_keytab_t)
+
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_unit_t;
+init_unit_file(ftpd_unit_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type ftpdctl_t;
+type ftpdctl_exec_t;
+init_system_domain(ftpdctl_t, ftpdctl_exec_t)
+role ftpdctl_roles types ftpdctl_t;
+
+type ftpdctl_tmp_t;
+files_tmp_file(ftpdctl_tmp_t)
+
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+allow ftpd_t self:fifo_file rw_fifo_file_perms;
+allow ftpd_t self:unix_dgram_socket sendto;
+allow ftpd_t self:unix_stream_socket { accept listen };
+allow ftpd_t self:tcp_socket { accept listen };
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
+
+allow ftpd_t ftpd_etc_t:file read_file_perms;
+
+allow ftpd_t ftpd_keytab_t:file read_file_perms;
+
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
+manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
+
+allow ftpd_t xferlog_t:dir setattr_dir_perms;
+append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+kernel_read_kernel_sysctls(ftpd_t)
+kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
+
+dev_read_sysfs(ftpd_t)
+dev_read_urand(ftpd_t)
+
+corecmd_exec_bin(ftpd_t)
+
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
+corenet_tcp_sendrecv_generic_if(ftpd_t)
+corenet_udp_sendrecv_generic_if(ftpd_t)
+corenet_tcp_sendrecv_generic_node(ftpd_t)
+corenet_udp_sendrecv_generic_node(ftpd_t)
+corenet_tcp_sendrecv_all_ports(ftpd_t)
+corenet_udp_sendrecv_all_ports(ftpd_t)
+corenet_tcp_bind_generic_node(ftpd_t)
+
+corenet_sendrecv_ftp_server_packets(ftpd_t)
+corenet_tcp_bind_ftp_port(ftpd_t)
+
+corenet_sendrecv_ftp_data_server_packets(ftpd_t)
+corenet_tcp_bind_ftp_data_port(ftpd_t)
+
+domain_use_interactive_fds(ftpd_t)
+
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
+
+auth_use_pam(ftpd_t)
+auth_write_login_records(ftpd_t)
+auth_rw_faillog(ftpd_t)
+auth_manage_var_auth(ftpd_t)
+
+init_rw_utmp(ftpd_t)
+
+logging_send_audit_msgs(ftpd_t)
+logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
+
+miscfiles_read_localization(ftpd_t)
+miscfiles_read_public_files(ftpd_t)
+
+seutil_dontaudit_search_config(ftpd_t)
+
+sysnet_use_ldap(ftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+userdom_dontaudit_search_user_home_dirs(ftpd_t)
+
+tunable_policy(`allow_ftpd_anon_write',`
+ miscfiles_manage_public_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs',`
+ fs_read_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+ fs_manage_cifs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs',`
+ fs_read_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+ fs_manage_nfs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+ files_manage_non_auth_files(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+ corenet_sendrecv_all_server_packets(ftpd_t)
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+ corenet_sendrecv_all_client_packets(ftpd_t)
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_db',`
+ corenet_sendrecv_gds_db_client_packets(ftpd_t)
+ corenet_tcp_connect_gds_db_port(ftpd_t)
+ corenet_tcp_sendrecv_gds_db_port(ftpd_t)
+ corenet_sendrecv_mssql_client_packets(ftpd_t)
+ corenet_tcp_connect_mssql_port(ftpd_t)
+ corenet_tcp_sendrecv_mssql_port(ftpd_t)
+ corenet_sendrecv_oracledb_client_packets(ftpd_t)
+ corenet_tcp_connect_oracledb_port(ftpd_t)
+ corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+
+ userdom_manage_user_home_content_dirs(ftpd_t)
+ userdom_manage_user_home_content_files(ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ userdom_manage_user_tmp_dirs(ftpd_t)
+ userdom_manage_user_tmp_files(ftpd_t)
+ userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
+',`
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
+')
+
+tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ftpd_t)
+ fs_manage_nfs_files(ftpd_t)
+ fs_manage_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(ftpd_t)
+ fs_manage_cifs_files(ftpd_t)
+ fs_manage_cifs_symlinks(ftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ corecmd_exec_shell(ftpd_t)
+
+ files_read_usr_files(ftpd_t)
+
+ cron_system_entry(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ logrotate_exec(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(ftpd_t)
+')
+
+optional_policy(`
+ selinux_validate_context(ftpd_t)
+
+ kerberos_read_keytab(ftpd_t)
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+ kerberos_use(ftpd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(ftpd_t)
+
+ tunable_policy(`ftpd_connect_db',`
+ mysql_tcp_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(ftpd_t)
+
+ tunable_policy(`ftpd_connect_db',`
+ postgresql_tcp_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ tcpd_domtrans(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ftpd_t)
+')
+
+########################################
+#
+# Ctl local policy
+#
+
+stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+files_read_etc_files(ftpdctl_t)
+files_search_pids(ftpdctl_t)
+
+userdom_use_user_terminals(ftpdctl_t)
+
+########################################
+#
+# Anon sftpd local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+')
+
+########################################
+#
+# Sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+
+tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ userdom_manage_user_home_content_dirs(sftpd_t)
+ userdom_manage_user_home_content_files(sftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ userdom_manage_user_tmp_dirs(sftpd_t)
+ userdom_manage_user_tmp_files(sftpd_t)
+ userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
+',`
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(sftpd_t)
+')
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ files_manage_non_auth_files(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(sftpd_t)
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
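Review bot: The last rule of the `use_nfs_home_dirs` block in the Sftpd local policy section names the wrong domain: `fs_read_nfs_symlinks(ftpd_t)` sits between rules written for sftpd_t, so sftpd_t never gets to follow NFS symlinks in NFS-backed home directories while ftpd_t picks up that access under a tunable that is otherwise about sftpd (ftpd_t already receives it from `allow_ftpd_use_nfs` and from `ftp_home_dir && use_nfs_home_dirs`). Change the line to `fs_read_nfs_symlinks(sftpd_t)` so it matches its siblings and the `use_samba_home_dirs` block directly above it. The effect on ftpd_t is small because the same access is reachable through its own tunables, but the sftpd_t side is a functional gap that will show up as a denial the first time a symlink in an NFS home is traversed.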
diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc
new file mode 100644
index 000000000..516f65a24
--- /dev/null
+++ b/policy/modules/services/gatekeeper.fc
@@ -0,0 +1,14 @@
+/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0)
+
+/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)
+
+/usr/bin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/bin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
+
+/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if
new file mode 100644
index 000000000..83681df77
--- /dev/null
+++ b/policy/modules/services/gatekeeper.if
@@ -0,0 +1,42 @@
+## <summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gatekeeper environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gatekeeper_admin',`
+ gen_require(`
+ type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t;
+ type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
+ ')
+
+ allow $1 gatekeeper_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gatekeeper_t)
+
+ init_startstop_service($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, gatekeeper_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, gatekeeper_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, gatekeeper_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gatekeeper_var_run_t)
+')
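Review bot: gatekeeper_admin pairs `admin_pattern($1, gatekeeper_var_run_t)` with `files_search_var_lib($1)`, but gatekeeper_var_run_t is declared with `files_pid_file` in gatekeeper.te and labels `/run/gk\.pid` and `/run/gnugk` in gatekeeper.fc, so the administrator domain needs to search the pid directory, not /var/lib, to reach those objects. Replace the line with `files_search_pids($1)`, which is what gdomap_admin in this same commit does for gdomap_var_run_t. As written the admin_pattern rules are granted but only reachable if the caller already has search on the pid directory from some other interface.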
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
new file mode 100644
index 000000000..a2a4b41c1
--- /dev/null
+++ b/policy/modules/services/gatekeeper.te
@@ -0,0 +1,104 @@
+policy_module(gatekeeper, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type gatekeeper_t;
+type gatekeeper_exec_t;
+init_daemon_domain(gatekeeper_t, gatekeeper_exec_t)
+
+type gatekeeper_initrc_exec_t;
+init_script_file(gatekeeper_initrc_exec_t)
+
+type gatekeeper_etc_t;
+files_config_file(gatekeeper_etc_t)
+
+type gatekeeper_log_t;
+logging_log_file(gatekeeper_log_t)
+
+type gatekeeper_tmp_t;
+files_tmp_file(gatekeeper_tmp_t)
+
+type gatekeeper_var_run_t;
+files_pid_file(gatekeeper_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit gatekeeper_t self:capability sys_tty_config;
+allow gatekeeper_t self:process { setsched signal_perms };
+allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
+allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+allow gatekeeper_t self:udp_socket create_socket_perms;
+
+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
+allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
+
+manage_dirs_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+append_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+create_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+setattr_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })
+
+manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
+
+manage_dirs_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
+manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
+files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, { dir file })
+
+kernel_read_system_state(gatekeeper_t)
+kernel_read_kernel_sysctls(gatekeeper_t)
+
+corecmd_list_bin(gatekeeper_t)
+
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
+corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+corenet_udp_sendrecv_generic_if(gatekeeper_t)
+corenet_tcp_sendrecv_generic_node(gatekeeper_t)
+corenet_udp_sendrecv_generic_node(gatekeeper_t)
+corenet_tcp_sendrecv_all_ports(gatekeeper_t)
+corenet_udp_sendrecv_all_ports(gatekeeper_t)
+corenet_tcp_bind_generic_node(gatekeeper_t)
+corenet_udp_bind_generic_node(gatekeeper_t)
+
+corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
+corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
+corenet_udp_bind_gatekeeper_port(gatekeeper_t)
+
+dev_read_sysfs(gatekeeper_t)
+dev_read_urand(gatekeeper_t)
+
+domain_use_interactive_fds(gatekeeper_t)
+
+files_read_etc_files(gatekeeper_t)
+
+fs_getattr_all_fs(gatekeeper_t)
+fs_search_auto_mountpoints(gatekeeper_t)
+
+logging_send_syslog_msg(gatekeeper_t)
+
+miscfiles_read_localization(gatekeeper_t)
+
+sysnet_read_config(gatekeeper_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+userdom_dontaudit_search_user_home_dirs(gatekeeper_t)
+
+optional_policy(`
+ nis_use_ypbind(gatekeeper_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(gatekeeper_t)
+')
+
+optional_policy(`
+ udev_read_db(gatekeeper_t)
+')
diff --git a/policy/modules/services/gdomap.fc b/policy/modules/services/gdomap.fc
new file mode 100644
index 000000000..ddf2c1889
--- /dev/null
+++ b/policy/modules/services/gdomap.fc
@@ -0,0 +1,7 @@
+/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)
+
+/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
+
+/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
+
+/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
diff --git a/policy/modules/services/gdomap.if b/policy/modules/services/gdomap.if
new file mode 100644
index 000000000..58e5c4423
--- /dev/null
+++ b/policy/modules/services/gdomap.if
@@ -0,0 +1,55 @@
+## <summary>GNUstep distributed object mapper.</summary>
+
+########################################
+## <summary>
+## Read gdomap configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gdomap_read_config',`
+ gen_require(`
+ type gdomap_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gdomap_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gdomap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gdomap_admin',`
+ gen_require(`
+ type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
+ type gdomap_var_run_t;
+ ')
+
+ allow $1 gdomap_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gdomap_t)
+
+ init_startstop_service($1, $2, gdomap_t, gdomap_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, gdomap_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gdomap_var_run_t)
+')
diff --git a/policy/modules/services/gdomap.te b/policy/modules/services/gdomap.te
new file mode 100644
index 000000000..e710d3565
--- /dev/null
+++ b/policy/modules/services/gdomap.te
@@ -0,0 +1,46 @@
+policy_module(gdomap, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type gdomap_t;
+type gdomap_exec_t;
+init_daemon_domain(gdomap_t, gdomap_exec_t)
+
+type gdomap_initrc_exec_t;
+init_script_file(gdomap_initrc_exec_t)
+
+type gdomap_conf_t;
+files_config_file(gdomap_conf_t)
+
+type gdomap_var_run_t;
+files_pid_file(gdomap_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
+allow gdomap_t self:tcp_socket { listen accept };
+
+allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
+
+corenet_sendrecv_gdomap_server_packets(gdomap_t)
+corenet_tcp_bind_generic_node(gdomap_t)
+corenet_tcp_bind_gdomap_port(gdomap_t)
+corenet_tcp_sendrecv_gdomap_port(gdomap_t)
+corenet_udp_bind_generic_node(gdomap_t)
+corenet_udp_bind_gdomap_port(gdomap_t)
+corenet_udp_sendrecv_gdomap_port(gdomap_t)
+
+domain_use_interactive_fds(gdomap_t)
+
+files_search_tmp(gdomap_t)
+
+auth_use_nsswitch(gdomap_t)
+
+logging_send_syslog_msg(gdomap_t)
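Review bot: The local policy grants gdomap_t only `self:tcp_socket { listen accept }` and no udp_socket permissions at all, yet it binds and sends on both the TCP and UDP gdomap ports; socket creation therefore appears to depend on what `auth_use_nsswitch(gdomap_t)` pulls in transitively, which is easy to break if that call is ever removed. gatekeeper.te in this same commit spells the create permissions out (`self:tcp_socket create_stream_socket_perms`, `self:udp_socket create_socket_perms`). Either add the same two allow rules here, or put a comment above the tcp_socket line such as `# socket create/connect perms come via auth_use_nsswitch` so the dependency is visible to the next maintainer.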
diff --git a/policy/modules/services/geoclue.fc b/policy/modules/services/geoclue.fc
new file mode 100644
index 000000000..d460e44d6
--- /dev/null
+++ b/policy/modules/services/geoclue.fc
@@ -0,0 +1,8 @@
+/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
+
+/usr/lib/geoclue2/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+/usr/lib/geoclue-2\.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/policy/modules/services/geoclue.if b/policy/modules/services/geoclue.if
new file mode 100644
index 000000000..9df360861
--- /dev/null
+++ b/policy/modules/services/geoclue.if
@@ -0,0 +1 @@
+## <summary>Geoclue is a D-Bus service that provides location information.</summary>
diff --git a/policy/modules/services/geoclue.te b/policy/modules/services/geoclue.te
new file mode 100644
index 000000000..c6e664088
--- /dev/null
+++ b/policy/modules/services/geoclue.te
@@ -0,0 +1,46 @@
+policy_module(geoclue, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type geoclue_t;
+type geoclue_exec_t;
+dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+type geoclue_etc_t;
+files_config_file(geoclue_etc_t)
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+
+kernel_read_kernel_sysctls(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+auth_use_nsswitch(geoclue_t)
+
+miscfiles_read_generic_certs(geoclue_t)
+miscfiles_read_localization(geoclue_t)
+
+optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+')
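Review bot: The network rules in the Local policy section are incomplete by this file set's own convention: `corenet_tcp_connect_http_port(geoclue_t)` stands alone, whereas the `ftpd_connect_db` block in ftp.te pairs every connect with `corenet_tcp_sendrecv_<port>_port` and `corenet_sendrecv_<port>_client_packets`; add `corenet_tcp_sendrecv_http_port(geoclue_t)` and `corenet_sendrecv_http_client_packets(geoclue_t)` next to it. Separately, `geoclue_var_lib_t` is declared and labels /var/lib/geoclue in geoclue.fc, but no rule lets geoclue_t touch it; if the daemon is expected to persist state there, a manage pattern plus a `files_var_lib_filetrans` rule is missing, and if not, a one-line comment on the type saying why it exists would stop the next reader from hunting for the rules.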
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
new file mode 100644
index 000000000..c26586d31
--- /dev/null
+++ b/policy/modules/services/git.fc
@@ -0,0 +1,18 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+/usr/lib/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/usr/share/gitweb/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/usr/share/gitweb/static(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
new file mode 100644
index 000000000..1e29af196
--- /dev/null
+++ b/policy/modules/services/git.if
@@ -0,0 +1,81 @@
+## <summary>GIT revision control system.</summary>
+
+########################################
+## <summary>
+## Role access for Git session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_role',`
+ gen_require(`
+ attribute_role git_session_roles;
+ type git_session_t, gitd_exec_t, git_user_content_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 git_session_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ tunable_policy(`git_session_users',`
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+ ',`
+ can_exec($2, gitd_exec_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read generic system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`git_read_generic_sys_content_files',`
+ gen_require(`
+ type git_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs($1)
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
new file mode 100644
index 000000000..45b25f0fb
--- /dev/null
+++ b/policy/modules/services/git.te
@@ -0,0 +1,280 @@
+policy_module(git, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_cgi_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether Git session daemon
+## can bind TCP sockets to all
+## unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Determine whether calling user domains
+## can execute Git daemon in the
+## git_session_t domain.
+## </p>
+## </desc>
+gen_tunable(git_session_users, false)
+
+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can send syslog messages.
+## </p>
+## </desc>
+gen_tunable(git_session_send_syslog_msg, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_daemon;
+attribute_role git_session_roles;
+
+apache_content_template(git)
+
+type git_system_t, git_daemon;
+type gitd_exec_t;
+init_daemon_domain(git_system_t, gitd_exec_t)
+
+type git_session_t, git_daemon;
+userdom_user_application_domain(git_session_t, gitd_exec_t)
+role git_session_roles types git_session_t;
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Session policy
+#
+
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+
+corenet_sendrecv_git_server_packets(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+
+auth_use_nsswitch(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+optional_policy(`
+ inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
+tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(git_session_t)
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+')
+
+tunable_policy(`git_session_send_syslog_msg',`
+ logging_send_syslog_msg(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(git_session_t)
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+',`
+ fs_dontaudit_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(git_session_t)
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+',`
+ fs_dontaudit_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# System policy
+#
+
+list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+
+corenet_all_recvfrom_unlabeled(git_system_t)
+corenet_all_recvfrom_netlabel(git_system_t)
+corenet_tcp_sendrecv_generic_if(git_system_t)
+corenet_tcp_sendrecv_generic_node(git_system_t)
+corenet_tcp_bind_generic_node(git_system_t)
+
+corenet_sendrecv_git_server_packets(git_system_t)
+corenet_tcp_bind_git_port(git_system_t)
+corenet_tcp_sendrecv_git_port(git_system_t)
+
+files_search_var_lib(git_system_t)
+
+auth_use_nsswitch(git_system_t)
+
+logging_send_syslog_msg(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_getattr_cifs(git_system_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_getattr_nfs(git_system_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# CGI policy
+#
+
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(httpd_git_script_t)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+tunable_policy(`git_cgi_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_cifs',`
+ fs_getattr_cifs(httpd_git_script_t)
+ fs_list_cifs(httpd_git_script_t)
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_nfs',`
+ fs_getattr_nfs(httpd_git_script_t)
+ fs_list_nfs(httpd_git_script_t)
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+########################################
+#
+# Git global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
+read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+miscfiles_read_localization(git_daemon)
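Review bot: The `optional_policy` block at the end of the Session policy section calls `inetd_service_domain(git_system_t, gitd_exec_t)`, which concerns git_system_t rather than git_session_t, so it belongs under the System policy heading alongside the other git_system_t rules; a reader scanning by section will miss that the system daemon can be spawned by inetd. Moving those three lines after `logging_send_syslog_msg(git_system_t)` fixes the organisation without changing the compiled policy. A smaller documentation point in the CGI section: httpd_git_script_t is given read access to git_user_content_t unconditionally while home-directory search is gated by `git_cgi_enable_homedirs`, so the read rules appear to be reachable only with the tunable on; a comment above the list_dirs_pattern line stating that would make the intent explicit.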
diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc
new file mode 100644
index 000000000..caf9c3d89
--- /dev/null
+++ b/policy/modules/services/glance.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+
+/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
+
+/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
+
+/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
new file mode 100644
index 000000000..6d9f3daaa
--- /dev/null
+++ b/policy/modules/services/glance.if
@@ -0,0 +1,259 @@
+## <summary>OpenStack image registry and delivery service.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run glance registry.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_registry',`
+ gen_require(`
+ type glance_registry_t, glance_registry_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run glance api.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_api',`
+ gen_require(`
+ type glance_api_t, glance_api_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
+')
+
+########################################
+## <summary>
+## Read glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_read_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Append glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_append_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glance_log_t, glance_log_t)
+ manage_files_pattern($1, glance_log_t, glance_log_t)
+ manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Search glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_search_lib',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ allow $1 glance_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_dirs',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read glance pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## glance pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glance environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_admin',`
+ gen_require(`
+ type glance_registry_t, glance_api_t, glance_log_t;
+ type glance_var_lib_t, glance_var_run_t;
+ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
+ ')
+
+ allow $1 { glance_api_t glance_registry_t }:process signal_perms;
+ ps_process_pattern($1, { glance_api_t glance_registry_t })
+
+ init_startstop_service($1, $2, glance_api_t, glance_api_initrc_exec_t)
+ init_startstop_service($1, $2, glance_registry_t, glance_registry_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glance_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glance_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glance_var_run_t)
+')
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
index 000000000..20f0ff272
--- /dev/null
+++ b/policy/modules/services/glance.te
@@ -0,0 +1,120 @@
+policy_module(glance, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute glance_domain;
+
+type glance_registry_t, glance_domain;
+type glance_registry_exec_t;
+init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
+type glance_registry_tmp_t;
+files_tmp_file(glance_registry_tmp_t)
+
+type glance_api_t, glance_domain;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
+
+type glance_api_initrc_exec_t;
+init_script_file(glance_api_initrc_exec_t)
+
+type glance_log_t;
+logging_log_file(glance_log_t)
+
+type glance_var_lib_t;
+files_type(glance_var_lib_t)
+
+type glance_tmp_t;
+files_tmp_file(glance_tmp_t)
+
+type glance_var_run_t;
+files_pid_file(glance_var_run_t)
+
+#######################################
+#
+# Common local policy
+#
+
+allow glance_domain self:fifo_file rw_fifo_file_perms;
+allow glance_domain self:unix_stream_socket create_stream_socket_perms;
+allow glance_domain self:tcp_socket { accept listen };
+
+manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
+append_files_pattern(glance_domain, glance_log_t, glance_log_t)
+create_files_pattern(glance_domain, glance_log_t, glance_log_t)
+setattr_files_pattern(glance_domain, glance_log_t, glance_log_t)
+
+manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+
+manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+
+kernel_read_system_state(glance_domain)
+
+corenet_all_recvfrom_unlabeled(glance_domain)
+corenet_all_recvfrom_netlabel(glance_domain)
+corenet_tcp_sendrecv_generic_if(glance_domain)
+corenet_tcp_sendrecv_generic_node(glance_domain)
+corenet_tcp_sendrecv_all_ports(glance_domain)
+corenet_tcp_bind_generic_node(glance_domain)
+
+corecmd_exec_bin(glance_domain)
+corecmd_exec_shell(glance_domain)
+
+dev_read_urand(glance_domain)
+
+files_read_etc_files(glance_domain)
+files_read_usr_files(glance_domain)
+
+libs_exec_ldconfig(glance_domain)
+
+miscfiles_read_localization(glance_domain)
+
+sysnet_dns_name_resolve(glance_domain)
+
+########################################
+#
+# Registry local policy
+#
+
+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
+
+corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
+logging_send_syslog_msg(glance_registry_t)
+
+optional_policy(`
+ mysql_stream_connect(glance_registry_t)
+ mysql_tcp_connect(glance_registry_t)
+')
+
+########################################
+#
+# Api local policy
+#
+
+manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+can_exec(glance_api_t, glance_tmp_t)
+
+corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
+corenet_tcp_bind_armtechdaemon_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
+
+corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_glance_registry_port(glance_api_t)
+
+fs_getattr_xattr_fs(glance_api_t)
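Review bot: `can_exec(glance_api_t, glance_tmp_t)` together with `manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)` lets the API process write a file into its own tmp type and then execute it, which drops the write-xor-execute separation the rest of the module keeps; if a component genuinely needs this (Python ctypes/libffi is a common trigger, but the hunk does not show it), it deserves a why-comment such as `# glance-api executes files in its own tmp dir — TODO confirm which component requires this` so the grant is not silently carried forward. Separately, `corenet_tcp_bind_armtechdaemon_port(glance_api_t)` and `corenet_tcp_bind_hplip_port(glance_api_t)` have no explanation; they were presumably chosen because those port types cover the port glance-api listens on (9292 is labelled armtechdaemon_port_t in corenetwork), but `hplip_port_t` spans a set of printer ports, so a comment naming the intended port and a check whether a dedicated glance port type would be narrower is warranted.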
diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
new file mode 100644
index 000000000..be43eb4f7
--- /dev/null
+++ b/policy/modules/services/glusterfs.fc
@@ -0,0 +1,19 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
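Review bot: `/usr/bin/glusterd` and `/usr/sbin/glusterd` are labelled `glusterd_initrc_exec_t`, the same type as the init scripts on the first line, while only `glusterfsd` gets `glusterd_exec_t`. Given `init_script_file(glusterd_initrc_exec_t)` in glusterfs.te, the glusterd management daemon itself presumably runs in the init script domain rather than in `glusterd_t`, with only the brick processes it spawns confined; without a comment this reads like a copy-paste mistake. If it is intentional, add `# glusterd runs in the init script domain; only glusterfsd is confined in glusterd_t` above the two lines, otherwise relabel them `glusterd_exec_t`.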
diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
new file mode 100644
index 000000000..b4f5d01c2
--- /dev/null
+++ b/policy/modules/services/glusterfs.if
@@ -0,0 +1,46 @@
+## <summary>Cluster File System binary, daemon and command line.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glusterfs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterfs_admin',`
+ gen_require(`
+ type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+ type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+ type glusterd_var_run_t;
+ ')
+
+ init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
+
+ allow $1 glusterd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, glusterd_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, glusterd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glusterd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glusterd_var_run_t)
+')
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
new file mode 100644
index 000000000..54bd1807c
--- /dev/null
+++ b/policy/modules/services/glusterfs.te
@@ -0,0 +1,105 @@
+policy_module(glusterfs, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
+allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+# Too coarse?
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+files_read_usr_files(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
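Review bot: The `# Too coarse?` question above `corenet_sendrecv_all_server_packets(glusterd_t)` leaves the broadest rules in the module (bind any reserved port, connect to any unreserved port, receive all server packets) without a recorded justification, so nobody can later tell whether they can be tightened. If the breadth is needed because glusterd hands out dynamically assigned brick ports (plausible, but not something the hunk shows), replace the question with a statement and a narrowing target, e.g. `# glusterd assigns brick ports dynamically; narrow once a labelled port range exists`. The `sys_admin` capability in the first rule of the local policy section is likewise undocumented and is the grant most worth a why-comment.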
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
new file mode 100644
index 000000000..f9ba8cd99
--- /dev/null
+++ b/policy/modules/services/gnomeclock.fc
@@ -0,0 +1,7 @@
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
new file mode 100644
index 000000000..3f55702fb
--- /dev/null
+++ b/policy/modules/services/gnomeclock.if
@@ -0,0 +1,90 @@
+## <summary>Gnome clock handler for setting the time.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run gnomeclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t, gnomeclock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+########################################
+## <summary>
+## Execute gnomeclock in the gnomeclock
+## domain, and allow the specified
+## role the gnomeclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ attribute_role gnomeclock_roles;
+ ')
+
+ gnomeclock_domtrans($1)
+ roleattribute $2 gnomeclock_roles;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and
+## receive messages from gnomeclock
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dontaudit_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
new file mode 100644
index 000000000..7cd7435e6
--- /dev/null
+++ b/policy/modules/services/gnomeclock.te
@@ -0,0 +1,87 @@
+policy_module(gnomeclock, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role gnomeclock_roles;
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+init_system_domain(gnomeclock_t, gnomeclock_exec_t)
+role gnomeclock_roles types gnomeclock_t;
+
+########################################
+#
+# Local policy
+#
+
+allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:process { getattr getsched signal };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket { accept listen };
+
+kernel_read_system_state(gnomeclock_t)
+
+corecmd_exec_bin(gnomeclock_t)
+corecmd_exec_shell(gnomeclock_t)
+
+corenet_all_recvfrom_unlabeled(gnomeclock_t)
+corenet_all_recvfrom_netlabel(gnomeclock_t)
+corenet_tcp_sendrecv_generic_if(gnomeclock_t)
+corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+
+# tcp:37 (time)
+corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
+corenet_tcp_connect_inetd_child_port(gnomeclock_t)
+corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
+
+dev_read_sysfs(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_rw_realtime_clock(gnomeclock_t)
+
+files_read_usr_files(gnomeclock_t)
+
+fs_getattr_xattr_fs(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+logging_send_syslog_msg(gnomeclock_t)
+
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_read_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ chronyd_initrc_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ clock_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ ')
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
+')
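Review bot: The `optional_policy` blocks calling `chronyd_initrc_domtrans(gnomeclock_t)` and `ntp_initrc_domtrans(gnomeclock_t)` let a D-Bus reachable helper run init scripts, and `userdom_read_all_users_state(gnomeclock_t)` lets it read every user's process state; none of these carries a why-comment, unlike `# tcp:37 (time)` earlier in the file. Presumably the init script transitions exist to restart the time daemon after the clock is set and the state read serves PolicyKit caller checks, but that is inference; a comment on each such as `# restart the time daemon after the clock is changed — TODO confirm` would keep the next reviewer from removing or broadening them blindly.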
diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc
new file mode 100644
index 000000000..24531dc00
--- /dev/null
+++ b/policy/modules/services/gpm.fc
@@ -0,0 +1,13 @@
+/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0)
+/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0)
+
+/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0)
+/etc/gpm-.*\.conf -- gen_context(system_u:object_r:gpm_conf_t,s0)
+
+/etc/rc\.d/init\.d/gpm -- gen_context(system_u:object_r:gpm_initrc_exec_t,s0)
+
+/usr/bin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
+/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
+/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
new file mode 100644
index 000000000..356fb6d12
--- /dev/null
+++ b/policy/modules/services/gpm.if
@@ -0,0 +1,120 @@
+## <summary>General Purpose Mouse driver.</summary>
+
+########################################
+## <summary>
+## Connect to GPM over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_stream_connect',`
+ gen_require(`
+ type gpmctl_t, gpm_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
+')
+
+########################################
+## <summary>
+## Get attributes of gpm control
+## channel named sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of gpm control channel
+## named sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gpm_dontaudit_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of gpm control
+## channel named sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_setattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gpm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gpm_admin',`
+ gen_require(`
+ type gpm_t, gpm_conf_t, gpm_initrc_exec_t;
+ type gpm_var_run_t, gpmctl_t;
+ ')
+
+ allow $1 gpm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gpm_t)
+
+ init_startstop_service($1, $2, gpm_t, gpm_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, gpm_conf_t)
+
+ dev_list_all_dev_nodes($1)
+ admin_pattern($1, gpmctl_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gpm_var_run_t)
+')
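Review bot: `gpm_dontaudit_getattr_gpmctl` only silences `gpmctl_t:sock_file getattr`, while its counterpart `gpm_getattr_gpmctl` allows both `sock_file` and `fifo_file`, and gpm.fc labels `/dev/gpmdata` as a fifo of type `gpmctl_t`. A caller that opts out of auditing will therefore still log denials for the fifo; add `dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` next to the existing dontaudit line. The same asymmetry applies to `gpm_setattr_gpmctl`, which covers only the sock file.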
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
new file mode 100644
index 000000000..39000d859
--- /dev/null
+++ b/policy/modules/services/gpm.te
@@ -0,0 +1,83 @@
+policy_module(gpm, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t, gpm_exec_t)
+
+type gpm_initrc_exec_t;
+init_script_file(gpm_initrc_exec_t)
+
+type gpm_conf_t;
+files_type(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config };
+allow gpm_t self:process { signal signull getcap setcap };
+allow gpm_t self:unix_stream_socket { accept listen };
+
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+
+manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file manage_file_perms;
+files_pid_filetrans(gpm_t, gpm_var_run_t, file)
+
+allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+files_read_etc_files(gpm_t)
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+miscfiles_read_localization(gpm_t)
+
+userdom_use_user_terminals(gpm_t)
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+ udev_read_db(gpm_t)
+')
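Review bot: `sys_admin` in `allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config }` is the most powerful grant in the module and has no comment, in contrast to `# Access the mouse.` lower down. It is presumably needed for the console ioctls gpm uses to paste selections into a tty (TIOCLINUX/TIOCSTI require CAP_SYS_ADMIN), but the hunk does not show that; a one-line `# sys_admin: console selection ioctls — TODO confirm` would record the reason and make the grant reviewable.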
diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc
new file mode 100644
index 000000000..4e62fd9e8
--- /dev/null
+++ b/policy/modules/services/gpsd.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
+/usr/bin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if
new file mode 100644
index 000000000..1d10f63ad
--- /dev/null
+++ b/policy/modules/services/gpsd.if
@@ -0,0 +1,100 @@
+## <summary>gpsd monitor daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gpsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpsd_domtrans',`
+ gen_require(`
+ type gpsd_t, gpsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+## <summary>
+## Execute gpsd in the gpsd domain, and
+## allow the specified role the gpsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_run',`
+ gen_require(`
+ attribute_role gpsd_roles;
+ ')
+
+ gpsd_domtrans($1)
+ roleattribute $2 gpsd_roles;
+')
+
+########################################
+## <summary>
+## Read and write gpsd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_rw_shm',`
+ gen_require(`
+ type gpsd_t, gpsd_tmpfs_t;
+ ')
+
+ allow $1 gpsd_t:shm rw_shm_perms;
+ allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gpsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gpsd_admin',`
+ gen_require(`
+ type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t;
+ ')
+
+ allow $1 gpsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gpsd_t)
+
+ init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gpsd_var_run_t)
+
+ gpsd_run($1, $2)
+')
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
new file mode 100644
index 000000000..d4aacb79c
--- /dev/null
+++ b/policy/modules/services/gpsd.te
@@ -0,0 +1,84 @@
+policy_module(gpsd, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role gpsd_roles;
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+role gpsd_roles types gpsd_t;
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_override dac_read_search };
+allow gpsd_t self:process { setsched signal_perms };
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket sendto;
+allow gpsd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+kernel_list_proc(gpsd_t)
+kernel_request_load_module(gpsd_t)
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_bind_all_nodes(gpsd_t)
+
+corenet_sendrecv_gpsd_server_packets(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+corenet_tcp_sendrecv_gpsd_port(gpsd_t)
+
+dev_read_sysfs(gpsd_t)
+dev_rw_realtime_clock(gpsd_t)
+
+domain_dontaudit_read_all_domains_state(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
+ chronyd_dgram_send(gpsd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(gpsd_t)
+')
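Review bot: `sys_time` in the first capability rule and `kernel_request_load_module(gpsd_t)` are both unexplained, and they sit in a domain that listens on the network (`corenet_tcp_bind_gpsd_port(gpsd_t)`, `self:tcp_socket { accept listen }`). The intent is presumably PPS/clock discipline and autoloading of serial or USB GPS driver modules respectively, but that is inferred rather than shown; each deserves a short why-comment, e.g. `# sys_time: PPS clock discipline — TODO confirm`, so the privilege breadth of a network-facing daemon is deliberate rather than inherited.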
diff --git a/policy/modules/services/gssproxy.fc b/policy/modules/services/gssproxy.fc
new file mode 100644
index 000000000..a99701592
--- /dev/null
+++ b/policy/modules/services/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/services/gssproxy.if b/policy/modules/services/gssproxy.if
new file mode 100644
index 000000000..1f8a44618
--- /dev/null
+++ b/policy/modules/services/gssproxy.if
@@ -0,0 +1,168 @@
+## <summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ admin_pattern($1, gssproxy_unit_t)
+')
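Review bot: gssproxy_stream_connect (interface starting at L31650) grants stream_connect_pattern on gssproxy_var_lib_t sockets but only adds `files_search_pids($1)`, so a caller reaching a socket under /var/lib/gssproxy (labelled gssproxy_var_lib_t in the .fc) will still be denied search on /var/lib; the sibling interfaces in this file pair var_lib access with the search call, so add `files_search_var_lib($1)` next to the existing files_search_pids line. Two documentation nits in the same hunk: the gssproxy_domtrans summary reads "gssproxy domin" (should be "domain"), and the gssproxy_admin summary reads "an gssproxy environment" (should be "a gssproxy environment").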
diff --git a/policy/modules/services/gssproxy.te b/policy/modules/services/gssproxy.te
new file mode 100644
index 000000000..cd1b2b374
--- /dev/null
+++ b/policy/modules/services/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+ kerberos_tmp_filetrans_host_rcache(gssproxy_t, file)
+')
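Review bot: The three userdom grants at the end of the local policy — `userdom_read_all_users_keys(gssproxy_t)`, `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)` — are the broadest rules in this module (reading every user's kernel keyring and managing every user's tmp content) and carry no explanation, which is what an auditor of this policy will look for first. I would precede them with a why-comment such as `# gssproxy services GSSAPI calls on behalf of arbitrary users, so it needs their keyring-held credentials and their credential caches under tmp; presumably required for the supported ccache types — confirm against the daemon's documented behaviour`, hedged because the requirement is inferred from the daemon's purpose rather than visible here. As a point of style, the "gssproxy local policy" banner is missing the blank line between the closing `#` and the first allow rule that every other section banner in this series (e.g. the gpsd "Local policy" banner above) uses.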
diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
new file mode 100644
index 000000000..b43cfde90
--- /dev/null
+++ b/policy/modules/services/hadoop.fc
@@ -0,0 +1,53 @@
+/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+
+/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0)
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0)
+
+/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
+
+/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
+/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0)
+/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0)
+/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0)
+/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0)
+
+/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0)
+/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0)
+
+/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0)
+/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0)
+/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0)
+/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0)
+/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0)
+/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
new file mode 100644
index 000000000..5908119df
--- /dev/null
+++ b/policy/modules/services/hadoop.if
@@ -0,0 +1,472 @@
+## <summary>Software for reliable, scalable, distributed computing.</summary>
+
+#######################################
+## <summary>
+## The template to define a hadoop domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`hadoop_domain_template',`
+ gen_require(`
+ attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
+ attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
+ attribute hadoop_tmp_file, hadoop_var_lib_file;
+ type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
+ type hadoop_exec_t, hadoop_hsperfdata_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type hadoop_$1_t, hadoop_domain;
+ domain_type(hadoop_$1_t)
+ domain_entry_file(hadoop_$1_t, hadoop_exec_t)
+ role system_r types hadoop_$1_t;
+
+ type hadoop_$1_initrc_t, hadoop_initrc_domain;
+ type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
+ init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
+ role system_r types hadoop_$1_initrc_t;
+
+ type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
+ files_pid_file(hadoop_$1_initrc_var_run_t)
+
+ type hadoop_$1_lock_t, hadoop_lock_file;
+ files_lock_file(hadoop_$1_lock_t)
+
+ type hadoop_$1_log_t, hadoop_log_file;
+ logging_log_file(hadoop_$1_log_t)
+
+ type hadoop_$1_tmp_t, hadoop_tmp_file;
+ files_tmp_file(hadoop_$1_tmp_t)
+
+ type hadoop_$1_var_lib_t, hadoop_var_lib_file;
+ files_type(hadoop_$1_var_lib_t)
+
+ ####################################
+ #
+ # hadoop_domain policy
+ #
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+
+ manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
+
+ auth_use_nsswitch(hadoop_$1_t)
+
+ ####################################
+ #
+ # hadoop_initrc_domain policy
+ #
+
+ allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
+
+ domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
+ files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+')
+
+########################################
+## <summary>
+## Role access for hadoop.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hadoop_role',`
+ gen_require(`
+ attribute_role hadoop_roles, zookeeper_roles;
+ type hadoop_t, zookeeper_t, hadoop_home_t;
+ type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
+ ')
+
+ hadoop_domtrans($2)
+ roleattribute $1 hadoop_roles;
+
+ hadoop_domtrans_zookeeper_client($2)
+ roleattribute $1 zookeeper_roles;
+
+ allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { hadoop_t zookeeper_t })
+
+ allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
+
+########################################
+## <summary>
+## Execute hadoop in the
+## hadoop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans',`
+ gen_require(`
+ type hadoop_t, hadoop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hadoop_exec_t, hadoop_t)
+')
+
+########################################
+## <summary>
+## Receive from hadoop peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper client in the
+## zookeeper client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t, zookeeper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Receive from zookeeper peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t, zookeeper_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
+')
+
+########################################
+## <summary>
+## Receive from zookeeper server peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_initrc_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Receive from datanode peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_datanode',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Read hadoop configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_read_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+ read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+')
+
+########################################
+## <summary>
+## Execute hadoop configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_exec_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ hadoop_read_config($1)
+ allow $1 hadoop_etc_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Receive from jobtracker peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_jobtracker',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Match hadoop lan association.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_match_lan_spd',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Receive from namenode peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_namenode',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Receive from secondary namenode peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_secondarynamenode',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Receive from tasktracker peer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_tasktracker',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hadoop environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hadoop_admin',`
+ gen_require(`
+ attribute hadoop_domain;
+ attribute hadoop_initrc_domain;
+
+ attribute hadoop_pid_file;
+ attribute hadoop_lock_file;
+ attribute hadoop_log_file;
+ attribute hadoop_tmp_file;
+ attribute hadoop_var_lib_file;
+
+ type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
+ type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
+ type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
+ ')
+
+ allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
+
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, hadoop_log_file)
+
+ files_search_locks($1)
+ admin_pattern($1, hadoop_lock_file)
+
+ files_search_pids($1)
+ admin_pattern($1, hadoop_pid_file)
+
+ files_search_tmp($1)
+ admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })
+')
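Review bot: hadoop_domain_template (starting at L31841) declares eight types per invocation — hadoop_$1_t, hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t, hadoop_$1_initrc_var_run_t, hadoop_$1_lock_t, hadoop_$1_log_t, hadoop_$1_tmp_t and hadoop_$1_var_lib_t — and attaches them to the hadoop_* attributes, yet its summary says only "The template to define a hadoop domain", so a caller cannot see what names it introduces or that hadoop.te must already declare the required attributes. I would extend the summary to list the declared types and state that the template depends on the attributes named in its gen_require block being declared by the module that invokes it. A smaller documentation point in the same hunk: the hadoop_admin summary reads "an hadoop environment" (should be "a hadoop environment"), matching the wording used by the other admin interfaces in this series.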
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
new file mode 100644
index 000000000..9f333bfd2
--- /dev/null
+++ b/policy/modules/services/hadoop.te
@@ -0,0 +1,553 @@
+policy_module(hadoop, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute hadoop_domain;
+attribute hadoop_initrc_domain;
+
+attribute hadoop_init_script_file;
+attribute hadoop_pid_file;
+attribute hadoop_lock_file;
+attribute hadoop_log_file;
+attribute hadoop_tmp_file;
+attribute hadoop_var_lib_file;
+
+attribute_role hadoop_roles;
+attribute_role zookeeper_roles;
+
+type hadoop_t;
+type hadoop_exec_t;
+userdom_user_application_domain(hadoop_t, hadoop_exec_t)
+role hadoop_roles types hadoop_t;
+
+type hadoop_etc_t;
+files_config_file(hadoop_etc_t)
+
+type hadoop_home_t;
+userdom_user_home_content(hadoop_home_t)
+
+type hadoop_lan_t;
+corenet_spd_type(hadoop_lan_t)
+
+type hadoop_log_t, hadoop_log_file;
+logging_log_file(hadoop_log_t)
+
+type hadoop_tmp_t, hadoop_tmp_file;
+userdom_user_tmp_file(hadoop_tmp_t)
+
+type hadoop_var_lib_t, hadoop_var_lib_file;
+files_type(hadoop_var_lib_t)
+
+type hadoop_var_run_t, hadoop_pid_file;
+files_pid_file(hadoop_var_run_t)
+
+type hadoop_hsperfdata_t;
+userdom_user_tmp_file(hadoop_hsperfdata_t)
+
+hadoop_domain_template(datanode)
+hadoop_domain_template(jobtracker)
+hadoop_domain_template(namenode)
+hadoop_domain_template(secondarynamenode)
+hadoop_domain_template(tasktracker)
+
+type zookeeper_t;
+type zookeeper_exec_t;
+userdom_user_application_domain(zookeeper_t, zookeeper_exec_t)
+role zookeeper_roles types zookeeper_t;
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+
+type zookeeper_log_t, hadoop_log_file;
+logging_log_file(zookeeper_log_t)
+
+type zookeeper_server_t;
+type zookeeper_server_exec_t;
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+
+type zookeeper_server_initrc_exec_t, hadoop_init_script_file;
+init_script_file(zookeeper_server_initrc_exec_t)
+
+type zookeeper_server_tmp_t, hadoop_tmp_file;
+files_tmp_file(zookeeper_server_tmp_t)
+
+type zookeeper_server_var_t;
+files_type(zookeeper_server_var_t)
+
+type zookeeper_server_var_run_t, hadoop_pid_file;
+files_pid_file(zookeeper_server_var_run_t)
+
+type zookeeper_tmp_t, hadoop_tmp_file;
+userdom_user_tmp_file(zookeeper_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem };
+allow hadoop_t self:fifo_file rw_fifo_file_perms;
+allow hadoop_t self:key write;
+allow hadoop_t self:peer recv;
+allow hadoop_t self:tcp_socket { accept listen };
+
+allow hadoop_t hadoop_domain:process signull;
+
+read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+can_exec(hadoop_t, hadoop_etc_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
+allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
+
+manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file })
+
+manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+files_search_var_lib(hadoop_t)
+
+getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
+
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_all_recvfrom_netlabel(hadoop_t)
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_tcp_sendrecv_generic_node(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+
+corenet_sendrecv_hadoop_datanode_client_packets(hadoop_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_t)
+
+corenet_sendrecv_portmap_client_packets(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+
+corenet_sendrecv_zope_client_packets(hadoop_t)
+corenet_tcp_connect_zope_port(hadoop_t)
+
+corenet_sendrecv_generic_client_packets(hadoop_t)
+corenet_tcp_connect_generic_port(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+dev_read_urand(hadoop_t)
+
+domain_use_interactive_fds(hadoop_t)
+
+files_dontaudit_search_spool(hadoop_t)
+files_read_usr_files(hadoop_t)
+
+fs_getattr_xattr_fs(hadoop_t)
+
+auth_use_nsswitch(hadoop_t)
+
+miscfiles_read_localization(hadoop_t)
+
+userdom_use_user_terminals(hadoop_t)
+
+hadoop_match_lan_spd(hadoop_t)
+hadoop_recvfrom_datanode(hadoop_t)
+hadoop_recvfrom_jobtracker(hadoop_t)
+hadoop_recvfrom_namenode(hadoop_t)
+hadoop_recvfrom_tasktracker(hadoop_t)
+
+optional_policy(`
+ java_exec(hadoop_t)
+')
+
+########################################
+#
+# Common hadoop_domain local policy
+#
+
+allow hadoop_domain self:capability { chown kill setgid setuid };
+allow hadoop_domain self:process { execmem getsched setsched sigkill signal };
+allow hadoop_domain self:fifo_file rw_fifo_file_perms;
+allow hadoop_domain self:key search;
+allow hadoop_domain self:peer recv;
+allow hadoop_domain self:tcp_socket { accept listen };
+
+allow hadoop_domain hadoop_domain:process signull;
+
+allow hadoop_domain hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(hadoop_domain, hadoop_hsperfdata_t, dir)
+
+hadoop_exec_config(hadoop_domain)
+hadoop_match_lan_spd(hadoop_domain)
+
+kernel_read_kernel_sysctls(hadoop_domain)
+kernel_read_network_state(hadoop_domain)
+kernel_read_sysctl(hadoop_domain)
+kernel_read_system_state(hadoop_domain)
+
+corecmd_exec_bin(hadoop_domain)
+corecmd_exec_shell(hadoop_domain)
+
+corenet_all_recvfrom_unlabeled(hadoop_domain)
+corenet_all_recvfrom_netlabel(hadoop_domain)
+corenet_tcp_bind_all_nodes(hadoop_domain)
+corenet_tcp_sendrecv_generic_if(hadoop_domain)
+corenet_tcp_sendrecv_generic_node(hadoop_domain)
+corenet_tcp_sendrecv_all_ports(hadoop_domain)
+
+corenet_sendrecv_generic_client_packets(hadoop_domain)
+corenet_tcp_connect_generic_port(hadoop_domain)
+
+dev_read_rand(hadoop_domain)
+dev_read_urand(hadoop_domain)
+dev_read_sysfs(hadoop_domain)
+
+files_search_pids(hadoop_domain)
+files_search_var_lib(hadoop_domain)
+
+auth_domtrans_chkpwd(hadoop_domain)
+
+init_read_utmp(hadoop_domain)
+init_use_fds(hadoop_domain)
+init_use_script_fds(hadoop_domain)
+init_use_script_ptys(hadoop_domain)
+
+logging_search_logs(hadoop_domain)
+logging_send_audit_msgs(hadoop_domain)
+logging_send_syslog_msg(hadoop_domain)
+
+miscfiles_read_localization(hadoop_domain)
+
+optional_policy(`
+ java_exec(hadoop_domain)
+')
+
+optional_policy(`
+ su_exec(hadoop_domain)
+')
+
+########################################
+#
+# Common hadoop_initrc_domain local policy
+#
+
+allow hadoop_initrc_domain self:capability { setgid setuid };
+dontaudit hadoop_initrc_domain self:capability sys_tty_config;
+allow hadoop_initrc_domain self:process setsched;
+allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t)
+manage_files_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t)
+
+hadoop_exec_config(hadoop_initrc_domain)
+
+kernel_read_kernel_sysctls(hadoop_initrc_domain)
+kernel_read_sysctl(hadoop_initrc_domain)
+kernel_read_system_state(hadoop_initrc_domain)
+
+corecmd_exec_bin(hadoop_initrc_domain)
+corecmd_exec_shell(hadoop_initrc_domain)
+
+files_read_etc_files(hadoop_initrc_domain)
+files_read_usr_files(hadoop_initrc_domain)
+files_search_locks(hadoop_initrc_domain)
+files_search_pids(hadoop_initrc_domain)
+
+fs_getattr_xattr_fs(hadoop_initrc_domain)
+fs_search_cgroup_dirs(hadoop_initrc_domain)
+
+term_use_generic_ptys(hadoop_initrc_domain)
+
+init_rw_utmp(hadoop_initrc_domain)
+init_use_fds(hadoop_initrc_domain)
+init_use_script_ptys(hadoop_initrc_domain)
+
+logging_search_logs(hadoop_initrc_domain)
+logging_send_syslog_msg(hadoop_initrc_domain)
+logging_send_audit_msgs(hadoop_initrc_domain)
+
+miscfiles_read_localization(hadoop_initrc_domain)
+
+userdom_dontaudit_search_user_home_dirs(hadoop_initrc_domain)
+
+optional_policy(`
+ consoletype_exec(hadoop_initrc_domain)
+')
+
+optional_policy(`
+ nscd_use(hadoop_initrc_domain)
+')
+
+########################################
+#
+# Datanode local policy
+#
+
+manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_sendrecv_hadoop_datanode_server_packets(hadoop_datanode_t)
+corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t)
+
+corenet_sendrecv_hadoop_datanode_client_packets(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
+
+fs_getattr_xattr_fs(hadoop_datanode_t)
+
+hadoop_recvfrom_jobtracker(hadoop_datanode_t)
+hadoop_recvfrom_namenode(hadoop_datanode_t)
+hadoop_recvfrom(hadoop_datanode_t)
+hadoop_recvfrom_tasktracker(hadoop_datanode_t)
+
+########################################
+#
+# Jobtracker local policy
+#
+
+create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+
+manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_sendrecv_zope_server_packets(hadoop_jobtracker_t)
+corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
+
+corenet_sendrecv_hadoop_datanode_client_packets(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
+
+hadoop_recvfrom_datanode(hadoop_jobtracker_t)
+hadoop_recvfrom_namenode(hadoop_jobtracker_t)
+hadoop_recvfrom(hadoop_jobtracker_t)
+hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
+
+########################################
+#
+# Namenode local policy
+#
+
+manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_sendrecv_hadoop_namenode_server_packets(hadoop_namenode_t)
+corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_namenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+
+hadoop_recvfrom_datanode(hadoop_namenode_t)
+hadoop_recvfrom_jobtracker(hadoop_namenode_t)
+hadoop_recvfrom(hadoop_namenode_t)
+hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
+hadoop_recvfrom_tasktracker(hadoop_namenode_t)
+
+########################################
+#
+# Secondary namenode local policy
+#
+
+manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_secondarynamenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
+
+hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
+
+########################################
+#
+# Tasktracker local policy
+#
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t)
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
+
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_sendrecv_hadoop_datanode_client_packets(hadoop_tasktracker_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
+
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_tasktracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
+
+corenet_sendrecv_zope_client_packets(hadoop_tasktracker_t)
+corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
+
+fs_getattr_xattr_fs(hadoop_tasktracker_t)
+
+hadoop_recvfrom_datanode(hadoop_tasktracker_t)
+hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
+hadoop_recvfrom(hadoop_tasktracker_t)
+hadoop_recvfrom_namenode(hadoop_tasktracker_t)
+
+########################################
+#
+# Zookeeper client local policy
+#
+
+allow zookeeper_t self:process { getsched sigkill signal signull execmem };
+allow zookeeper_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_t self:tcp_socket { accept listen };
+
+read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+
+can_exec(zookeeper_t, zookeeper_exec_t)
+
+allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
+
+allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
+
+allow zookeeper_t zookeeper_server_t:process signull;
+
+manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t)
+filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
+
+kernel_read_network_state(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+corenet_all_recvfrom_netlabel(zookeeper_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+
+corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+
+corenet_sendrecv_generic_client_packets(zookeeper_t)
+corenet_tcp_connect_generic_port(zookeeper_t)
+
+dev_read_rand(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+dev_read_urand(zookeeper_t)
+
+domain_use_interactive_fds(zookeeper_t)
+
+files_read_usr_files(zookeeper_t)
+
+auth_use_nsswitch(zookeeper_t)
+
+miscfiles_read_localization(zookeeper_t)
+
+userdom_use_user_terminals(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+hadoop_match_lan_spd(zookeeper_t)
+hadoop_recvfrom_zookeeper_server(zookeeper_t)
+
+optional_policy(`
+ java_exec(zookeeper_t)
+')
+
+########################################
+#
+# Zookeeper server local policy
+#
+
+allow zookeeper_server_t self:capability kill;
+allow zookeeper_server_t self:process { execmem getsched sigkill signal signull };
+allow zookeeper_server_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_server_t self:peer recv;
+allow zookeeper_server_t self:tcp_socket { accept listen };
+
+allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
+
+read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+
+manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
+
+allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
+filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t)
+files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)
+
+can_exec(zookeeper_server_t, zookeeper_server_exec_t)
+
+kernel_read_network_state(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+corenet_all_recvfrom_netlabel(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_tcp_bind_generic_node(zookeeper_server_t)
+
+corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+
+corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+
+corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+
+corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t)
+
+corenet_sendrecv_generic_client_packets(zookeeper_server_t)
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+
+dev_read_rand(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+
+files_read_usr_files(zookeeper_server_t)
+
+fs_getattr_xattr_fs(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+
+miscfiles_read_localization(zookeeper_server_t)
+
+hadoop_match_lan_spd(zookeeper_server_t)
+hadoop_recvfrom_zookeeper_client(zookeeper_server_t)
+
+optional_policy(`
+ java_exec(zookeeper_server_t)
+')
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
new file mode 100644
index 000000000..5ac1f7a74
--- /dev/null
+++ b/policy/modules/services/hal.fc
@@ -0,0 +1,29 @@
+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+/usr/bin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/bin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+
+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+
+/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
new file mode 100644
index 000000000..98c4f127d
--- /dev/null
+++ b/policy/modules/services/hal.if
@@ -0,0 +1,440 @@
+## <summary>Hardware abstraction layer.</summary>
+
+########################################
+## <summary>
+## Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans',`
+ gen_require(`
+ type hald_t, hald_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hald_exec_t, hald_t)
+')
+
+########################################
+## <summary>
+## Get attributes of hald processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+## Read hal process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ ps_process_pattern($1, hald_t)
+')
+
+########################################
+## <summary>
+## Trace hald processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_ptrace',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Inherit and use hald file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherited
+## and use hald file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Read and write hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send to hald over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dgram_send',`
+ gen_require(`
+ type hald_t, hald_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t)
+')
+
+########################################
+## <summary>
+## Send to hald over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_stream_connect',`
+ gen_require(`
+ type hald_t, hald_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write hald unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Send messages to hald over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_send',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## hald over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_chat',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+ allow hald_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute hal mac in the hal mac domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+## <summary>
+## Write hald log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ logging_search_logs($1)
+ write_files_pattern($1, hald_log_t, hald_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write hald
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## hald log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+')
+
+########################################
+## <summary>
+## Read hald temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_tmp_files',`
+ gen_require(`
+ type hald_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 hald_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append
+## hald libraries files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_append_lib_files',`
+ gen_require(`
+ type hald_var_lib_t;
+ ')
+
+ dontaudit $1 hald_var_lib_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read hald pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write hald pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## hald pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## hald pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
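Review bot: `hal_ptrace` grants `allow $1 hald_t:process ptrace;` without any warning about what the caller gains: in hal.te the same commit gives hald_t dac_override, sys_admin, sys_rawio, raw memory reads and raw fixed-disk writes, so a domain able to ptrace hald can inject into it and borrow every one of those privileges, which is far stronger than anything else this interface file exposes. I would put that in the interface summary so policy authors do not reach for it casually, e.g. `## Trace hald processes. hald_t is a highly privileged domain; ptrace on it is effectively equivalent to granting the caller hald_t's full access.`, and expect its only callers to be admin/debug roles. Nothing in the hunk limits who may call it, which is normal for refpolicy interfaces, so the caveat is the practical control. A smaller consistency point: unlike hddtemp.if in the same commit, hal.if defines no `hal_admin` interface with `<rolecap/>`, so there is no single audited way to hand administrative access to a role; if that is intentional because hal is unmaintained, a one-line comment saying so would help the next reader.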
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
new file mode 100644
index 000000000..9bfd37fbc
--- /dev/null
+++ b/policy/modules/services/hal.te
@@ -0,0 +1,500 @@
+policy_module(hal, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute hald_domain;
+
+type hald_t, hald_domain;
+type hald_exec_t;
+init_daemon_domain(hald_t, hald_exec_t)
+
+type hald_acl_t, hald_domain;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
+domain_entry_file(hald_acl_t, hald_acl_exec_t)
+role system_r types hald_acl_t;
+
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
+type hald_dccm_t, hald_domain;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
+type hald_keymap_t, hald_domain;
+type hald_keymap_exec_t;
+domain_type(hald_keymap_t)
+domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
+role system_r types hald_keymap_t;
+
+type hald_log_t;
+logging_log_file(hald_log_t)
+
+type hald_mac_t, hald_domain;
+type hald_mac_exec_t;
+domain_type(hald_mac_t)
+domain_entry_file(hald_mac_t, hald_mac_exec_t)
+role system_r types hald_mac_t;
+
+type hald_sonypic_t, hald_domain;
+type hald_sonypic_exec_t;
+domain_type(hald_sonypic_t)
+domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
+role system_r types hald_sonypic_t;
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+type hald_var_lib_t;
+files_type(hald_var_lib_t)
+
+########################################
+#
+# Common local policy
+#
+
+files_read_usr_files(hald_domain)
+
+miscfiles_read_localization(hald_domain)
+
+hal_stream_connect(hald_domain)
+
+########################################
+#
+# Local policy
+#
+
+allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
+dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
+allow hald_t self:process { getsched getattr signal_perms };
+allow hald_t self:fifo_file rw_fifo_file_perms;
+allow hald_t self:unix_stream_socket { accept listen };
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:tcp_socket { accept listen };
+
+manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)
+
+append_files_pattern(hald_t, hald_log_t, hald_log_t)
+create_files_pattern(hald_t, hald_log_t, hald_log_t)
+setattr_files_pattern(hald_t, hald_log_t, hald_log_t)
+logging_log_filetrans(hald_t, hald_log_t, file)
+
+manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
+manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
+
+domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
+domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+
+allow hald_t hald_domain:process signal;
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_software_raid_state(hald_t)
+kernel_rw_kernel_sysctl(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
+kernel_rw_net_sysctls(hald_t)
+kernel_setsched(hald_t)
+kernel_request_load_module(hald_t)
+
+corecmd_exec_all_executables(hald_t)
+
+dev_rw_usbfs(hald_t)
+dev_read_rand(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_read_mouse(hald_t)
+dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
+dev_getattr_all_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
+dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
+dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
+
+domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
+
+files_exec_etc_files(hald_t)
+files_getattr_all_mountpoints(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
+files_manage_mnt_symlinks(hald_t)
+files_create_boot_flag(hald_t)
+files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
+files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
+fs_list_inotifyfs(hald_t)
+fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+fs_rw_removable_blk_files(hald_t)
+
+mls_file_read_all_levels(hald_t)
+
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+term_setattr_unallocated_ttys(hald_t)
+term_use_unallocated_ttys(hald_t)
+
+auth_use_nsswitch(hald_t)
+auth_read_pam_console_data(hald_t)
+
+fstools_getattr_swap_files(hald_t)
+
+init_domtrans_script(hald_t)
+init_read_utmp(hald_t)
+
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_audit_msgs(hald_t)
+logging_send_syslog_msg(hald_t)
+
+miscfiles_read_hwdata(hald_t)
+
+modutils_domtrans(hald_t)
+modutils_read_module_deps(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+seutil_read_file_contexts(hald_t)
+
+sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_dhcp_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
+
+optional_policy(`
+ alsa_domtrans(hald_t)
+ alsa_read_config(hald_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
+optional_policy(`
+ acpi_stream_connect(hald_t)
+')
+
+optional_policy(`
+ bind_search_cache(hald_t)
+')
+
+optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
+optional_policy(`
+ clock_domtrans(hald_t)
+')
+
+optional_policy(`
+ cups_domtrans_config(hald_t)
+ cups_signal_config(hald_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(hald_t)
+ dbus_connect_system_bus(hald_t)
+
+ init_dbus_chat_script(hald_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(hald_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(hald_t)
+ ')
+')
+
+optional_policy(`
+ dmidecode_domtrans(hald_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
+ hotplug_read_config(hald_t)
+')
+
+optional_policy(`
+ lvm_domtrans(hald_t)
+')
+
+optional_policy(`
+ mount_domtrans(hald_t)
+')
+
+optional_policy(`
+ ntp_domtrans(hald_t)
+')
+
+optional_policy(`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_pid_chr_files(hald_t)
+')
+
+optional_policy(`
+ podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
+ ppp_domtrans(hald_t)
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+ policykit_read_reload(hald_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(hald_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(hald_t)
+')
+
+optional_policy(`
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(hald_t)
+')
+
+optional_policy(`
+ updfstab_domtrans(hald_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(hald_t)
+')
+
+optional_policy(`
+ virt_manage_images(hald_t)
+')
+
+########################################
+#
+# ACL local policy
+#
+
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
+corecmd_exec_bin(hald_acl_t)
+
+dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
+dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
+dev_setattr_sound_dev(hald_acl_t)
+dev_setattr_generic_usb_dev(hald_acl_t)
+dev_setattr_usbfs_files(hald_acl_t)
+
+fs_getattr_all_fs(hald_acl_t)
+
+storage_getattr_removable_dev(hald_acl_t)
+storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
+
+auth_use_nsswitch(hald_acl_t)
+
+logging_send_syslog_msg(hald_acl_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_acl_t)
+
+ optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
+ ')
+')
+
+optional_policy(`
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+')
+
+########################################
+#
+# MAC local policy
+#
+
+allow hald_mac_t self:capability { setgid setuid sys_admin };
+
+manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+
+append_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
+dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
+
+logging_send_syslog_msg(hald_mac_t)
+logging_search_logs(hald_mac_t)
+
+########################################
+#
+# Sonypic local policy
+#
+
+dev_read_video_dev(hald_sonypic_t)
+dev_write_video_dev(hald_sonypic_t)
+
+manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+
+append_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
+logging_search_logs(hald_sonypic_t)
+
+########################################
+#
+# Keymap local policy
+#
+
+manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+dev_rw_input_dev(hald_keymap_t)
+
+files_read_etc_files(hald_keymap_t)
+
+logging_search_logs(hald_keymap_t)
+
+########################################
+#
+# Dccm local policy
+#
+
+allow hald_dccm_t self:capability chown;
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
+
+append_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+
+corenet_sendrecv_dhcpc_server_packets(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+
+corenet_sendrecv_ftp_server_packets(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
+
+corenet_sendrecv_dccm_server_packets(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+dev_read_urand(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+logging_search_logs(hald_dccm_t)
+
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
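Review bot: hald_t is effectively unconfined by the rules in this file: `storage_raw_write_fixed_disk(hald_t)` together with `dev_read_raw_memory(hald_t)`, `corecmd_exec_all_executables(hald_t)`, `libs_exec_lib_files(hald_t)`, `kernel_write_proc_files(hald_t)` and the `dac_override sys_admin sys_rawio` capabilities means a compromised hald can rewrite any block device and execute any file on the system, so the careful split into hald_acl_t, hald_mac_t, hald_keymap_t and so on buys little. Device probing needs only the read side, so unless a specific hald storage helper is known to write raw to fixed disks I would drop the write interface or gate it behind a boolean whose comment names the helper that needs it; the same question applies to `dev_write_raw_memory(hald_mac_t)`, which is plausibly needed by radeontool but deserves a comment. Separately, hald_cache_t is declared with `files_pid_file(hald_cache_t)` although hal.fc applies it to `/var/cache/hald` and `/var/lib/cache/hald`; that gives a cache directory the pid-file attribute, so every domain with manage-all-pids style access can manage hald's cache, and `files_type(hald_cache_t)` matches what the type actually labels.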
diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc
new file mode 100644
index 000000000..f1d334eb6
--- /dev/null
+++ b/policy/modules/services/hddtemp.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+
+/usr/bin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
new file mode 100644
index 000000000..269bafd18
--- /dev/null
+++ b/policy/modules/services/hddtemp.if
@@ -0,0 +1,70 @@
+## <summary>Hard disk temperature tool running as a daemon.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run hddtemp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hddtemp_domtrans',`
+ gen_require(`
+ type hddtemp_t, hddtemp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+')
+
+######################################
+## <summary>
+## Execute hddtemp in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hddtemp_exec',`
+ gen_require(`
+ type hddtemp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, hddtemp_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hddtemp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hddtemp_admin',`
+ gen_require(`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+ allow $1 hddtemp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hddtemp_t)
+
+ init_startstop_service($1, $2, hddtemp_t, hddtemp_initrc_exec_t)
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+')
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
new file mode 100644
index 000000000..2f925799c
--- /dev/null
+++ b/policy/modules/services/hddtemp.te
@@ -0,0 +1,49 @@
+policy_module(hddtemp, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+type hddtemp_etc_t;
+files_config_file(hddtemp_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+allow hddtemp_t self:tcp_socket { accept listen };
+
+allow hddtemp_t hddtemp_etc_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(hddtemp_t)
+corenet_all_recvfrom_netlabel(hddtemp_t)
+corenet_tcp_sendrecv_generic_if(hddtemp_t)
+corenet_tcp_sendrecv_generic_node(hddtemp_t)
+corenet_tcp_bind_generic_node(hddtemp_t)
+
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+files_search_etc(hddtemp_t)
+files_read_usr_files(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+storage_raw_read_removable_device(hddtemp_t)
+
+auth_use_nsswitch(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
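Review bot: hddtemp_t combines the sys_rawio capability and raw reads of fixed and removable disks (`allow hddtemp_t self:capability sys_rawio;`, `storage_raw_read_fixed_disk`, `storage_raw_read_removable_device`) with listening on the hddtemp port (`allow hddtemp_t self:tcp_socket { accept listen };`, `corenet_tcp_bind_hddtemp_port`), so anything reachable over that port runs with raw block-device read access, and nothing in the module records why the capability is required. A why-comment above the capability line would help future tightening, e.g. `# sys_rawio: presumably needed for the raw disk ioctls hddtemp issues to read temperature — confirm against audit logs`. The `dontaudit hddtemp_t self:capability sys_admin;` line likewise deserves a one-line note on which operation is being silenced. Unlike howl_exec_t and icecast_exec_t in this same commit, hddtemp_exec_t is not marked with application_executable_file(); if that omission is deliberate it is worth a comment, otherwise the declaration should match the sibling modules.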
diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc
new file mode 100644
index 000000000..c164df12d
--- /dev/null
+++ b/policy/modules/services/howl.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/((nifd)|(mDNSResponder)) -- gen_context(system_u:object_r:howl_initrc_exec_t,s0)
+
+/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0)
+/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
+
+/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if
new file mode 100644
index 000000000..afea18462
--- /dev/null
+++ b/policy/modules/services/howl.if
@@ -0,0 +1,50 @@
+## <summary>Port of Apple Rendezvous multicast DNS.</summary>
+
+########################################
+## <summary>
+## Send generic signals to howl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`howl_signal',`
+ gen_require(`
+ type howl_t;
+ ')
+
+ allow $1 howl_t:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an howl environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`howl_admin',`
+ gen_require(`
+ type howl_t, howl_initrc_exec_t, howl_var_run_t;
+ ')
+
+ allow $1 howl_t:process { ptrace signal_perms };
+ ps_process_pattern($1, howl_t)
+
+ init_startstop_service($1, $2, howl_t, howl_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, howl_var_run_t)
+')
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
new file mode 100644
index 000000000..6bbede584
--- /dev/null
+++ b/policy/modules/services/howl.te
@@ -0,0 +1,79 @@
+policy_module(howl, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type howl_t;
+type howl_exec_t;
+application_executable_file(howl_exec_t)
+init_daemon_domain(howl_t, howl_exec_t)
+
+type howl_initrc_exec_t;
+init_script_file(howl_initrc_exec_t)
+
+type howl_var_run_t;
+files_pid_file(howl_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow howl_t self:capability { kill net_admin };
+dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
+allow howl_t self:fifo_file rw_fifo_file_perms;
+allow howl_t self:tcp_socket { accept listen };
+
+manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t)
+files_pid_filetrans(howl_t, howl_var_run_t, file)
+
+kernel_read_network_state(howl_t)
+kernel_read_kernel_sysctls(howl_t)
+kernel_request_load_module(howl_t)
+kernel_list_proc(howl_t)
+kernel_read_proc_symlinks(howl_t)
+
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
+corenet_tcp_sendrecv_generic_if(howl_t)
+corenet_udp_sendrecv_generic_if(howl_t)
+corenet_tcp_sendrecv_generic_node(howl_t)
+corenet_udp_sendrecv_generic_node(howl_t)
+corenet_tcp_bind_generic_node(howl_t)
+corenet_udp_bind_generic_node(howl_t)
+
+corenet_sendrecv_howl_server_packets(howl_t)
+corenet_tcp_bind_howl_port(howl_t)
+corenet_tcp_sendrecv_howl_port(howl_t)
+corenet_udp_bind_howl_port(howl_t)
+corenet_udp_sendrecv_howl_port(howl_t)
+
+dev_read_sysfs(howl_t)
+
+fs_getattr_all_fs(howl_t)
+fs_search_auto_mountpoints(howl_t)
+
+domain_use_interactive_fds(howl_t)
+
+auth_use_nsswitch(howl_t)
+
+init_read_utmp(howl_t)
+init_dontaudit_write_utmp(howl_t)
+
+logging_send_syslog_msg(howl_t)
+
+miscfiles_read_localization(howl_t)
+
+userdom_dontaudit_use_unpriv_user_fds(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(howl_t)
+')
+
+optional_policy(`
+ udev_read_db(howl_t)
+')
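Review bot: `kernel_request_load_module(howl_t)` lets a network-facing mDNS responder trigger kernel module autoloading, and it sits next to `allow howl_t self:capability { kill net_admin };`, so a compromised howl_t could both reconfigure networking and pull modules into the kernel; neither line says what operation needs it. If module loading is only hit when the daemon creates a socket for a protocol family that is not yet loaded, a comment such as `# kernel_request_load_module: presumably for protocol-family autoload on socket creation — confirm with audit logs` would let a later reviewer decide whether a dontaudit is enough. The `kill` capability also merits a note on which non-self process howl signals, since `allow howl_t self:process signal_perms;` already covers signalling itself.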
diff --git a/policy/modules/services/hypervkvp.fc b/policy/modules/services/hypervkvp.fc
new file mode 100644
index 000000000..d1bbb44c8
--- /dev/null
+++ b/policy/modules/services/hypervkvp.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+
+/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/services/hypervkvp.if b/policy/modules/services/hypervkvp.if
new file mode 100644
index 000000000..f9a3b8eae
--- /dev/null
+++ b/policy/modules/services/hypervkvp.if
@@ -0,0 +1,29 @@
+## <summary>HyperV key value pair (KVP).</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hypervkvp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hypervkvp_admin',`
+ gen_require(`
+ type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+ ')
+
+ allow $1 hypervkvpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hypervkvpd_t)
+
+ init_startstop_service($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t)
+')
diff --git a/policy/modules/services/hypervkvp.te b/policy/modules/services/hypervkvp.te
new file mode 100644
index 000000000..33623ebab
--- /dev/null
+++ b/policy/modules/services/hypervkvp.te
@@ -0,0 +1,28 @@
+policy_module(hypervkvp, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type hypervkvpd_t;
+type hypervkvpd_exec_t;
+init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+
+type hypervkvpd_initrc_exec_t;
+init_script_file(hypervkvpd_initrc_exec_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+
+logging_send_syslog_msg(hypervkvpd_t)
+
+miscfiles_read_localization(hypervkvpd_t)
+
+sysnet_dns_name_resolve(hypervkvpd_t)
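Review bot: The local policy for hypervkvpd_t grants only self fifo and unix-stream sockets, syslog, localization and DNS resolution, with no access to any VMBus/KVP device node or state directory, so presumably the daemon cannot open its kernel channel in enforcing mode; if the module is intentionally a stub, a comment above the local policy saying so (for example `# minimal policy: device and state-file access still to be added`) would stop the gap being mistaken for a complete policy. Separately, the section header carries a stray extra `#` line after `# Local policy` / `#` that the other modules in this commit do not have; dropping it keeps the headers consistent.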
diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc
new file mode 100644
index 000000000..9dcc65aaf
--- /dev/null
+++ b/policy/modules/services/i18n_input.fc
@@ -0,0 +1,18 @@
+/etc/init\.d/((iiimf-htt-server)|(iiimf-server)|(iiim)) -- gen_context(system_u:object_r:i18n_input_initrc_exec_t,s0)
+
+/usr/bin/iiimd -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/var/log/iiim(/.*)? gen_context(system_u:object_r:i18n_input_log_t,s0)
+
+/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if
new file mode 100644
index 000000000..4e08c3cfb
--- /dev/null
+++ b/policy/modules/services/i18n_input.if
@@ -0,0 +1,36 @@
+## <summary>IIIMF htt server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an i18n input environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`i18n_input_admin',`
+ gen_require(`
+ type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_var_run_t;
+ type i18n_input_log_t;
+ ')
+
+ allow $1 i18n_input_t:process { ptrace signal_perms };
+ ps_process_pattern($1, i18n_input_t)
+
+ init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, i18n_input_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, i18n_input_log_t)
+')
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
new file mode 100644
index 000000000..181d3e90c
--- /dev/null
+++ b/policy/modules/services/i18n_input.te
@@ -0,0 +1,126 @@
+policy_module(i18n_input, 1.12.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Grant the i18n_input domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`i18n_input_read_generic_user_content', true)
+
+type i18n_input_t;
+type i18n_input_exec_t;
+init_daemon_domain(i18n_input_t, i18n_input_exec_t)
+
+type i18n_input_initrc_exec_t;
+init_script_file(i18n_input_initrc_exec_t)
+
+type i18n_input_log_t;
+logging_log_file(i18n_input_log_t)
+
+type i18n_input_var_run_t;
+files_pid_file(i18n_input_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow i18n_input_t self:capability { kill setgid setuid };
+dontaudit i18n_input_t self:capability sys_tty_config;
+allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:fifo_file rw_fifo_file_perms;
+allow i18n_input_t self:unix_stream_socket { accept listen };
+allow i18n_input_t self:tcp_socket { accept listen };
+
+allow i18n_input_t i18n_input_log_t:dir setattr_dir_perms;
+append_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t)
+create_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t)
+setattr_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t)
+
+manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+
+kernel_read_kernel_sysctls(i18n_input_t)
+kernel_read_system_state(i18n_input_t)
+
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
+corenet_tcp_sendrecv_generic_if(i18n_input_t)
+corenet_tcp_sendrecv_generic_node(i18n_input_t)
+corenet_tcp_sendrecv_all_ports(i18n_input_t)
+corenet_tcp_bind_generic_node(i18n_input_t)
+
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_tcp_bind_i18n_input_port(i18n_input_t)
+
+corenet_sendrecv_all_client_packets(i18n_input_t)
+corenet_tcp_connect_all_ports(i18n_input_t)
+
+corecmd_exec_bin(i18n_input_t)
+
+dev_read_sysfs(i18n_input_t)
+
+domain_use_interactive_fds(i18n_input_t)
+
+fs_getattr_all_fs(i18n_input_t)
+fs_search_auto_mountpoints(i18n_input_t)
+
+files_read_etc_runtime_files(i18n_input_t)
+files_read_usr_files(i18n_input_t)
+
+auth_use_nsswitch(i18n_input_t)
+
+init_stream_connect_script(i18n_input_t)
+
+logging_send_syslog_msg(i18n_input_t)
+
+miscfiles_read_localization(i18n_input_t)
+
+userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+
+tunable_policy(`i18n_input_read_generic_user_content',`
+ userdom_list_user_tmp(i18n_input_t)
+ userdom_list_user_home_content(i18n_input_t)
+ userdom_read_user_home_content_files(i18n_input_t)
+ userdom_read_user_home_content_symlinks(i18n_input_t)
+ userdom_read_user_tmp_files(i18n_input_t)
+',`
+ files_dontaudit_list_home(i18n_input_t)
+ files_dontaudit_list_tmp(i18n_input_t)
+
+ userdom_dontaudit_list_user_home_dirs(i18n_input_t)
+ userdom_dontaudit_list_user_tmp(i18n_input_t)
+ userdom_dontaudit_read_user_home_content_files(i18n_input_t)
+ userdom_dontaudit_read_user_tmp_files(i18n_input_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(i18n_input_t)
+ fs_read_nfs_symlinks(i18n_input_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(i18n_input_t)
+ fs_read_cifs_symlinks(i18n_input_t)
+')
+
+optional_policy(`
+ canna_stream_connect(i18n_input_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(i18n_input_t)
+')
+
+optional_policy(`
+ udev_read_db(i18n_input_t)
+')
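Review bot: The tunable `i18n_input_read_generic_user_content` defaults to `true`, which grants a network-listening daemon read access to every user's home content and tmp files by default (`userdom_read_user_home_content_files`, `userdom_read_user_tmp_files` in the true branch), and `corenet_tcp_connect_all_ports(i18n_input_t)` plus `corenet_sendrecv_all_client_packets(i18n_input_t)` are unconditional, so out of the box i18n_input_t can read user data and connect anywhere on the network. The icecast module in this same commit gates the equivalent all-ports access behind `icecast_use_any_tcp_ports` defaulting to false, and i18n_input should follow the same shape. I would flip the tunable default to `false` (the else branch already supplies the dontaudit rules) and move the two all-ports client lines under a new tunable, as below; `corenet_tcp_sendrecv_all_ports(i18n_input_t)` is presumably needed for accepted connections on unreserved ports and can stay. The tunable description should also say that the default is the conservative one.
```m4
## <desc>
## <p>
## Determine whether i18n_input can connect
## to any TCP port.
## </p>
## </desc>
gen_tunable(i18n_input_connect_any_port, false)

## <desc>
## <p>
## Grant the i18n_input domains read access to generic user content
## </p>
## </desc>
gen_tunable(`i18n_input_read_generic_user_content', false)

# … unchanged: type declarations and local policy up to the port rules …

corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
corenet_tcp_bind_i18n_input_port(i18n_input_t)

tunable_policy(`i18n_input_connect_any_port',`
	corenet_sendrecv_all_client_packets(i18n_input_t)
	corenet_tcp_connect_all_ports(i18n_input_t)
')

# … unchanged: remaining rules and tunable_policy / optional_policy blocks …
```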
diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc
new file mode 100644
index 000000000..6080443fe
--- /dev/null
+++ b/policy/modules/services/icecast.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
+/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
+
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
+/run/icecast\.pid -- gen_context(system_u:object_r:icecast_var_run_t,s0)
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
new file mode 100644
index 000000000..38ce1b7fa
--- /dev/null
+++ b/policy/modules/services/icecast.if
@@ -0,0 +1,189 @@
+## <summary>ShoutCast compatible streaming media server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run icecast.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_domtrans',`
+ gen_require(`
+ type icecast_t, icecast_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, icecast_exec_t, icecast_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to icecast.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute icecast server in the icecast domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_initrc_domtrans',`
+ gen_require(`
+ type icecast_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, icecast_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read icecast pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_read_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 icecast_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## icecast pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+########################################
+## <summary>
+## Read icecast log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_read_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Append icecast log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_append_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## icecast log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an icecast environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_admin',`
+ gen_require(`
+ type icecast_t, icecast_initrc_exec_t, icecast_log_t;
+ type icecast_var_run_t;
+ ')
+
+ init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t)
+
+ allow $1 icecast_t:process { ptrace signal_perms };
+ ps_process_pattern($1, icecast_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, icecast_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, icecast_var_run_t)
+')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
new file mode 100644
index 000000000..acbb3fc69
--- /dev/null
+++ b/policy/modules/services/icecast.te
@@ -0,0 +1,88 @@
+policy_module(icecast, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether icecast can listen
+## on and connect to any TCP port.
+## </p>
+## </desc>
+gen_tunable(icecast_use_any_tcp_ports, false)
+
+type icecast_t;
+type icecast_exec_t;
+application_executable_file(icecast_exec_t)
+init_daemon_domain(icecast_t, icecast_exec_t)
+
+type icecast_initrc_exec_t;
+init_script_file(icecast_initrc_exec_t)
+
+type icecast_log_t;
+logging_log_file(icecast_log_t)
+
+type icecast_var_run_t;
+files_pid_file(icecast_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:process { getsched setsched signal };
+allow icecast_t self:fifo_file rw_fifo_file_perms;
+allow icecast_t self:unix_stream_socket create_stream_socket_perms;
+allow icecast_t self:tcp_socket { accept listen };
+
+allow icecast_t icecast_log_t:dir setattr_dir_perms;
+append_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+create_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+setattr_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+
+manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
+kernel_read_system_state(icecast_t)
+
+corenet_all_recvfrom_unlabeled(icecast_t)
+corenet_all_recvfrom_netlabel(icecast_t)
+corenet_tcp_sendrecv_generic_if(icecast_t)
+corenet_tcp_sendrecv_generic_node(icecast_t)
+corenet_tcp_bind_generic_node(icecast_t)
+
+corenet_sendrecv_soundd_server_packets(icecast_t)
+corenet_tcp_bind_soundd_port(icecast_t)
+corenet_sendrecv_soundd_client_packets(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
+corenet_tcp_sendrecv_soundd_port(icecast_t)
+
+dev_read_sysfs(icecast_t)
+dev_read_urand(icecast_t)
+dev_read_rand(icecast_t)
+
+domain_use_interactive_fds(icecast_t)
+
+auth_use_nsswitch(icecast_t)
+
+miscfiles_read_localization(icecast_t)
+
+tunable_policy(`icecast_use_any_tcp_ports',`
+ corenet_tcp_connect_all_ports(icecast_t)
+ corenet_sendrecv_all_client_packets(icecast_t)
+ corenet_tcp_bind_all_ports(icecast_t)
+ corenet_sendrecv_all_server_packets(icecast_t)
+ corenet_tcp_sendrecv_all_ports(icecast_t)
+')
+
+optional_policy(`
+ apache_read_sys_content(icecast_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(icecast_t)
+')
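Review bot: `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` grants DAC bypass to a streaming server that also drops privileges with setuid/setgid, and nothing in the module records which file access needs it; if it is only to open config or log files owned by the unprivileged icecast user before the drop, dac_read_search or correct file ownership may suffice. A why-comment on that line would make the grant reviewable, e.g. `# dac_override: presumably for opening icecast-owned log/config files while still root — confirm against audit logs, dac_read_search may suffice`. The domain also has no logging_send_syslog_msg() unlike every other daemon in this commit; if icecast only writes to icecast_log_t (the append/create/setattr rules above), a short comment saying so would pre-empt the question.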
diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc
new file mode 100644
index 000000000..2a1e92907
--- /dev/null
+++ b/policy/modules/services/ifplugd.fc
@@ -0,0 +1,9 @@
+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/bin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
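Review bot: `/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)` uses an unescaped `.` followed by `.*`, so it labels any path under /run whose name merely begins with `ifplugd`, unlike the other entries in this commit that escape the dot (`/run/nifd\.pid`, `/run/icecast\.pid`). If the intent is the daemon's per-interface pid and socket files plus a possible directory, two explicit patterns would be tighter: `/run/ifplugd\..* gen_context(system_u:object_r:ifplugd_var_run_t,s0)` and `/run/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_var_run_t,s0)`; the exact names ifplugd creates should be confirmed before changing this.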
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
new file mode 100644
index 000000000..3cd19b368
--- /dev/null
+++ b/policy/modules/services/ifplugd.if
@@ -0,0 +1,132 @@
+## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ifplugd_domtrans',`
+ gen_require(`
+ type ifplugd_t, ifplugd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_signal',`
+ gen_require(`
+ type ifplugd_t;
+ ')
+
+ allow $1 ifplugd_t:process signal;
+')
+
+########################################
+## <summary>
+## Read ifplugd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## ifplugd configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_manage_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Read ifplugd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_pid_files',`
+ gen_require(`
+ type ifplugd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ifplugd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ifplugd_admin',`
+ gen_require(`
+ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
+ type ifplugd_initrc_exec_t;
+ ')
+
+ allow $1 ifplugd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ifplugd_t)
+
+ init_startstop_service($1, $2, ifplugd_t, ifplugd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ifplugd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ifplugd_var_run_t)
+')
diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
new file mode 100644
index 000000000..14180ac63
--- /dev/null
+++ b/policy/modules/services/ifplugd.te
@@ -0,0 +1,72 @@
+policy_module(ifplugd, 1.4.1)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ifplugd_t self:capability { net_admin net_bind_service sys_nice };
+dontaudit ifplugd_t self:capability sys_tty_config;
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket { accept listen };
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket nlmsg_write;
+
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_read_system_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+
+corecmd_exec_bin(ifplugd_t)
+corecmd_exec_shell(ifplugd_t)
+
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+init_domtrans_script(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+ consoletype_exec(ifplugd_t)
+')
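Review bot: `exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)` means the contents of ifplugd_etc_t are executed by a domain that holds `net_admin net_bind_service`, runs shells (`corecmd_exec_shell`) and init scripts (`init_domtrans_script`), and transitions into ifconfig and dhcpc; any domain granted ifplugd_manage_config() in the .if can therefore run code with those privileges. That is probably inherent to ifplugd's action scripts, but it should be stated next to the rule, e.g. `# the config dir holds scripts that ifplugd_t executes — write access to ifplugd_etc_t is equivalent to code execution in this domain`. Note also that ifplugd_etc_t is declared with files_type() rather than files_config_file() as hddtemp_etc_t is in this commit; if the executable content is the reason, a comment saying so would stop someone "fixing" it later.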
diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc
new file mode 100644
index 000000000..eb9416e87
--- /dev/null
+++ b/policy/modules/services/imaze.fc
@@ -0,0 +1,7 @@
+/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
+
+/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
+
+/run/imaze\.pid -- gen_context(system_u:object_r:imazesrv_var_run_t,s0)
diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if
new file mode 100644
index 000000000..db53881db
--- /dev/null
+++ b/policy/modules/services/imaze.if
@@ -0,0 +1 @@
+## <summary>iMaze game server.</summary>
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
new file mode 100644
index 000000000..7649b91aa
--- /dev/null
+++ b/policy/modules/services/imaze.te
@@ -0,0 +1,85 @@
+policy_module(imaze, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type imazesrv_t;
+type imazesrv_exec_t;
+application_executable_file(imazesrv_exec_t)
+init_daemon_domain(imazesrv_t, imazesrv_exec_t)
+
+type imazesrv_data_t;
+files_type(imazesrv_data_t)
+
+type imazesrv_log_t;
+logging_log_file(imazesrv_log_t)
+
+type imazesrv_var_run_t;
+files_pid_file(imazesrv_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit imazesrv_t self:capability sys_tty_config;
+allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow imazesrv_t self:fifo_file rw_fifo_file_perms;
+allow imazesrv_t self:tcp_socket { accept listen };
+allow imazesrv_t self:unix_dgram_socket sendto;
+allow imazesrv_t self:unix_stream_socket { accept connectto listen };
+
+allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
+read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+
+allow imazesrv_t imazesrv_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
+
+manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t)
+files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file)
+
+kernel_list_proc(imazesrv_t)
+kernel_read_kernel_sysctls(imazesrv_t)
+kernel_read_proc_symlinks(imazesrv_t)
+
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
+corenet_tcp_sendrecv_generic_if(imazesrv_t)
+corenet_udp_sendrecv_generic_if(imazesrv_t)
+corenet_tcp_sendrecv_generic_node(imazesrv_t)
+corenet_udp_sendrecv_generic_node(imazesrv_t)
+corenet_tcp_bind_generic_node(imazesrv_t)
+corenet_udp_bind_generic_node(imazesrv_t)
+
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
+corenet_tcp_bind_imaze_port(imazesrv_t)
+corenet_tcp_sendrecv_imaze_port(imazesrv_t)
+corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_udp_sendrecv_imaze_port(imazesrv_t)
+
+dev_read_sysfs(imazesrv_t)
+
+domain_use_interactive_fds(imazesrv_t)
+
+fs_getattr_all_fs(imazesrv_t)
+fs_search_auto_mountpoints(imazesrv_t)
+
+auth_use_nsswitch(imazesrv_t)
+
+logging_send_syslog_msg(imazesrv_t)
+
+miscfiles_read_localization(imazesrv_t)
+
+userdom_use_unpriv_users_fds(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(imazesrv_t)
+')
+
+optional_policy(`
+ udev_read_db(imazesrv_t)
+')
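Review bot: `allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };` grants a game server far more process permissions than the other daemons in this commit (howl_t gets `signal_perms`, icecast_t `{ getsched setsched signal }`), including dyntransition, transition, setcap and share, which a plain init-started daemon should not need. Unless audit data shows imazesrv actually exercises them, I would reduce the line to `allow imazesrv_t self:process { signal_perms getsched setsched getsession getpgid setpgid getattr getrlimit };`. `userdom_use_unpriv_users_fds(imazesrv_t)` is likewise an allow where the sibling modules use the dontaudit variant; if inheriting user fds is not intended, `userdom_dontaudit_use_unpriv_user_fds(imazesrv_t)` matches them.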
diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc
new file mode 100644
index 000000000..3329de47b
--- /dev/null
+++ b/policy/modules/services/inetd.fc
@@ -0,0 +1,19 @@
+/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/bin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/bin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/bin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
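Review bot: The `/usr/bin/in\..*d` and `/usr/sbin/in\..*d` specs in this hunk also match `/usr/bin/in.nnrpd` and `/usr/sbin/in.nnrpd`, which inn.fc in this same commit labels `innd_exec_t` rather than `inetd_child_exec_t`. If I read libselinux's file-context matching right, which label such a path ends up with is decided by spec ordering rather than by intent, so a relabel could silently move nnrpd in or out of the inetd child domain. The wildcard is presumably meant for the classic `in.telnetd`/`in.ftpd`-style helpers; a tighter pattern such as `/usr/bin/in\.[^/]*d` still does not exclude `in.nnrpd`, so either list the intended helpers explicitly or leave a comment that inn.fc's more specific entry is relied on to win. This applies equally to the inn.fc hunk later in the commit.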
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
new file mode 100644
index 000000000..593cd40bc
--- /dev/null
+++ b/policy/modules/services/inetd.if
@@ -0,0 +1,177 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+## <p>
+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use inetd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+## Run inetd child process in the
+## inet child domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+## <summary>
+## Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
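Review bot: `inetd_tcp_service_domain` opens with a stray blank line before its `gen_require`, unlike the three sibling `*_service_domain` interfaces in this file, which makes the block look truncated when scanning; drop the blank line. The `inetd_domtrans_child` summary reads `Run inetd child process in the inet child domain.` where the domain is `inetd_child_t`, so `inetd child domain` is meant. The summaries of `inetd_core_service_domain` also say `a inetd service`; `an inetd service` reads correctly.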
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
new file mode 100644
index 000000000..277a8ad40
--- /dev/null
+++ b/policy/modules/services/inetd.te
@@ -0,0 +1,238 @@
+policy_module(inetd, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type inetd_t;
+type inetd_exec_t;
+init_daemon_domain(inetd_t, inetd_exec_t)
+
+type inetd_log_t;
+logging_log_file(inetd_log_t)
+
+type inetd_tmp_t;
+files_tmp_file(inetd_tmp_t)
+
+type inetd_var_run_t;
+files_pid_file(inetd_var_run_t)
+
+type inetd_child_t;
+type inetd_child_exec_t;
+inetd_service_domain(inetd_child_t, inetd_child_exec_t)
+
+type inetd_child_tmp_t;
+files_tmp_file(inetd_child_tmp_t)
+
+type inetd_child_var_run_t;
+files_pid_file(inetd_child_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow inetd_t self:capability { setgid setuid sys_resource };
+dontaudit inetd_t self:capability sys_tty_config;
+allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:fifo_file rw_fifo_file_perms;
+allow inetd_t self:tcp_socket { accept listen };
+allow inetd_t self:fd use;
+
+allow inetd_t inetd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(inetd_t, inetd_log_t, file)
+
+manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
+
+allow inetd_t inetd_var_run_t:file manage_file_perms;
+files_pid_filetrans(inetd_t, inetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
+kernel_read_system_state(inetd_t)
+kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
+
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
+corenet_tcp_sendrecv_generic_if(inetd_t)
+corenet_udp_sendrecv_generic_if(inetd_t)
+corenet_tcp_sendrecv_generic_node(inetd_t)
+corenet_udp_sendrecv_generic_node(inetd_t)
+corenet_tcp_sendrecv_all_ports(inetd_t)
+corenet_udp_sendrecv_all_ports(inetd_t)
+corenet_tcp_bind_generic_node(inetd_t)
+corenet_udp_bind_generic_node(inetd_t)
+
+corenet_sendrecv_all_client_packets(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
+
+corenet_sendrecv_amanda_server_packets(inetd_t)
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
+
+corenet_sendrecv_auth_server_packets(inetd_t)
+corenet_tcp_bind_auth_port(inetd_t)
+
+corenet_sendrecv_comsat_server_packets(inetd_t)
+corenet_udp_bind_comsat_port(inetd_t)
+
+corenet_sendrecv_dbskkd_server_packets(inetd_t)
+corenet_tcp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_dbskkd_port(inetd_t)
+
+corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
+corenet_udp_bind_ftp_port(inetd_t)
+
+corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
+
+corenet_sendrecv_ircd_server_packets(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
+
+corenet_sendrecv_ktalkd_server_packets(inetd_t)
+corenet_udp_bind_ktalkd_port(inetd_t)
+
+corenet_sendrecv_pop_server_packets(inetd_t)
+corenet_tcp_bind_pop_port(inetd_t)
+
+corenet_sendrecv_printer_server_packets(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
+
+corenet_sendrecv_rlogind_server_packets(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
+
+corenet_sendrecv_rsh_server_packets(inetd_t)
+corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
+
+corenet_sendrecv_rsync_server_packets(inetd_t)
+corenet_tcp_bind_rsync_port(inetd_t)
+corenet_udp_bind_rsync_port(inetd_t)
+
+corenet_sendrecv_stunnel_server_packets(inetd_t)
+corenet_tcp_bind_stunnel_port(inetd_t)
+
+corenet_sendrecv_swat_server_packets(inetd_t)
+corenet_tcp_bind_swat_port(inetd_t)
+corenet_udp_bind_swat_port(inetd_t)
+
+corenet_sendrecv_telnetd_server_packets(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
+
+corenet_sendrecv_tftp_server_packets(inetd_t)
+corenet_udp_bind_tftp_port(inetd_t)
+
+corenet_sendrecv_ssh_server_packets(inetd_t)
+corenet_tcp_bind_ssh_port(inetd_t)
+
+corenet_sendrecv_git_server_packets(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
+
+dev_read_sysfs(inetd_t)
+
+domain_use_interactive_fds(inetd_t)
+
+fs_getattr_all_fs(inetd_t)
+fs_search_auto_mountpoints(inetd_t)
+
+selinux_validate_context(inetd_t)
+selinux_compute_create_context(inetd_t)
+
+files_read_etc_runtime_files(inetd_t)
+
+auth_use_nsswitch(inetd_t)
+
+logging_send_syslog_msg(inetd_t)
+
+miscfiles_read_localization(inetd_t)
+
+mls_fd_share_all_levels(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
+mls_net_outbound_all_levels(inetd_t)
+mls_process_set_level(inetd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(inetd_t)
+ ')
+')
+
+ifdef(`enable_mls',`
+ corenet_tcp_recvfrom_netlabel(inetd_t)
+ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
+optional_policy(`
+ amanda_search_lib(inetd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(inetd_t)
+')
+
+optional_policy(`
+ tftp_read_config_files(inetd_t)
+')
+
+optional_policy(`
+ udev_read_db(inetd_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(inetd_t)
+')
+
+########################################
+#
+# Child local policy
+#
+
+allow inetd_child_t self:capability { setgid setuid };
+allow inetd_child_t self:process signal_perms;
+allow inetd_child_t self:fifo_file rw_fifo_file_perms;
+allow inetd_child_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
+
+manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_child_t)
+kernel_read_network_state(inetd_child_t)
+kernel_read_system_state(inetd_child_t)
+
+dev_read_urand(inetd_child_t)
+
+fs_getattr_xattr_fs(inetd_child_t)
+
+files_read_etc_runtime_files(inetd_child_t)
+
+auth_use_nsswitch(inetd_child_t)
+
+logging_send_syslog_msg(inetd_child_t)
+
+miscfiles_read_localization(inetd_child_t)
+
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
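Review bot: The `optional_policy(` unconfined_domain(inetd_child_t) ')` at the end of the child local policy is unconditional, while the matching `unconfined_domain(inetd_t)` earlier in this file is wrapped in `ifdef(`distro_redhat',`…')`. Because `corecmd_bin_domtrans(inetd_t, inetd_child_t)` makes `inetd_child_t` the fallback domain for any inetd-spawned program without its own policy, loading the unconfined module turns every such network-facing child into an unconfined process on all distributions, which defeats the point of having a child domain. I would wrap the child block in the same `distro_redhat` guard (or a dedicated tunable) so the behaviour matches the parent domain, and add a comment explaining why the fallback is unconfined where it is kept.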
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
new file mode 100644
index 000000000..eb9bda28a
--- /dev/null
+++ b/policy/modules/services/inn.fc
@@ -0,0 +1,60 @@
+/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
+/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
+
+/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0)
+
+/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0)
+/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+/run/news\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0)
+
+/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
new file mode 100644
index 000000000..8e24feb99
--- /dev/null
+++ b/policy/modules/services/inn.if
@@ -0,0 +1,252 @@
+## <summary>Internet News NNTP server.</summary>
+
+########################################
+## <summary>
+## Execute innd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec',`
+ gen_require(`
+ type innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, innd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute inn configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ files_search_etc($1)
+ exec_files_pattern($1, innd_etc_t, innd_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## innd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ manage_files_pattern($1, innd_log_t, innd_log_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the innd log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`inn_generic_log_filetrans_innd_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ logging_log_filetrans($1, innd_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## innd pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_pid',`
+ gen_require(`
+ type innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 innd_var_run_t:dir manage_dir_perms;
+ allow $1 innd_var_run_t:file manage_file_perms;
+ allow $1 innd_var_run_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+#
+interface(`inn_read_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_spool',`
+ gen_require(`
+ type news_spool_t;
+ ')
+
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send to a innd unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_dgram_send',`
+ gen_require(`
+ type innd_t, innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t)
+')
+
+########################################
+## <summary>
+## Execute innd in the innd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inn_domtrans',`
+ gen_require(`
+ type innd_t, innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, innd_exec_t, innd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an inn environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+ type news_spool_t, innd_var_lib_t;
+ type innd_var_run_t, innd_initrc_exec_t;
+ ')
+
+ init_startstop_service($1, $2, innd_t, innd_initrc_exec_t)
+
+ allow $1 innd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, innd_t)
+
+ files_list_etc($1)
+ admin_pattern($1, innd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, innd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, innd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, innd_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, news_spool_t)
+')
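Review bot: The documentation block of `inn_read_config` has a blank line between `## </param>` and the `#` line that precedes `interface(`, unlike every other interface in this file. The refpolicy documentation generator associates a `##` comment block with the interface that immediately follows it, so the blank line may detach the summary and parameter description from `inn_read_config` in the generated docs (not verified here). Removing the blank line restores the layout the other interfaces use.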
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
new file mode 100644
index 000000000..a1575e90c
--- /dev/null
+++ b/policy/modules/services/inn.te
@@ -0,0 +1,129 @@
+policy_module(inn, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type innd_t;
+type innd_exec_t;
+init_daemon_domain(innd_t, innd_exec_t)
+
+type innd_etc_t;
+files_config_file(innd_etc_t)
+
+type innd_initrc_exec_t;
+init_script_file(innd_initrc_exec_t)
+
+type innd_log_t;
+logging_log_file(innd_log_t)
+
+type innd_var_lib_t;
+files_type(innd_var_lib_t)
+
+type innd_var_run_t;
+files_pid_file(innd_var_run_t)
+
+type news_spool_t;
+files_mountpoint(news_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow innd_t self:capability { dac_override kill setgid setuid };
+dontaudit innd_t self:capability sys_tty_config;
+allow innd_t self:process { setsched signal_perms };
+allow innd_t self:fifo_file rw_fifo_file_perms;
+allow innd_t self:unix_dgram_socket sendto;
+allow innd_t self:unix_stream_socket { accept connectto listen };
+allow innd_t self:tcp_socket { accept listen };
+
+read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+
+allow innd_t innd_log_t:dir setattr_dir_perms;
+append_files_pattern(innd_t, innd_log_t, innd_log_t)
+create_files_pattern(innd_t, innd_log_t, innd_log_t)
+setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
+
+manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+
+manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+files_pid_filetrans(innd_t, innd_var_run_t, file)
+
+manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
+manage_files_pattern(innd_t, news_spool_t, news_spool_t)
+manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+
+can_exec(innd_t, innd_exec_t)
+
+kernel_read_kernel_sysctls(innd_t)
+kernel_read_system_state(innd_t)
+
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
+corenet_tcp_sendrecv_generic_if(innd_t)
+corenet_tcp_sendrecv_generic_node(innd_t)
+corenet_tcp_sendrecv_all_ports(innd_t)
+corenet_tcp_bind_generic_node(innd_t)
+
+corenet_sendrecv_innd_server_packets(innd_t)
+corenet_tcp_bind_innd_port(innd_t)
+
+corenet_sendrecv_all_client_packets(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
+
+corecmd_exec_bin(innd_t)
+corecmd_exec_shell(innd_t)
+
+dev_read_sysfs(innd_t)
+dev_read_urand(innd_t)
+
+domain_use_interactive_fds(innd_t)
+
+fs_getattr_all_fs(innd_t)
+fs_search_auto_mountpoints(innd_t)
+
+files_list_spool(innd_t)
+files_read_etc_runtime_files(innd_t)
+files_read_usr_files(innd_t)
+
+auth_use_nsswitch(innd_t)
+
+logging_send_syslog_msg(innd_t)
+
+miscfiles_read_localization(innd_t)
+
+seutil_dontaudit_search_config(innd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(innd_t)
+userdom_dontaudit_search_user_home_dirs(innd_t)
+
+mta_send_mail(innd_t)
+
+ifdef(`distro_gentoo',`
+ logging_syslog_managed_log_file(innd_log_t, "news.crit")
+ logging_syslog_managed_log_file(innd_log_t, "news.err")
+ logging_syslog_managed_log_file(innd_log_t, "news.notice")
+')
+
+optional_policy(`
+ cron_system_entry(innd_t, innd_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(innd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(innd_t)
+')
+
+optional_policy(`
+ udev_read_db(innd_t)
+')
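Review bot: `innd_t` is allowed to create and append `innd_log_t` files but, unlike `inetd_t` and `ircd_t` in this same commit, the module has no `logging_log_filetrans(innd_t, innd_log_t, file)`. inn.fc's `/var/log/news.*` entry is file-only (`--`), so a `/var/log/news` directory itself would keep the generic log type and a file innd creates there would not be labelled `innd_log_t`; the `create_files_pattern` rule then does not cover it. If innd is expected to create its own log files rather than relying solely on the syslog-managed ones declared under `distro_gentoo`, add `logging_log_filetrans(innd_t, innd_log_t, file)` next to the existing log rules, otherwise a comment stating that log files are created only by syslog would make the omission deliberate.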
diff --git a/policy/modules/services/iodine.fc b/policy/modules/services/iodine.fc
new file mode 100644
index 000000000..7ae0c0693
--- /dev/null
+++ b/policy/modules/services/iodine.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
+
+/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+
+/usr/bin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/services/iodine.if b/policy/modules/services/iodine.if
new file mode 100644
index 000000000..99f1afd18
--- /dev/null
+++ b/policy/modules/services/iodine.if
@@ -0,0 +1,29 @@
+## <summary>IP over DNS tunneling daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an iodined environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iodine_admin',`
+ gen_require(`
+ type iodined_t, iodined_initrc_exec_t;
+ ')
+
+ allow $1 iodined_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iodined_t)
+
+ init_startstop_service($1, $2, iodined_t, iodined_initrc_exec_t)
+')
diff --git a/policy/modules/services/iodine.te b/policy/modules/services/iodine.te
new file mode 100644
index 000000000..c918bbf43
--- /dev/null
+++ b/policy/modules/services/iodine.te
@@ -0,0 +1,57 @@
+policy_module(iodine, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type iodined_t;
+type iodined_exec_t;
+init_daemon_domain(iodined_t, iodined_exec_t)
+
+type iodined_initrc_exec_t;
+init_script_file(iodined_initrc_exec_t)
+
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
+allow iodined_t self:rawip_socket create_socket_perms;
+allow iodined_t self:tun_socket create_socket_perms;
+allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+
+kernel_read_net_sysctls(iodined_t)
+kernel_read_network_state(iodined_t)
+kernel_read_system_state(iodined_t)
+kernel_request_load_module(iodined_t)
+
+corenet_all_recvfrom_netlabel(iodined_t)
+corenet_all_recvfrom_unlabeled(iodined_t)
+corenet_raw_sendrecv_generic_if(iodined_t)
+corenet_udp_sendrecv_generic_if(iodined_t)
+corenet_raw_sendrecv_generic_node(iodined_t)
+corenet_udp_sendrecv_generic_node(iodined_t)
+corenet_udp_bind_generic_node(iodined_t)
+
+corenet_rw_tun_tap_dev(iodined_t)
+
+corenet_sendrecv_dns_server_packets(iodined_t)
+corenet_udp_bind_dns_port(iodined_t)
+corenet_udp_sendrecv_dns_port(iodined_t)
+
+corecmd_exec_shell(iodined_t)
+
+files_read_etc_files(iodined_t)
+
+logging_send_syslog_msg(iodined_t)
+
+sysnet_domtrans_ifconfig(iodined_t)
diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc
new file mode 100644
index 000000000..f1944c754
--- /dev/null
+++ b/policy/modules/services/ircd.fc
@@ -0,0 +1,23 @@
+/etc/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0)
+/etc/ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0)
+/etc/ngircd\.conf -- gen_context(system_u:object_r:ircd_etc_t,s0)
+/etc/ngircd\.motd -- gen_context(system_u:object_r:ircd_etc_t,s0)
+
+/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
+
+/usr/bin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/bin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+
+/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/sbin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+
+/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
+
+/var/log/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
+/var/log/ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
+/var/log/ngircd\.log.* -- gen_context(system_u:object_r:ircd_log_t,s0)
+
+/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+/run/ngircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if
new file mode 100644
index 000000000..3dbe87d67
--- /dev/null
+++ b/policy/modules/services/ircd.if
@@ -0,0 +1,42 @@
+## <summary>IRC servers.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ircd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ircd_admin',`
+ gen_require(`
+ type ircd_t, ircd_initrc_exec_t, ircd_etc_t;
+ type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
+ ')
+
+ init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t)
+
+ allow $1 ircd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ircd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, ircd_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, ircd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ircd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ircd_var_run_t)
+')
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
new file mode 100644
index 000000000..a50373e07
--- /dev/null
+++ b/policy/modules/services/ircd.te
@@ -0,0 +1,89 @@
+policy_module(ircd, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type ircd_t;
+type ircd_exec_t;
+init_daemon_domain(ircd_t, ircd_exec_t)
+
+type ircd_initrc_exec_t;
+init_script_file(ircd_initrc_exec_t)
+
+type ircd_etc_t;
+files_config_file(ircd_etc_t)
+
+type ircd_log_t;
+logging_log_file(ircd_log_t)
+
+type ircd_var_lib_t;
+files_type(ircd_var_lib_t)
+
+type ircd_var_run_t;
+files_pid_file(ircd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit ircd_t self:capability sys_tty_config;
+allow ircd_t self:process signal_perms;
+allow ircd_t self:tcp_socket { accept listen };
+
+read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+
+allow ircd_t ircd_log_t:dir setattr_dir_perms;
+append_files_pattern(ircd_t, ircd_log_t, ircd_log_t)
+create_files_pattern(ircd_t, ircd_log_t, ircd_log_t)
+setattr_files_pattern(ircd_t, ircd_log_t, ircd_log_t)
+logging_log_filetrans(ircd_t, ircd_log_t, file)
+
+manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t)
+
+manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t)
+files_pid_filetrans(ircd_t, ircd_var_run_t, file)
+
+kernel_read_system_state(ircd_t)
+kernel_read_kernel_sysctls(ircd_t)
+
+corecmd_exec_bin(ircd_t)
+
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
+corenet_tcp_sendrecv_generic_if(ircd_t)
+corenet_tcp_sendrecv_generic_node(ircd_t)
+corenet_tcp_bind_generic_node(ircd_t)
+
+corenet_sendrecv_ircd_server_packets(ircd_t)
+corenet_tcp_bind_ircd_port(ircd_t)
+corenet_tcp_sendrecv_ircd_port(ircd_t)
+
+dev_read_sysfs(ircd_t)
+
+domain_use_interactive_fds(ircd_t)
+
+files_read_etc_runtime_files(ircd_t)
+
+fs_getattr_all_fs(ircd_t)
+fs_search_auto_mountpoints(ircd_t)
+
+auth_use_nsswitch(ircd_t)
+
+logging_send_syslog_msg(ircd_t)
+
+miscfiles_read_localization(ircd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+userdom_dontaudit_search_user_home_dirs(ircd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ircd_t)
+')
+
+optional_policy(`
+ udev_read_db(ircd_t)
+')
diff --git a/policy/modules/services/irqbalance.fc b/policy/modules/services/irqbalance.fc
new file mode 100644
index 000000000..a9fb42964
--- /dev/null
+++ b/policy/modules/services/irqbalance.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/irqbalance\.service -- gen_context(system_u:object_r:irqbalance_unit_t,s0)
+
+/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0)
+
+/usr/bin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
+
+/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/services/irqbalance.if b/policy/modules/services/irqbalance.if
new file mode 100644
index 000000000..a8e452fe4
--- /dev/null
+++ b/policy/modules/services/irqbalance.if
@@ -0,0 +1,33 @@
+## <summary>IRQ balancing daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an irqbalance environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`irqbalance_admin',`
+ gen_require(`
+ type irqbalance_t, irqbalance_initrc_exec_t;
+ type irqbalance_pid_t, irqbalance_unit_t;
+ ')
+
+ allow $1 irqbalance_t:process { ptrace signal_perms };
+ ps_process_pattern($1, irqbalance_t)
+
+ init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t, irqbalance_unit_t)
+
+ files_search_pids($1)
+ admin_pattern($1, irqbalance_pid_t)
+')
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
new file mode 100644
index 000000000..a71058d86
--- /dev/null
+++ b/policy/modules/services/irqbalance.te
@@ -0,0 +1,59 @@
+policy_module(irqbalance, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type irqbalance_t;
+type irqbalance_exec_t;
+init_daemon_domain(irqbalance_t, irqbalance_exec_t)
+
+type irqbalance_initrc_exec_t;
+init_script_file(irqbalance_initrc_exec_t)
+
+type irqbalance_pid_t;
+typealias irqbalance_pid_t alias irqbalance_var_run_t;
+files_pid_file(irqbalance_pid_t)
+
+type irqbalance_unit_t;
+init_unit_file(irqbalance_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irqbalance_t self:capability { setpcap };
+dontaudit irqbalance_t self:capability sys_tty_config;
+allow irqbalance_t self:process { getcap getsched setcap signal_perms };
+allow irqbalance_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
+
+kernel_read_network_state(irqbalance_t)
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
+
+dev_read_sysfs(irqbalance_t)
+
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
+fs_getattr_all_fs(irqbalance_t)
+fs_search_auto_mountpoints(irqbalance_t)
+
+domain_use_interactive_fds(irqbalance_t)
+
+logging_send_syslog_msg(irqbalance_t)
+
+miscfiles_read_localization(irqbalance_t)
+
+userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+optional_policy(`
+ udev_read_db(irqbalance_t)
+')
diff --git a/policy/modules/services/isns.fc b/policy/modules/services/isns.fc
new file mode 100644
index 000000000..488e9a0cc
--- /dev/null
+++ b/policy/modules/services/isns.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
+
+/usr/bin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
+
+/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
+
+/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
+
+/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
+/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
diff --git a/policy/modules/services/isns.if b/policy/modules/services/isns.if
new file mode 100644
index 000000000..4d847e9cc
--- /dev/null
+++ b/policy/modules/services/isns.if
@@ -0,0 +1,36 @@
+## <summary>Internet Storage Name Service.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an isnsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`isnsd_admin',`
+ gen_require(`
+ type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t;
+ type isnsd_var_run_t;
+ ')
+
+ allow $1 isnsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, isnsd_t)
+
+ init_startstop_service($1, $2, isnsd_t, isnsd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, isnsd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, isnsd_var_run_t)
+')
diff --git a/policy/modules/services/isns.te b/policy/modules/services/isns.te
new file mode 100644
index 000000000..b6780d1ef
--- /dev/null
+++ b/policy/modules/services/isns.te
@@ -0,0 +1,55 @@
+policy_module(isns, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type isnsd_t;
+type isnsd_exec_t;
+init_daemon_domain(isnsd_t, isnsd_exec_t)
+
+type isnsd_initrc_exec_t;
+init_script_file(isnsd_initrc_exec_t)
+
+type isnsd_var_lib_t;
+files_type(isnsd_var_lib_t)
+
+type isnsd_var_run_t;
+files_pid_file(isnsd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow isnsd_t self:capability kill;
+allow isnsd_t self:process signal;
+allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:udp_socket { accept listen };
+allow isnsd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
+manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
+files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, dir)
+
+manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
+manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
+files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(isnsd_t)
+corenet_all_recvfrom_netlabel(isnsd_t)
+corenet_tcp_sendrecv_generic_if(isnsd_t)
+corenet_tcp_sendrecv_generic_node(isnsd_t)
+corenet_tcp_sendrecv_isns_port(isnsd_t)
+corenet_tcp_bind_generic_node(isnsd_t)
+corenet_sendrecv_isns_server_packets(isnsd_t)
+corenet_tcp_bind_isns_port(isnsd_t)
+
+files_read_etc_files(isnsd_t)
+
+logging_send_syslog_msg(isnsd_t)
+
+miscfiles_read_localization(isnsd_t)
+
+sysnet_dns_name_resolve(isnsd_t)
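Review bot: The listening permissions at `allow isnsd_t self:udp_socket { accept listen };` are on the wrong socket class for what the rest of the hunk describes: every corenet rule below is TCP (`corenet_tcp_bind_isns_port`, `corenet_tcp_sendrecv_isns_port`, `corenet_tcp_bind_generic_node`) and there is no `tcp_socket { accept listen }` rule anywhere in isns.te. `accept` and `listen` are never exercised on a connectionless UDP socket, so as written the daemon presumably gets an AVC denial the first time it calls listen() on its iSNS TCP socket. If isnsd does serve TCP on the isns port, the rule should read `allow isnsd_t self:tcp_socket { accept listen };`; if it genuinely also uses UDP, that needs the matching `corenet_udp_*` rules rather than listen permissions on the UDP class.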
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
new file mode 100644
index 000000000..bda8b8c50
--- /dev/null
+++ b/policy/modules/services/jabber.fc
@@ -0,0 +1,32 @@
+/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
+
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
+/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+
+/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
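Review bot: Two file-context specs in this hunk will not label the directory they appear to target. `/var/lock/ejabberdctl(/.*)` lacks the trailing `?` that every other tree spec in the file uses, so only entries inside the lock directory match and `/var/lock/ejabberdctl` itself keeps the generic lock label; it should be `/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:jabberd_lock_t,s0)`. `/run/prosody(/.*)? --` pairs a directory-tree pattern with the regular-file-only class, so the `/run/prosody` directory can never match and `files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)` in jabber.te only covers files, not the directory; dropping the `--` gives `/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`. A relabel with the current specs would leave both directories mislabelled without any denial being logged.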
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
new file mode 100644
index 000000000..9a31ee513
--- /dev/null
+++ b/policy/modules/services/jabber.if
@@ -0,0 +1,86 @@
+## <summary>Jabber instant messaging servers.</summary>
+
+#######################################
+## <summary>
+## The template to define a jabber domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`jabber_domain_template',`
+ gen_require(`
+ attribute jabberd_domain;
+ ')
+
+ type $1_t, jabberd_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## jabber lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jabber_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an jabber environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jabber_admin',`
+ gen_require(`
+ attribute jabberd_domain;
+ type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
+ type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ ')
+
+ allow $1 jabberd_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_domain)
+
+ init_startstop_service($1, $2, jabberd_domain, jabberd_initrc_exec_t)
+
+ files_search_locks($1)
+ admin_pattern($1, jabberd_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jabberd_log_t)
+
+ files_search_spool($1)
+ admin_pattern($1, jabberd_spool_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, jabberd_var_run_t)
+')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
new file mode 100644
index 000000000..7bed09fd0
--- /dev/null
+++ b/policy/modules/services/jabber.te
@@ -0,0 +1,147 @@
+policy_module(jabber, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute jabberd_domain;
+
+jabber_domain_template(jabberd)
+jabber_domain_template(jabberd_router)
+
+type jabberd_initrc_exec_t;
+init_script_file(jabberd_initrc_exec_t)
+
+type jabberd_lock_t;
+files_lock_file(jabberd_lock_t)
+
+type jabberd_log_t;
+logging_log_file(jabberd_log_t)
+
+type jabberd_spool_t;
+files_type(jabberd_spool_t)
+
+type jabberd_var_lib_t;
+files_type(jabberd_var_lib_t)
+
+type jabberd_var_run_t;
+files_pid_file(jabberd_var_run_t)
+
+########################################
+#
+# Common local policy
+#
+
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket { accept listen };
+
+manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+
+kernel_read_system_state(jabberd_domain)
+
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
+
+dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
+
+fs_getattr_all_fs(jabberd_domain)
+
+logging_send_syslog_msg(jabberd_domain)
+
+miscfiles_read_localization(jabberd_domain)
+
+optional_policy(`
+ nis_use_ypbind(jabberd_domain)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_domain)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
+allow jabberd_t self:tcp_socket create_socket_perms;
+allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+
+allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
+append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+
+manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+
+manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
+kernel_read_kernel_sysctls(jabberd_t)
+
+corecmd_exec_bin(jabberd_t)
+
+corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_t)
+corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+
+dev_read_rand(jabberd_t)
+
+domain_use_interactive_fds(jabberd_t)
+
+files_read_etc_files(jabberd_t)
+files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
+
+fs_search_auto_mountpoints(jabberd_t)
+
+miscfiles_read_all_certs(jabberd_t)
+
+sysnet_read_config(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
+
+########################################
+#
+# Router local policy
+#
+
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+kernel_read_network_state(jabberd_router_t)
+
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+
+# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
+# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+
+auth_use_nsswitch(jabberd_router_t)
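Review bot: `manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)` grants spool access to every type carrying the attribute, including jabberd_router_t, yet it sits in the "Local policy" section that otherwise contains only jabberd_t rules, so a reader auditing the router's permissions will miss it. Either move the line up into the "Common local policy" block next to the other `jabberd_domain` rules, or, if only the main daemon writes spool files, narrow it to `manage_files_pattern(jabberd_t, jabberd_spool_t, jabberd_spool_t)`. The five commented-out `corenet_*_jabber_router_*` lines at the end of the router section also carry no explanation; add a one-line comment stating why they are disabled (for example that the router port is not yet declared in corenetwork) or remove them, since dead rules in a policy file tend to get uncommented without review.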
diff --git a/policy/modules/services/jockey.fc b/policy/modules/services/jockey.fc
new file mode 100644
index 000000000..d57dad40e
--- /dev/null
+++ b/policy/modules/services/jockey.fc
@@ -0,0 +1,6 @@
+/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
+
+/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
+
+/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
+/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
diff --git a/policy/modules/services/jockey.if b/policy/modules/services/jockey.if
new file mode 100644
index 000000000..2fb7a20fa
--- /dev/null
+++ b/policy/modules/services/jockey.if
@@ -0,0 +1 @@
+## <summary>Jockey driver manager.</summary>
diff --git a/policy/modules/services/jockey.te b/policy/modules/services/jockey.te
new file mode 100644
index 000000000..520543c0f
--- /dev/null
+++ b/policy/modules/services/jockey.te
@@ -0,0 +1,59 @@
+policy_module(jockey, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type jockey_t;
+type jockey_exec_t;
+init_daemon_domain(jockey_t, jockey_exec_t)
+
+type jockey_cache_t;
+files_type(jockey_cache_t)
+
+type jockey_var_log_t;
+logging_log_file(jockey_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow jockey_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
+
+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+append_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
+kernel_read_system_state(jockey_t)
+
+corecmd_exec_bin(jockey_t)
+corecmd_exec_shell(jockey_t)
+
+dev_read_rand(jockey_t)
+dev_read_sysfs(jockey_t)
+dev_read_urand(jockey_t)
+
+domain_use_interactive_fds(jockey_t)
+
+files_read_etc_files(jockey_t)
+files_read_usr_files(jockey_t)
+
+miscfiles_read_localization(jockey_t)
+
+optional_policy(`
+ dbus_system_domain(jockey_t, jockey_exec_t)
+')
+
+optional_policy(`
+ modutils_domtrans(jockey_t)
+ modutils_read_module_config(jockey_t)
+')
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
new file mode 100644
index 000000000..df21fcc78
--- /dev/null
+++ b/policy/modules/services/kerberos.fc
@@ -0,0 +1,55 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+/usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
+/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
+/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
new file mode 100644
index 000000000..c8c5a37d3
--- /dev/null
+++ b/policy/modules/services/kerberos.if
@@ -0,0 +1,487 @@
+## <summary>MIT Kerberos admin and KDC.</summary>
+
+########################################
+## <summary>
+## Execute kadmind in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_exec_kadmind',`
+ gen_require(`
+ type kadmind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, kadmind_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run kpropd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerberos_domtrans_kpropd',`
+ gen_require(`
+ type kpropd_t, kpropd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kpropd_exec_t, kpropd_t)
+')
+
+########################################
+## <summary>
+## Support kerberos services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_use',`
+ gen_require(`
+ type krb5kdc_conf_t, krb5_host_rcache_t;
+ ')
+
+ kerberos_read_config($1)
+
+ dontaudit $1 krb5_conf_t:file write_file_perms;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ dontaudit $1 self:process setfscreate;
+
+ selinux_dontaudit_validate_context($1)
+ seutil_dontaudit_read_file_contexts($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_tcp_connect_kerberos_port($1)
+ corenet_tcp_sendrecv_kerberos_port($1)
+ corenet_udp_sendrecv_kerberos_port($1)
+
+ corenet_sendrecv_ocsp_client_packets($1)
+ corenet_tcp_connect_ocsp_port($1)
+ corenet_tcp_sendrecv_ocsp_port($1)
+
+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_kerberos',`
+ pcscd_stream_connect($1)
+ ')
+ ')
+
+ optional_policy(`
+ sssd_read_public_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read kerberos configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_config',`
+ gen_require(`
+ type krb5_conf_t, krb5_home_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file read_file_perms;
+
+ userdom_search_user_home_dirs($1)
+ allow $1 krb5_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## kerberos configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerberos_dontaudit_write_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ dontaudit $1 krb5_conf_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write kerberos
+## configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_rw_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kerberos home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_manage_krb5_home_files',`
+ gen_require(`
+ type krb5_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 krb5_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel kerberos home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_relabel_krb5_home_files',`
+ gen_require(`
+ type krb5_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 krb5_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the krb5 home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`kerberos_home_filetrans_krb5_home',`
+ gen_require(`
+ type krb5_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read kerberos key table files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write kerberos key table files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_rw_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kerberos key table files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_manage_keytab_files',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## etc directories with the kerberos
+## keytab file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`kerberos_etc_filetrans_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read kerberos kdc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+ gen_require(`
+ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kerberos host rcache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ domain_obj_id_change_exemption($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ files_search_tmp($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Create objects in generic temporary
+## directories with the kerberos host
+## rcache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`kerberos_tmp_filetrans_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Connect to krb524 service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_connect_524',`
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_node($1)
+
+ corenet_sendrecv_kerberos_master_client_packets($1)
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an kerberos environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_admin',`
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+ ')
+
+ allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
+
+ init_startstop_service($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+
+ files_list_pids($1)
+ admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+
+ files_list_etc($1)
+ admin_pattern($1, krb5_conf_t)
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+
+ admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
+
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+')
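Review bot: `kerberos_use` references `krb5_conf_t` in `dontaudit $1 krb5_conf_t:file write_file_perms;` but its gen_require block only declares `krb5kdc_conf_t` and `krb5_host_rcache_t`; the type is currently resolved only because `kerberos_read_config($1)` expands inline just above and happens to require it. That is a hidden dependency: reordering the body or changing `kerberos_read_config` would break the interface for every external caller. The require should be self-sufficient: `type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t;`. Separately, the eight `kerberos_tmp_filetrans_host_rcache($1, file, "...")` calls in `kerberos_admin` duplicate the literal replay-cache names listed in kerberos.fc; a comment pointing at the .fc entries, such as `# keep in sync with the /var/tmp rcache entries in kerberos.fc`, would make the two lists less likely to drift.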
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
new file mode 100644
index 000000000..91ca8aac2
--- /dev/null
+++ b/policy/modules/services/kerberos.te
@@ -0,0 +1,330 @@
+policy_module(kerberos, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether kerberos is supported.
+## </p>
+## </desc>
+gen_tunable(allow_kerberos, false)
+
+type kadmind_t;
+type kadmind_exec_t;
+init_daemon_domain(kadmind_t, kadmind_exec_t)
+domain_obj_id_change_exemption(kadmind_t)
+
+type kadmind_log_t;
+logging_log_file(kadmind_log_t)
+
+type kadmind_tmp_t;
+files_tmp_file(kadmind_tmp_t)
+
+type kadmind_var_run_t;
+files_pid_file(kadmind_var_run_t)
+
+type kerberos_initrc_exec_t;
+init_script_file(kerberos_initrc_exec_t)
+
+type kpropd_t;
+type kpropd_exec_t;
+init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
+
+type krb5_conf_t;
+files_type(krb5_conf_t)
+
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
+type krb5_keytab_t;
+files_security_file(krb5_keytab_t)
+
+type krb5kdc_conf_t;
+files_type(krb5kdc_conf_t)
+
+type krb5kdc_lock_t;
+files_type(krb5kdc_lock_t)
+
+type krb5kdc_principal_t;
+files_type(krb5kdc_principal_t)
+
+type krb5kdc_t;
+type krb5kdc_exec_t;
+init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
+domain_obj_id_change_exemption(krb5kdc_t)
+
+type krb5kdc_log_t;
+logging_log_file(krb5kdc_log_t)
+
+type krb5kdc_tmp_t;
+files_tmp_file(krb5kdc_tmp_t)
+
+type krb5kdc_var_run_t;
+files_pid_file(krb5kdc_var_run_t)
+
+########################################
+#
+# kadmind local policy
+#
+
+allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice };
+dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:capability2 block_suspend;
+allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:tcp_socket { accept listen };
+allow kadmind_t self:udp_socket create_socket_perms;
+
+allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+
+allow kadmind_t krb5_conf_t:file read_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write_file_perms;
+
+read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+
+manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+
+manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
+files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+
+can_exec(kadmind_t, kadmind_exec_t)
+
+kernel_read_kernel_sysctls(kadmind_t)
+kernel_read_network_state(kadmind_t)
+kernel_read_system_state(kadmind_t)
+
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
+corenet_tcp_sendrecv_generic_if(kadmind_t)
+corenet_udp_sendrecv_generic_if(kadmind_t)
+corenet_tcp_sendrecv_generic_node(kadmind_t)
+corenet_udp_sendrecv_generic_node(kadmind_t)
+corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_udp_sendrecv_all_ports(kadmind_t)
+corenet_tcp_bind_generic_node(kadmind_t)
+corenet_udp_bind_generic_node(kadmind_t)
+
+corenet_sendrecv_all_server_packets(kadmind_t)
+corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_reserved_port(kadmind_t)
+
+dev_read_sysfs(kadmind_t)
+
+fs_getattr_all_fs(kadmind_t)
+fs_search_auto_mountpoints(kadmind_t)
+
+domain_use_interactive_fds(kadmind_t)
+
+files_read_etc_files(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
+
+selinux_validate_context(kadmind_t)
+
+logging_send_syslog_msg(kadmind_t)
+
+miscfiles_read_localization(kadmind_t)
+
+seutil_read_file_contexts(kadmind_t)
+
+sysnet_use_ldap(kadmind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+userdom_dontaudit_search_user_home_dirs(kadmind_t)
+
+optional_policy(`
+ ldap_stream_connect(kadmind_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(kadmind_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(kadmind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
+')
+
+optional_policy(`
+ udev_read_db(kadmind_t)
+')
+
+########################################
+#
+# Krb5kdc local policy
+#
+
+allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice };
+dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:capability2 block_suspend;
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket { accept listen };
+allow krb5kdc_t self:udp_socket create_socket_perms;
+allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
+
+allow krb5kdc_t krb5_conf_t:file read_file_perms;
+dontaudit krb5kdc_t krb5_conf_t:file write;
+
+read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
+
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
+
+manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+
+manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+kernel_read_system_state(krb5kdc_t)
+kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
+kernel_search_network_sysctl(krb5kdc_t)
+
+corecmd_exec_bin(krb5kdc_t)
+
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
+corenet_tcp_sendrecv_generic_if(krb5kdc_t)
+corenet_udp_sendrecv_generic_if(krb5kdc_t)
+corenet_tcp_sendrecv_generic_node(krb5kdc_t)
+corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_bind_generic_node(krb5kdc_t)
+corenet_udp_bind_generic_node(krb5kdc_t)
+
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_tcp_bind_kerberos_port(krb5kdc_t)
+corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
+corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
+
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+corenet_tcp_connect_ocsp_port(krb5kdc_t)
+corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
+
+dev_read_sysfs(krb5kdc_t)
+
+fs_getattr_all_fs(krb5kdc_t)
+fs_search_auto_mountpoints(krb5kdc_t)
+
+domain_use_interactive_fds(krb5kdc_t)
+
+files_read_etc_files(krb5kdc_t)
+files_read_usr_symlinks(krb5kdc_t)
+files_read_var_files(krb5kdc_t)
+
+selinux_validate_context(krb5kdc_t)
+
+logging_send_syslog_msg(krb5kdc_t)
+
+miscfiles_read_generic_certs(krb5kdc_t)
+miscfiles_read_localization(krb5kdc_t)
+
+seutil_read_file_contexts(krb5kdc_t)
+
+sysnet_use_ldap(krb5kdc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+optional_policy(`
+ ldap_stream_connect(krb5kdc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(krb5kdc_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(krb5kdc_t)
+')
+
+optional_policy(`
+ udev_read_db(krb5kdc_t)
+')
+
+########################################
+#
+# kpropd local policy
+#
+
+allow kpropd_t self:process setfscreate;
+allow kpropd_t self:fifo_file rw_fifo_file_perms;
+allow kpropd_t self:unix_stream_socket { accept listen };
+allow kpropd_t self:tcp_socket { accept listen };
+
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
+
+allow kpropd_t krb5_keytab_t:file read_file_perms;
+
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
+corecmd_exec_bin(kpropd_t)
+
+corenet_all_recvfrom_unlabeled(kpropd_t)
+corenet_tcp_sendrecv_generic_if(kpropd_t)
+corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_bind_generic_node(kpropd_t)
+
+corenet_sendrecv_kprop_server_packets(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
+corenet_tcp_sendrecv_kprop_port(kpropd_t)
+
+dev_read_urand(kpropd_t)
+
+files_read_etc_files(kpropd_t)
+files_search_tmp(kpropd_t)
+
+selinux_validate_context(kpropd_t)
+
+logging_send_syslog_msg(kpropd_t)
+
+miscfiles_read_localization(kpropd_t)
+
+seutil_read_file_contexts(kpropd_t)
+
+sysnet_dns_name_resolve(kpropd_t)
+
+kerberos_use(kpropd_t)
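Review bot: kadmind_t is granted send/receive on all TCP and UDP ports plus `corenet_sendrecv_all_server_packets` and `corenet_tcp_bind_reserved_port`, whereas krb5kdc_t in the same file is scoped to the kerberos-port interfaces; the admin daemon only binds the kerberos admin port in this hunk, so the all-ports and reserved-port rules look wider than its declared role. If no denial actually requires them, scoping kadmind_t to the kerberos_admin port sendrecv/packet interfaces (the same naming pattern used for krb5kdc_t) would keep the two daemons consistent and limit what a compromised kadmind could talk to. Separately, krb5kdc_t receives the `net_admin` capability that kadmind_t does not; a one-line comment naming the socket operation that needs it, e.g. `# net_admin: <reason> -- confirm via audit`, would stop the next reviewer from re-asking. The allow_kerberos tunable declared at the top of the file is not referenced anywhere within it, so it is presumably consumed by an interface in kerberos.if; a comment saying so next to the declaration would help.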
diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc
new file mode 100644
index 000000000..d0db3544c
--- /dev/null
+++ b/policy/modules/services/kerneloops.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
+/usr/bin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
+
+/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
new file mode 100644
index 000000000..d6f5fd822
--- /dev/null
+++ b/policy/modules/services/kerneloops.if
@@ -0,0 +1,115 @@
+## <summary>Service for reporting kernel oopses to kerneloops.org.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kerneloops.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerneloops_domtrans',`
+ gen_require(`
+ type kerneloops_t, kerneloops_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## kerneloops over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kerneloops_t:dbus send_msg;
+ allow kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to Send and
+## receive messages from kerneloops
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dontaudit_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 kerneloops_t:dbus send_msg;
+ dontaudit kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kerneloops temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 kerneloops_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an kerneloops environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerneloops_admin',`
+ gen_require(`
+ type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kerneloops_t)
+
+ init_startstop_service($1, $2, kerneloops_t, kerneloops_initrc_exec_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, kerneloops_tmp_t)
+')
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
new file mode 100644
index 000000000..acf8d073d
--- /dev/null
+++ b/policy/modules/services/kerneloops.te
@@ -0,0 +1,55 @@
+policy_module(kerneloops, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type kerneloops_t;
+type kerneloops_exec_t;
+init_daemon_domain(kerneloops_t, kerneloops_exec_t)
+
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kerneloops_t self:capability sys_nice;
+allow kerneloops_t self:process { getcap setcap setsched getsched signal };
+allow kerneloops_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
+
+kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)
+
+dev_read_urand(kerneloops_t)
+
+domain_use_interactive_fds(kerneloops_t)
+
+corenet_all_recvfrom_unlabeled(kerneloops_t)
+corenet_all_recvfrom_netlabel(kerneloops_t)
+corenet_tcp_sendrecv_generic_if(kerneloops_t)
+corenet_tcp_sendrecv_generic_node(kerneloops_t)
+
+corenet_sendrecv_http_client_packets(kerneloops_t)
+corenet_tcp_connect_http_port(kerneloops_t)
+corenet_tcp_sendrecv_http_port(kerneloops_t)
+
+auth_use_nsswitch(kerneloops_t)
+
+logging_send_syslog_msg(kerneloops_t)
+logging_read_generic_logs(kerneloops_t)
+
+miscfiles_read_localization(kerneloops_t)
+
+optional_policy(`
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+')
diff --git a/policy/modules/services/keyboardd.fc b/policy/modules/services/keyboardd.fc
new file mode 100644
index 000000000..647a5593d
--- /dev/null
+++ b/policy/modules/services/keyboardd.fc
@@ -0,0 +1 @@
+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
new file mode 100644
index 000000000..8982b9106
--- /dev/null
+++ b/policy/modules/services/keyboardd.if
@@ -0,0 +1,19 @@
+## <summary>Xorg.conf keyboard layout callout.</summary>
+
+######################################
+## <summary>
+## Read keyboardd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
+ ')
+
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+')
diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
new file mode 100644
index 000000000..628b78b4b
--- /dev/null
+++ b/policy/modules/services/keyboardd.te
@@ -0,0 +1,24 @@
+policy_module(keyboardd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type keyboardd_t;
+type keyboardd_exec_t;
+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
+
+files_manage_etc_runtime_files(keyboardd_t)
+files_etc_filetrans_etc_runtime(keyboardd_t, file)
+files_read_etc_files(keyboardd_t)
+
+miscfiles_read_localization(keyboardd_t)
diff --git a/policy/modules/services/keystone.fc b/policy/modules/services/keystone.fc
new file mode 100644
index 000000000..b273d803c
--- /dev/null
+++ b/policy/modules/services/keystone.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
+
+/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+
+/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
+
+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
diff --git a/policy/modules/services/keystone.if b/policy/modules/services/keystone.if
new file mode 100644
index 000000000..ec9adb00f
--- /dev/null
+++ b/policy/modules/services/keystone.if
@@ -0,0 +1,39 @@
+## <summary>Python implementation of the OpenStack identity service API.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an keystone environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`keystone_admin',`
+ gen_require(`
+ type keystone_t, keystone_initrc_exec_t, keystone_log_t;
+ type keystone_var_lib_t, keystone_tmp_t;
+ ')
+
+ allow $1 keystone_t:process { ptrace signal_perms };
+ ps_process_pattern($1, keystone_t)
+
+ init_startstop_service($1, $2, keystone_t, keystone_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, keystone_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, keystone_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, keystone_tmp_t)
+')
diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te
new file mode 100644
index 000000000..9e051ad08
--- /dev/null
+++ b/policy/modules/services/keystone.te
@@ -0,0 +1,76 @@
+policy_module(keystone, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type keystone_t;
+type keystone_exec_t;
+init_daemon_domain(keystone_t, keystone_exec_t)
+
+type keystone_initrc_exec_t;
+init_script_file(keystone_initrc_exec_t)
+
+type keystone_log_t;
+logging_log_file(keystone_log_t)
+
+type keystone_var_lib_t;
+files_type(keystone_var_lib_t)
+
+type keystone_tmp_t;
+files_tmp_file(keystone_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow keystone_t self:fifo_file rw_fifo_file_perms;
+allow keystone_t self:unix_stream_socket { accept listen };
+allow keystone_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
+append_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
+create_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
+setattr_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
+logging_log_filetrans(keystone_t, keystone_log_t, dir)
+
+manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
+manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
+manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
+files_tmp_filetrans(keystone_t, keystone_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+
+can_exec(keystone_t, keystone_tmp_t)
+
+kernel_read_system_state(keystone_t)
+
+corecmd_exec_bin(keystone_t)
+corecmd_exec_shell(keystone_t)
+
+corenet_all_recvfrom_unlabeled(keystone_t)
+corenet_all_recvfrom_netlabel(keystone_t)
+corenet_tcp_sendrecv_generic_if(keystone_t)
+corenet_tcp_sendrecv_generic_node(keystone_t)
+corenet_tcp_bind_generic_node(keystone_t)
+
+corenet_sendrecv_commplex_main_server_packets(keystone_t)
+corenet_tcp_bind_commplex_main_port(keystone_t)
+corenet_tcp_sendrecv_commplex_main_port(keystone_t)
+
+files_read_usr_files(keystone_t)
+
+auth_use_pam(keystone_t)
+
+libs_exec_ldconfig(keystone_t)
+
+miscfiles_read_localization(keystone_t)
+
+optional_policy(`
+ mysql_stream_connect(keystone_t)
+ mysql_tcp_connect(keystone_t)
+')
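Review bot: `can_exec(keystone_t, keystone_tmp_t)` lets the service execute files in a tmp type that it also creates and writes (manage_files_pattern on keystone_tmp_t plus the tmp filetrans), so a compromised keystone process can drop and run its own code under /tmp without needing any labeled executable; together with `corecmd_exec_bin` and `corecmd_exec_shell` this leaves little of the usual write/execute separation. If the exec is only needed for one specific step, a comment stating which, e.g. `# can_exec on keystone_tmp_t: needed for <step> -- confirm`, or gating the rule behind a boolean would make the trade-off explicit. If the rule stays, executions of keystone_tmp_t files are a useful audit signal to watch for.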
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
new file mode 100644
index 000000000..68f3623b9
--- /dev/null
+++ b/policy/modules/services/ksmtuned.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/bin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
+
+/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
new file mode 100644
index 000000000..59f401bf9
--- /dev/null
+++ b/policy/modules/services/ksmtuned.if
@@ -0,0 +1,74 @@
+## <summary>Kernel Samepage Merging Tuning Daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ksmtuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_domtrans',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
+')
+
+########################################
+## <summary>
+## Execute ksmtuned server in
+## the ksmtuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_initrc_domtrans',`
+ gen_require(`
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ksmtuned environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ksmtuned_admin',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ ')
+
+ init_startstop_service($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t)
+
+ allow $1 ksmtuned_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ksmtuned_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, ksmtuned_log_t)
+')
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
new file mode 100644
index 000000000..97cfdc2d4
--- /dev/null
+++ b/policy/modules/services/ksmtuned.te
@@ -0,0 +1,55 @@
+policy_module(ksmtuned, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ksmtuned_t;
+type ksmtuned_exec_t;
+init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
+type ksmtuned_initrc_exec_t;
+init_script_file(ksmtuned_initrc_exec_t)
+
+type ksmtuned_log_t;
+logging_log_file(ksmtuned_log_t)
+
+type ksmtuned_var_run_t;
+files_pid_file(ksmtuned_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+allow ksmtuned_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+append_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
+
+manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+kernel_read_system_state(ksmtuned_t)
+
+corecmd_exec_bin(ksmtuned_t)
+corecmd_exec_shell(ksmtuned_t)
+
+dev_rw_sysfs(ksmtuned_t)
+
+domain_read_all_domains_state(ksmtuned_t)
+
+mls_file_read_to_clearance(ksmtuned_t)
+
+term_use_all_terms(ksmtuned_t)
+
+auth_use_nsswitch(ksmtuned_t)
+
+logging_send_syslog_msg(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
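Review bot: ksmtuned_t is given `sys_ptrace` as an allow, alongside `domain_read_all_domains_state` and `term_use_all_terms`; for a tuning script that only reads process state from /proc, the capability check is usually triggered by /proc/PID files that require ptrace-level access, and a `dontaudit ksmtuned_t self:capability sys_ptrace;` is often enough there (confirm against the actual denials before changing it). Allowing it outright lets the domain attach to arbitrary processes, which is more than tuning needs. `term_use_all_terms` is similarly broad for a background daemon; if it exists only for init-time console output, a narrower terminal interface or a dontaudit would be preferable.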
diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc
new file mode 100644
index 000000000..fae3b8c4e
--- /dev/null
+++ b/policy/modules/services/ktalk.fc
@@ -0,0 +1,9 @@
+/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if
new file mode 100644
index 000000000..19777b806
--- /dev/null
+++ b/policy/modules/services/ktalk.if
@@ -0,0 +1 @@
+## <summary>KDE Talk daemon.</summary>
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
new file mode 100644
index 000000000..f190b5b23
--- /dev/null
+++ b/policy/modules/services/ktalk.te
@@ -0,0 +1,61 @@
+policy_module(ktalk, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type ktalkd_t;
+type ktalkd_exec_t;
+init_daemon_domain(ktalkd_t, ktalkd_exec_t)
+inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
+type ktalkd_tmp_t;
+files_tmp_file(ktalkd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ktalkd_t self:process signal_perms;
+allow ktalkd_t self:fifo_file rw_fifo_file_perms;
+allow ktalkd_t self:tcp_socket { accept listen };
+
+allow ktalkd_t ktalkd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
+
+manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(ktalkd_t)
+kernel_read_system_state(ktalkd_t)
+kernel_read_network_state(ktalkd_t)
+
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
+corenet_udp_sendrecv_generic_if(ktalkd_t)
+corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_udp_bind_generic_node(ktalkd_t)
+
+corenet_sendrecv_ktalkd_server_packets(ktalkd_t)
+corenet_udp_bind_ktalkd_port(ktalkd_t)
+corenet_udp_sendrecv_ktalkd_port(ktalkd_t)
+
+dev_read_urand(ktalkd_t)
+
+fs_getattr_xattr_fs(ktalkd_t)
+
+term_use_all_terms(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
+init_read_utmp(ktalkd_t)
+
+logging_send_syslog_msg(ktalkd_t)
+
+miscfiles_read_localization(ktalkd_t)
diff --git a/policy/modules/services/l2tp.fc b/policy/modules/services/l2tp.fc
new file mode 100644
index 000000000..499c7de6e
--- /dev/null
+++ b/policy/modules/services/l2tp.fc
@@ -0,0 +1,13 @@
+/etc/.*l2tp(/.*)? gen_context(system_u:object_r:l2tp_conf_t,s0)
+
+/etc/rc\.d/init\.d/.*l2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
+
+/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
+
+/usr/bin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
+/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/services/l2tp.if b/policy/modules/services/l2tp.if
new file mode 100644
index 000000000..24d3c444d
--- /dev/null
+++ b/policy/modules/services/l2tp.if
@@ -0,0 +1,99 @@
+## <summary>Layer 2 Tunneling Protocol.</summary>
+
+########################################
+## <summary>
+## Send to l2tpd with a unix
+## domain dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_dgram_send',`
+ gen_require(`
+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ files_search_tmp($1)
+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+')
+
+########################################
+## <summary>
+## Read and write l2tpd sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_rw_socket',`
+ gen_require(`
+ type l2tpd_t;
+ ')
+
+ allow $1 l2tpd_t:socket rw_socket_perms;
+')
+
+#####################################
+## <summary>
+## Connect to l2tpd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`l2tpd_stream_connect',`
+ gen_require(`
+ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ files_search_tmp($1)
+ stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an l2tp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`l2tp_admin',`
+ gen_require(`
+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
+ type l2tp_conf_t, l2tpd_tmp_t;
+ ')
+
+ allow $1 l2tpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, l2tpd_t)
+
+ init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, l2tp_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, l2tpd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, l2tpd_tmp_t)
+')
diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
new file mode 100644
index 000000000..2fd536984
--- /dev/null
+++ b/policy/modules/services/l2tp.te
@@ -0,0 +1,94 @@
+policy_module(l2tp, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type l2tpd_t;
+type l2tpd_exec_t;
+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
+
+type l2tpd_initrc_exec_t;
+init_script_file(l2tpd_initrc_exec_t)
+
+type l2tp_conf_t;
+files_config_file(l2tp_conf_t)
+
+type l2tpd_tmp_t;
+files_tmp_file(l2tpd_tmp_t)
+
+type l2tpd_var_run_t;
+files_pid_file(l2tpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow l2tpd_t self:capability net_admin;
+allow l2tpd_t self:process signal;
+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
+allow l2tpd_t self:netlink_socket create_socket_perms;
+allow l2tpd_t self:rawip_socket create_socket_perms;
+allow l2tpd_t self:socket create_socket_perms;
+allow l2tpd_t self:tcp_socket { accept listen };
+allow l2tpd_t self:unix_dgram_socket sendto;
+allow l2tpd_t self:unix_stream_socket { accept listen };
+
+read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
+
+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
+corenet_all_recvfrom_unlabeled(l2tpd_t)
+corenet_all_recvfrom_netlabel(l2tpd_t)
+corenet_raw_sendrecv_generic_if(l2tpd_t)
+corenet_tcp_sendrecv_generic_if(l2tpd_t)
+corenet_udp_sendrecv_generic_if(l2tpd_t)
+corenet_raw_bind_generic_node(l2tpd_t)
+corenet_tcp_bind_generic_node(l2tpd_t)
+corenet_udp_bind_generic_node(l2tpd_t)
+corenet_raw_sendrecv_generic_node(l2tpd_t)
+corenet_tcp_sendrecv_generic_node(l2tpd_t)
+corenet_udp_sendrecv_generic_node(l2tpd_t)
+corenet_tcp_sendrecv_all_ports(l2tpd_t)
+corenet_udp_sendrecv_all_ports(l2tpd_t)
+
+corenet_sendrecv_all_server_packets(l2tpd_t)
+corenet_tcp_bind_all_rpc_ports(l2tpd_t)
+corenet_udp_bind_all_rpc_ports(l2tpd_t)
+
+corenet_udp_bind_l2tp_port(l2tpd_t)
+
+kernel_read_network_state(l2tpd_t)
+kernel_read_system_state(l2tpd_t)
+kernel_request_load_module(l2tpd_t)
+
+corecmd_exec_bin(l2tpd_t)
+
+dev_read_urand(l2tpd_t)
+
+files_read_etc_files(l2tpd_t)
+
+term_setattr_generic_ptys(l2tpd_t)
+term_use_generic_ptys(l2tpd_t)
+term_use_ptmx(l2tpd_t)
+
+logging_send_syslog_msg(l2tpd_t)
+
+miscfiles_read_localization(l2tpd_t)
+
+sysnet_dns_name_resolve(l2tpd_t)
+
+optional_policy(`
+ ppp_domtrans(l2tpd_t)
+ ppp_signal(l2tpd_t)
+ ppp_kill(l2tpd_t)
+')
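Review bot: l2tpd_t may bind any RPC port (`corenet_tcp_bind_all_rpc_ports` / `corenet_udp_bind_all_rpc_ports`) and send/receive on all ports with `corenet_sendrecv_all_server_packets`, even though the protocol port itself is already covered by `corenet_udp_bind_l2tp_port` below; binding the RPC range lets the daemon occupy ports labeled for other services. If the extra bind is only for an ephemeral source port, the generic unreserved-port bind interface would be the narrower choice (confirm which ports the daemon really binds, e.g. from audit records, before narrowing). A short comment next to the RPC bind rules explaining why they are needed, e.g. `# rpc port bind: <reason> -- confirm`, would at least document the intent.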
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
new file mode 100644
index 000000000..174f4d73b
--- /dev/null
+++ b/policy/modules/services/ldap.fc
@@ -0,0 +1,32 @@
+/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_t,s0)
+
+/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+
+/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0)
+/var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0)
+
+/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+
+/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
new file mode 100644
index 000000000..59752140d
--- /dev/null
+++ b/policy/modules/services/ldap.if
@@ -0,0 +1,156 @@
+## <summary>OpenLDAP directory server.</summary>
+
+########################################
+## <summary>
+## List ldap database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_list_db',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read ldap configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_read_config',`
+ gen_require(`
+ type slapd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to slapd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+')
+
+########################################
+## <summary>
+## Connect to ldap over the network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_tcp_connect',`
+ gen_require(`
+ type slapd_t;
+ ')
+
+ corenet_sendrecv_ldap_client_packets($1)
+ corenet_tcp_connect_ldap_port($1)
+ corenet_tcp_recvfrom_labeled($1, slapd_t)
+ corenet_tcp_sendrecv_ldap_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ldap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+ gen_require(`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+ type slapd_db_t, slapd_keytab_t;
+ ')
+
+ allow $1 slapd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slapd_t)
+
+ init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+
+ files_list_locks($1)
+ admin_pattern($1, slapd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, slapd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, slapd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute slapd in the slapd domain, and
+## allow the given role the slapd_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_run',`
+ gen_require(`
+ type slapd_t;
+ type slapd_exec_t;
+ ')
+
+ role $2 types slapd_t;
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
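Review bot: `ldap_list_db` only adds `files_search_etc($1)`, but in this commit's ldap.fc the `slapd_db_t` label is also applied under `/var/lib/ldap` and `/var/lib/openldap-*`, so a caller that lacks its own var_lib search permission cannot reach those directories through this interface. Adding `files_search_var_lib($1)` next to the existing search covers both locations. The summary could also name what it covers, e.g. `## List ldap database directories (slapd.d and /var/lib/ldap).`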
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
new file mode 100644
index 000000000..4a525e6d1
--- /dev/null
+++ b/policy/modules/services/ldap.te
@@ -0,0 +1,167 @@
+policy_module(ldap, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+type slapd_t;
+type slapd_exec_t;
+init_daemon_domain(slapd_t, slapd_exec_t)
+
+type slapd_cert_t;
+miscfiles_cert_type(slapd_cert_t)
+
+type slapd_db_t;
+files_type(slapd_db_t)
+
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
+
+type slapd_initrc_exec_t;
+init_script_file(slapd_initrc_exec_t)
+
+type slapd_keytab_t;
+files_type(slapd_keytab_t)
+
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
+type slapd_log_t;
+logging_log_file(slapd_log_t)
+
+type slapd_replog_t;
+files_type(slapd_replog_t)
+
+type slapd_tmp_t;
+files_tmp_file(slapd_tmp_t)
+
+type slapd_tmpfs_t;
+files_tmpfs_file(slapd_tmpfs_t)
+
+type slapd_unit_t;
+init_unit_file(slapd_unit_t)
+
+type slapd_var_run_t;
+files_pid_file(slapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid };
+dontaudit slapd_t self:capability sys_tty_config;
+allow slapd_t self:process setsched;
+allow slapd_t self:fifo_file rw_fifo_file_perms;
+allow slapd_t self:tcp_socket { accept listen };
+
+allow slapd_t slapd_cert_t:dir list_dir_perms;
+read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+
+manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+
+allow slapd_t slapd_etc_t:file read_file_perms;
+
+allow slapd_t slapd_keytab_t:file read_file_perms;
+
+allow slapd_t slapd_lock_t:file manage_file_perms;
+files_lock_filetrans(slapd_t, slapd_lock_t, file)
+
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
+manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+
+manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
+
+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(slapd_t)
+kernel_read_kernel_sysctls(slapd_t)
+
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
+corenet_tcp_sendrecv_generic_if(slapd_t)
+corenet_tcp_sendrecv_generic_node(slapd_t)
+corenet_tcp_sendrecv_all_ports(slapd_t)
+corenet_tcp_bind_generic_node(slapd_t)
+
+corenet_sendrecv_ldap_server_packets(slapd_t)
+corenet_tcp_bind_ldap_port(slapd_t)
+
+corenet_sendrecv_all_client_packets(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
+
+dev_read_urand(slapd_t)
+dev_read_sysfs(slapd_t)
+
+domain_use_interactive_fds(slapd_t)
+
+fs_getattr_all_fs(slapd_t)
+fs_search_auto_mountpoints(slapd_t)
+
+files_read_etc_runtime_files(slapd_t)
+files_read_usr_files(slapd_t)
+files_list_var_lib(slapd_t)
+
+auth_use_nsswitch(slapd_t)
+
+logging_send_syslog_msg(slapd_t)
+
+miscfiles_read_generic_certs(slapd_t)
+miscfiles_read_localization(slapd_t)
+miscfiles_read_generic_tls_privkey(slapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+userdom_dontaudit_search_user_home_dirs(slapd_t)
+
+optional_policy(`
+ kerberos_manage_host_rcache(slapd_t)
+ kerberos_read_keytab(slapd_t)
+ kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_use(slapd_t)
+')
+
+optional_policy(`
+ sasl_connect(slapd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+')
+
+optional_policy(`
+ udev_read_db(slapd_t)
+')
+
+ifdef(`distro_gentoo',`
+ init_daemon_pid_file(slapd_var_run_t, dir, "openldap")
+
+ ########################################
+ #
+ # Local slapd_t policy
+ #
+ allow slapd_t self:process signal;
+ allow slapd_t self:unix_stream_socket listen;
+
+ userdom_use_user_terminals(slapd_t)
+')
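Review bot: `slapd_keytab_t` is declared and granted to slapd_t (`allow slapd_t slapd_keytab_t:file read_file_perms;`) and to `ldap_admin`, but no entry in this commit's ldap.fc labels any path with it, so on a default-labelled system that rule matches nothing and the keytab would have to be labelled by hand. A comment above the declaration stating where the keytab is expected to live, or an ldap.fc entry for it, would make the intent clear. Separately, the `distro_gentoo` block grants `listen` but not `accept` on `self:unix_stream_socket`, while the tcp rule earlier in the file grants both; if the `/run/ldapi` socket from ldap.fc is actually served, `accept` is presumably needed as well — worth checking against an AVC log on a Gentoo system.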
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
new file mode 100644
index 000000000..c95fd7d58
--- /dev/null
+++ b/policy/modules/services/likewise.fc
@@ -0,0 +1,109 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad\.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/usr/bin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/bin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/bin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/bin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/bin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/bin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/bin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/bin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise/\.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise/\.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
+/var/lib/likewise/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/var/lib/likewise/krb5-affinity\.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise/krb5cc.* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise/krb5ccr_lsass\..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise/db/lwi_events\.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/db/lsass-adcache\.filedb\..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/var/lib/likewise-open/krb5-affinity\.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/krb5cc.* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass\..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events\.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.filedb\..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t,s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t,s0)
+
+/run/eventlogd\.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/run/lwiod\.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/run/lwregd\.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/run/netlogond\.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/run/srvsvcd\.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
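Review bot: The `gen_context(...)` argument spacing is inconsistent in this file: most lines use `,s0`, but the `krb5ccr_lsass`, `rpc/epmapper`, `rpc/lsass`, `rpc/socket` and `run/rpcdep\.dat` entries use `, s0`. Normalising them to the `,s0` form used by the rest of the file (e.g. `/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)`) keeps the two near-identical `/var/lib/likewise` and `/var/lib/likewise-open` blocks comparable line by line.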
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 000000000..2b884e640
--- /dev/null
+++ b/policy/modules/services/likewise.if
@@ -0,0 +1,131 @@
+## <summary>Likewise Active Directory support for UNIX.</summary>
+
+#######################################
+## <summary>
+## The template to define a likewise domain.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`likewise_domain_template',`
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ typeattribute $1_t likewise_domains;
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_socket_t;
+ files_type($1_var_socket_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ ####################################
+ #
+ # Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_stream_socket { accept listen };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
+
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+')
+
+########################################
+## <summary>
+## Connect to lsassd with a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an likewise environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`likewise_admin',`
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
+ type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
+ type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
+ type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
+ type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
+ type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
+ type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
+ type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
+ ')
+
+ allow $1 likewise_domains:process { ptrace signal_perms };
+ ps_process_pattern($1, likewise_domains)
+
+ init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
+ admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
+ admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
+ admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
+ admin_pattern($1, dcerpcd_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, lsassd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
+ admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
+')
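Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the socket it connects to is `lsassd_var_socket_t` inside a `likewise_var_lib_t` directory, which this commit's likewise.fc places under `/var/lib/likewise`; the search permission a caller needs is therefore `files_search_var_lib($1)`, and the pids search looks like a copy-paste leftover. In `likewise_domain_template` the parameter is documented as `userdomain_prefix` with the summary "The type of daemon to be used", which does not match its use as a daemon name prefix; `<param name="prefix">` with `## Prefix of the daemon domain, e.g. lsassd.` would describe it accurately.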
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 000000000..d2a736efb
--- /dev/null
+++ b/policy/modules/services/likewise.te
@@ -0,0 +1,254 @@
+policy_module(likewise, 1.6.0)
+
+#################################
+#
+# Declarations
+#
+
+attribute likewise_domains;
+
+likewise_domain_template(dcerpcd)
+likewise_domain_template(eventlogd)
+likewise_domain_template(lsassd)
+likewise_domain_template(lwiod)
+likewise_domain_template(lwregd)
+likewise_domain_template(lwsmd)
+likewise_domain_template(netlogond)
+likewise_domain_template(srvsvcd)
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+#################################
+#
+# Common local policy
+#
+
+allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
+
+kernel_read_system_state(likewise_domains)
+
+dev_read_rand(likewise_domains)
+dev_read_urand(likewise_domains)
+
+domain_use_interactive_fds(likewise_domains)
+
+files_read_etc_files(likewise_domains)
+files_search_var_lib(likewise_domains)
+
+logging_send_syslog_msg(likewise_domains)
+
+miscfiles_read_localization(likewise_domains)
+
+#################################
+#
+# dcerpcd local policy
+#
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+corenet_sendrecv_epmap_server_packets(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+
+#################################
+#
+# eventlogd local policy
+#
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+
+corenet_sendrecv_epmap_client_packets(eventlogd_t)
+corenet_tcp_connect_epmap_port(eventlogd_t)
+corenet_tcp_sendrecv_epmap_port(eventlogd_t)
+
+#################################
+#
+# lsassd local policy
+#
+
+allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
+allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+kernel_list_all_proc(lsassd_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+
+corenet_sendrecv_epmap_client_packets(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+domain_dontaudit_search_all_domains_state(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+files_relabelto_home(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, system_r)
+
+sysnet_use_ldap(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_user_home_content_files(lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# lwiod local policy
+#
+
+allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource };
+allow lwiod_t self:process setrlimit;
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+corenet_tcp_sendrecv_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# lwsmd local policy
+#
+
+allow lwsmd_t self:process setpgid;
+
+allow lwsmd_t likewise_domains:process signal;
+
+allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# netlogond local policy
+#
+
+allow netlogond_t self:capability dac_override;
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+#################################
+#
+# srvsvcd local policy
+#
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(srvsvcd_t)
+corenet_all_recvfrom_unlabeled(srvsvcd_t)
+corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+corenet_tcp_sendrecv_generic_port(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
+
+optional_policy(`
+ kerberos_use(srvsvcd_t)
+')
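Review bot: The lsassd local policy grants several administrative-scope permissions — `seutil_run_semanage(lsassd_t, system_r)`, `domain_obj_id_change_exemption`, `files_manage_etc_files`, `files_relabelto_home` and `corecmd_exec_shell` — with no comment explaining which lsassd operation needs each, so a later reader cannot tell whether any of them can be narrowed. A short why-comment at the head of that section would help, e.g. `# lsassd provisions AD accounts locally: presumably edits /etc, creates and labels home dirs, and runs semanage for login mappings — confirm against the lsass sources`. The same applies to `manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)` and the matching netlogond_t rule, since `likewise_etc_t` is declared as a config file type yet is written by two daemons.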
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
new file mode 100644
index 000000000..79947d0ca
--- /dev/null
+++ b/policy/modules/services/lircd.fc
@@ -0,0 +1,17 @@
+/dev/lircd -s gen_context(system_u:object_r:lircd_var_run_t,s0)
+
+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
+/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+
+/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+
+/usr/bin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
+/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
new file mode 100644
index 000000000..de2543bc0
--- /dev/null
+++ b/policy/modules/services/lircd.if
@@ -0,0 +1,95 @@
+## <summary>Linux infared remote control daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run lircd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lircd_domtrans',`
+ gen_require(`
+ type lircd_t, lircd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, lircd_exec_t, lircd_t)
+')
+
+######################################
+## <summary>
+## Connect to lircd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_stream_connect',`
+ gen_require(`
+ type lircd_var_run_t, lircd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+')
+
+#######################################
+## <summary>
+## Read lircd etc files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_read_config',`
+ gen_require(`
+ type lircd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a lircd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lircd_admin',`
+ gen_require(`
+ type lircd_t, lircd_var_run_t;
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+ allow $1 lircd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lircd_t)
+
+ init_startstop_service($1, $2, lircd_t, lircd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, lircd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+ dev_list_all_dev_nodes($1)
+')
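Review bot: The module `<summary>` on the first line of this file misspells "infrared" as "infared"; that text is rendered into the generated interface documentation, so the line should read `## <summary>Linux infrared remote control daemon.</summary>`. The interfaces themselves require only types that lircd.te declares, and the stream-connect interface correctly pairs lircd_var_run_t with lircd_t.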
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
new file mode 100644
index 000000000..e85b2aa95
--- /dev/null
+++ b/policy/modules/services/lircd.te
@@ -0,0 +1,75 @@
+policy_module(lircd, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type lircd_t;
+type lircd_exec_t;
+init_daemon_domain(lircd_t, lircd_exec_t)
+
+type lircd_initrc_exec_t;
+init_script_file(lircd_initrc_exec_t)
+
+type lircd_etc_t;
+files_type(lircd_etc_t)
+
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
+type lircd_var_run_t alias lircd_sock_t;
+files_pid_file(lircd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:process signal;
+allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:tcp_socket { accept listen };
+
+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+
+dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+
+kernel_request_load_module(lircd_t)
+
+corenet_all_recvfrom_unlabeled(lircd_t)
+corenet_all_recvfrom_netlabel(lircd_t)
+corenet_tcp_sendrecv_generic_if(lircd_t)
+corenet_tcp_sendrecv_generic_node(lircd_t)
+corenet_tcp_bind_generic_node(lircd_t)
+
+corenet_sendrecv_lirc_server_packets(lircd_t)
+corenet_tcp_bind_lirc_port(lircd_t)
+corenet_sendrecv_lirc_client_packets(lircd_t)
+corenet_tcp_connect_lirc_port(lircd_t)
+corenet_tcp_sendrecv_lirc_port(lircd_t)
+
+dev_rw_generic_usb_dev(lircd_t)
+dev_read_mouse(lircd_t)
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+dev_read_sysfs(lircd_t)
+
+files_read_config_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+term_use_ptmx(lircd_t)
+
+logging_send_syslog_msg(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+
+sysnet_dns_name_resolve(lircd_t)
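Review bot: The self:capability rule at the top of the local policy grants `sys_admin` with no comment saying which lircd operation requires it; it is the broadest capability in this module and the first thing an auditor will ask about, as is `kernel_request_load_module(lircd_t)` a few lines below. A one-line why-comment above each, of the form `# sys_admin: needed for <operation — confirm from audit logs>`, would let a later reviewer decide whether the grant can be narrowed without re-deriving it.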
diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
new file mode 100644
index 000000000..305b8de7b
--- /dev/null
+++ b/policy/modules/services/lldpad.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
+
+/usr/bin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
+/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
+/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
+
+/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0)
diff --git a/policy/modules/services/lldpad.if b/policy/modules/services/lldpad.if
new file mode 100644
index 000000000..8d7692a36
--- /dev/null
+++ b/policy/modules/services/lldpad.if
@@ -0,0 +1,55 @@
+## <summary>Intel LLDP Agent.</summary>
+
+#######################################
+## <summary>
+## Send to lldpad with a unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpad_dgram_send',`
+ gen_require(`
+ type lldpad_t, lldpad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, lldpad_var_run_t, lldpad_var_run_t, lldpad_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an lldpad environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldpad_admin',`
+ gen_require(`
+ type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t;
+ type lldpad_var_run_t;
+ ')
+
+ allow $1 lldpad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lldpad_t)
+
+ init_startstop_service($1, $2, lldpad_t, lldpad_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, lldpad_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lldpad_var_run_t)
+')
diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
new file mode 100644
index 000000000..3251f91da
--- /dev/null
+++ b/policy/modules/services/lldpad.te
@@ -0,0 +1,62 @@
+policy_module(lldpad, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpad_t;
+type lldpad_exec_t;
+init_daemon_domain(lldpad_t, lldpad_exec_t)
+
+type lldpad_initrc_exec_t;
+init_script_file(lldpad_initrc_exec_t)
+
+type lldpad_tmpfs_t;
+files_tmpfs_file(lldpad_tmpfs_t)
+
+type lldpad_var_lib_t;
+files_type(lldpad_var_lib_t)
+
+type lldpad_var_run_t;
+files_pid_file(lldpad_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:shm create_shm_perms;
+allow lldpad_t self:fifo_file rw_fifo_file_perms;
+allow lldpad_t self:unix_stream_socket { accept listen };
+allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
+allow lldpad_t self:packet_socket create_socket_perms;
+allow lldpad_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
+fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file)
+
+manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
+manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
+
+manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
+files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
+
+kernel_read_all_sysctls(lldpad_t)
+kernel_read_network_state(lldpad_t)
+kernel_request_load_module(lldpad_t)
+
+dev_read_sysfs(lldpad_t)
+
+files_read_etc_files(lldpad_t)
+
+logging_send_syslog_msg(lldpad_t)
+
+miscfiles_read_localization(lldpad_t)
+
+optional_policy(`
+ fcoe_dgram_send_fcoemon(lldpad_t)
+')
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
new file mode 100644
index 000000000..8916d38e6
--- /dev/null
+++ b/policy/modules/services/lpd.fc
@@ -0,0 +1,39 @@
+/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
+
+/opt/gutenprint/bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+/opt/gutenprint/sbin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/bin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/bin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
+/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+
+/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+
+/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
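Review bot: The last entry labels `/var/spool/turboprint(/.*)?` as lpd_var_run_t, while every other `/var/spool` entry in this file uses print_spool_t; a runtime-state (pid) type on a spool tree looks inconsistent and is the kind of line a future cleanup would "correct". If the daemon genuinely treats that directory as runtime state, a comment on the line saying so (e.g. `# turboprint keeps runtime state here, not spool content — confirm`) would prevent that.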
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
new file mode 100644
index 000000000..62563717b
--- /dev/null
+++ b/policy/modules/services/lpd.if
@@ -0,0 +1,255 @@
+## <summary>Line printer daemon.</summary>
+
+########################################
+## <summary>
+## Role access for lpd.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`lpd_role',`
+ gen_require(`
+ attribute_role lpr_roles;
+ type lpr_t, lpr_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 lpr_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
+
+ allow $2 lpr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, lpr_t)
+
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ optional_policy(`
+ cups_read_config($2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute lpd in the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lpd_domtrans_checkpc',`
+ gen_require(`
+ type checkpc_t, checkpc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, checkpc_exec_t, checkpc_t)
+')
+
+########################################
+## <summary>
+## Execute amrecover in the lpd
+## domain, and allow the specified
+## role the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_run_checkpc',`
+ gen_require(`
+ attribute_role checkpc_roles;
+ ')
+
+ lpd_domtrans_checkpc($1)
+ roleattribute $2 checkpc_roles;
+')
+
+########################################
+## <summary>
+## List printer spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_list_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read printer spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## printer spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_manage_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Relabel spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_relabel_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Read printer configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_read_config',`
+ gen_require(`
+ type printconf_t;
+ ')
+
+ allow $1 printconf_t:dir list_dir_perms;
+ read_files_pattern($1, printconf_t, printconf_t)
+')
+
+########################################
+## <summary>
+## Transition to a user lpr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
+')
+
+########################################
+## <summary>
+## Execute lpr in the lpr domain, and
+## allow the specified role the lpr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_run_lpr',`
+ gen_require(`
+ attribute_role lpr_roles;
+ ')
+
+ lpd_domtrans_lpr($1)
+ roleattribute $2 lpr_roles;
+')
+
+########################################
+## <summary>
+## Execute lpr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_exec_lpr',`
+ gen_require(`
+ type lpr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lpr_exec_t)
+')
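Review bot: The `<summary>` of `lpd_domtrans_checkpc` says "Execute lpd in the lpd domain" and the one on `lpd_run_checkpc` says "Execute amrecover in the lpd domain", but both interfaces transition into checkpc_t; they should read `## Execute checkpc in the checkpc domain.` and `## Execute checkpc in the checkpc domain, and allow the specified role the checkpc domain.` respectively. Separately, `lpd_domtrans_lpr` is declared with `template(` although its body performs no `$1`-based type naming, so it should be declared with `interface(` like `lpd_domtrans_checkpc` and the other domtrans interfaces in this file.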
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
new file mode 100644
index 000000000..149a30ac6
--- /dev/null
+++ b/policy/modules/services/lpd.te
@@ -0,0 +1,302 @@
+policy_module(lpd, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether to support lpd server.
+## </p>
+## </desc>
+gen_tunable(use_lpd_server, false)
+
+attribute_role checkpc_roles;
+attribute_role lpr_roles;
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t, checkpc_exec_t)
+role checkpc_roles types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t, lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_t;
+type lpr_exec_t;
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+userdom_user_application_domain(lpr_t, lpr_exec_t)
+role lpr_roles types lpr_t;
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+userdom_user_tmp_file(lpr_tmp_t)
+
+type print_spool_t;
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_config_file(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+allow checkpc_t self:capability { dac_override setgid setuid };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(checkpc_t, checkpc_log_t, file)
+
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+
+rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+
+allow checkpc_t printconf_t:file getattr_file_perms;
+allow checkpc_t printconf_t:dir list_dir_perms;
+
+kernel_read_system_state(checkpc_t)
+
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
+corenet_tcp_sendrecv_generic_if(checkpc_t)
+corenet_tcp_sendrecv_generic_node(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+
+corenet_sendrecv_all_client_packets(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+files_search_pids(checkpc_t)
+files_search_spool(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+init_use_fds(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+userdom_use_user_terminals(checkpc_t)
+
+optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
+allow lpd_t self:unix_stream_socket { accept listen };
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
+
+manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+
+allow lpd_t printconf_t:dir list_dir_perms;
+
+allow lpd_t printer_t:sock_file manage_sock_file_perms;
+dev_filetrans(lpd_t, printer_t, sock_file)
+
+can_exec(lpd_t, printconf_t)
+
+kernel_read_kernel_sysctls(lpd_t)
+kernel_read_system_state(lpd_t)
+
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
+corenet_tcp_sendrecv_generic_if(lpd_t)
+corenet_tcp_sendrecv_generic_node(lpd_t)
+corenet_tcp_bind_generic_node(lpd_t)
+
+corenet_sendrecv_printer_server_packets(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_tcp_sendrecv_printer_port(lpd_t)
+
+corecmd_exec_bin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+files_read_etc_files(lpd_t)
+files_search_spool(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
+
+optional_policy(`
+ nis_use_ypbind(lpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+ udev_read_db(lpd_t)
+')
+
+##############################
+#
+# Lpr local policy
+#
+
+allow lpr_t self:capability { chown dac_override net_bind_service setuid };
+allow lpr_t self:unix_stream_socket { accept listen };
+
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+can_exec(lpr_t, lpr_exec_t)
+
+kernel_read_crypto_sysctls(lpr_t)
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_generic_node(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+
+corenet_sendrecv_all_client_packets(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+files_read_usr_files(lpr_t)
+files_list_home(lpr_t)
+
+fs_getattr_all_fs(lpr_t)
+
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+auth_use_nsswitch(lpr_t)
+
+logging_send_syslog_msg(lpr_t)
+
+miscfiles_read_fonts(lpr_t)
+miscfiles_read_localization(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`use_lpd_server',`
+ allow lpr_t lpd_t:process signal;
+
+ write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+ files_read_var_files(lpr_t)
+
+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
+ filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ allow lpr_t printconf_t:file read_file_perms;
+ allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_all_gkeyringd(lpr_t)
+')
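Review bot: The rule `allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };` sits under the "Lpr local policy" heading but has lpd_t as its source, and lpd_t already receives a superset through `manage_files_pattern(lpd_t, print_spool_t, print_spool_t)` in the Lpd section, so the line is both misplaced and redundant and can be dropped. In the same file, `allow lpd_t self:udp_socket create_stream_socket_perms;` grants listen/accept on a datagram socket; `create_socket_perms` is the set used for udp_socket elsewhere in this diff (checkpc_t above, lldpad_t in lldpad.te).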
diff --git a/policy/modules/services/lsm.fc b/policy/modules/services/lsm.fc
new file mode 100644
index 000000000..f8a447096
--- /dev/null
+++ b/policy/modules/services/lsm.fc
@@ -0,0 +1,3 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/policy/modules/services/lsm.if b/policy/modules/services/lsm.if
new file mode 100644
index 000000000..44910afaf
--- /dev/null
+++ b/policy/modules/services/lsm.if
@@ -0,0 +1,30 @@
+## <summary>Storage array management library.</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lsmd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lsmd_admin',`
+ gen_require(`
+ type lsmd_t, lsmd_var_run_t;
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lsmd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+')
diff --git a/policy/modules/services/lsm.te b/policy/modules/services/lsm.te
new file mode 100644
index 000000000..c80e3e968
--- /dev/null
+++ b/policy/modules/services/lsm.te
@@ -0,0 +1,29 @@
+policy_module(lsm, 1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type lsmd_t;
+type lsmd_exec_t;
+init_daemon_domain(lsmd_t, lsmd_exec_t)
+
+type lsmd_var_run_t;
+files_pid_file(lsmd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow lsmd_t self:capability setgid;
+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+
+logging_send_syslog_msg(lsmd_t)
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
new file mode 100644
index 000000000..fe7a51595
--- /dev/null
+++ b/policy/modules/services/mailman.fc
@@ -0,0 +1,29 @@
+/etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+
+/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
+
+/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0)
+
+/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0)
+
+/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
new file mode 100644
index 000000000..259f0c3e2
--- /dev/null
+++ b/policy/modules/services/mailman.if
@@ -0,0 +1,343 @@
+## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
+
+#######################################
+## <summary>
+## The template to define a mailman domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`mailman_domain_template',`
+ gen_require(`
+ attribute mailman_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type mailman_$1_t, mailman_domain;
+ type mailman_$1_exec_t;
+ domain_type(mailman_$1_t)
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ ####################################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ auth_use_nsswitch(mailman_$1_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ libs_search_lib($1)
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+')
+
+########################################
+## <summary>
+## Execute the mailman program in the
+## mailman domain and allow the
+## specified role the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mailman_run',`
+ gen_require(`
+ attribute_role mailman_roles;
+ ')
+
+ mailman_domtrans($1)
+ roleattribute $2 mailman_roles;
+')
+
+#######################################
+## <summary>
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ libs_search_lib($1)
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowd access.
+## </summary>
+## </param>
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ libs_search_lib($1)
+ can_exec($1, mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to mailman cgi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+## Search mailman data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mailman_data_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Read mailman data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ files_search_spool($1)
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mailman data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ manage_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## List mailman data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mailman_data_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Read mailman data symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Read mailman log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Append mailman log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_append_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mailman log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, mailman_log_t, mailman_log_t)
+ manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Read mailman archive content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman_queue in the
+## mailman_queue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_queue',`
+ gen_require(`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+ libs_search_lib($1)
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
+')
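Review bot: The `<param>` summary of `mailman_exec` reads "Domain allowd access"; it should be `## Domain allowed access.` to match every other interface in this file. The remaining interface documentation is consistent with the types each interface requires.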
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
new file mode 100644
index 000000000..ca7f7b450
--- /dev/null
+++ b/policy/modules/services/mailman.te
@@ -0,0 +1,269 @@
+policy_module(mailman, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mailman_domain;
+
+attribute_role mailman_roles;
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+type mailman_var_run_t;
+files_pid_file(mailman_var_run_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+role mailman_roles types mailman_mail_t;
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Common local policy
+#
+
+allow mailman_domain self:tcp_socket { accept listen };
+
+manage_dirs_pattern(mailman_domain, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_domain, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_domain, mailman_archive_t, mailman_archive_t)
+
+manage_dirs_pattern(mailman_domain, mailman_data_t, mailman_data_t)
+manage_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
+manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
+
+manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
+files_lock_filetrans(mailman_domain, mailman_lock_t, file)
+
+append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+logging_log_filetrans(mailman_domain, mailman_log_t, file)
+
+kernel_read_kernel_sysctls(mailman_domain)
+kernel_read_system_state(mailman_domain)
+
+corenet_all_recvfrom_unlabeled(mailman_domain)
+corenet_all_recvfrom_netlabel(mailman_domain)
+corenet_tcp_sendrecv_generic_if(mailman_domain)
+corenet_tcp_sendrecv_generic_node(mailman_domain)
+
+corenet_sendrecv_smtp_client_packets(mailman_domain)
+corenet_tcp_connect_smtp_port(mailman_domain)
+corenet_tcp_sendrecv_smtp_port(mailman_domain)
+
+corecmd_exec_all_executables(mailman_domain)
+
+files_exec_etc_files(mailman_domain)
+files_list_usr(mailman_domain)
+files_list_var(mailman_domain)
+files_list_var_lib(mailman_domain)
+files_read_var_lib_symlinks(mailman_domain)
+files_read_etc_runtime_files(mailman_domain)
+files_search_spool(mailman_domain)
+
+fs_getattr_all_fs(mailman_domain)
+
+libs_exec_ld_so(mailman_domain)
+libs_exec_lib_files(mailman_domain)
+
+logging_send_syslog_msg(mailman_domain)
+
+miscfiles_read_localization(mailman_domain)
+
+########################################
+#
+# CGI local policy
+#
+
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+
+dev_read_urand(mailman_cgi_t)
+
+files_search_locks(mailman_cgi_t)
+
+term_use_controlling_term(mailman_cgi_t)
+
+libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+
+logging_search_logs(mailman_cgi_t)
+
+miscfiles_read_localization(mailman_cgi_t)
+
+
+optional_policy(`
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fds(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+')
+
+optional_policy(`
+ postfix_read_config(mailman_cgi_t)
+')
+
+########################################
+#
+# Mail local policy
+#
+
+allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
+allow mailman_mail_t self:process { signal signull setsched };
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+
+kernel_read_system_state(mailman_mail_t)
+
+corenet_tcp_connect_smtp_port(mailman_mail_t)
+corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+
+dev_read_urand(mailman_mail_t)
+
+corecmd_exec_bin(mailman_mail_t)
+
+files_search_locks(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
+
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+
+miscfiles_read_localization(mailman_mail_t)
+
+mta_use_mailserver_fds(mailman_mail_t)
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
+
+optional_policy(`
+ courier_read_spool(mailman_mail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(mailman_mail_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
+ postfix_rw_inherited_master_pipes(mailman_mail_t)
+')
+
+########################################
+#
+# Queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process { setsched signal_perms };
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+corecmd_read_bin_files(mailman_queue_t)
+corenet_sendrecv_innd_client_packets(mailman_queue_t)
+corenet_tcp_connect_innd_port(mailman_queue_t)
+corenet_tcp_sendrecv_innd_port(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+files_search_locks(mailman_queue_t)
+
+miscfiles_read_localization(mailman_queue_t)
+
+seutil_dontaudit_search_config(mailman_queue_t)
+
+userdom_search_user_home_dirs(mailman_queue_t)
+
+cron_rw_tmp_files(mailman_queue_t)
+
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
+
+optional_policy(`
+ cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+')
+
+optional_policy(`
+ su_exec(mailman_queue_t)
+')
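Review bot: `cron_rw_tmp_files(mailman_queue_t)` in the queue section is called unconditionally, while every other cron interface in this file (`cron_read_pipes` in the mail section, `cron_system_entry` two blocks below) sits inside an `optional_policy` block, so this one line appears to make cron a hard build dependency of the mailman module; move it into the existing `optional_policy` block next to `cron_system_entry(mailman_queue_t, mailman_queue_exec_t)`. Separately, `corecmd_exec_all_executables(mailman_domain)` in the common section grants every mailman domain, including the CGI one reached from the web server, execution of all executable types, which is far wider than the per-domain `corecmd_exec_bin` calls that follow; if Mailman only needs bin and shell, narrowing it would limit what a compromised CGI handler can launch. The `auth_domtrans_chk_passwd` and `su_exec` grants to `mailman_queue_t` would also benefit from a comment naming the Mailman feature that needs them.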
diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc
new file mode 100644
index 000000000..cc6a8f886
--- /dev/null
+++ b/policy/modules/services/mailscanner.fc
@@ -0,0 +1,15 @@
+/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
+
+/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
+
+/usr/bin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
+/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
+/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
+
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mscan_spool_t,s0)
diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
new file mode 100644
index 000000000..a684cfdb1
--- /dev/null
+++ b/policy/modules/services/mailscanner.if
@@ -0,0 +1,60 @@
+## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mscan spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mscan_manage_spool_content',`
+ gen_require(`
+ type mscan_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
+ manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mscan environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mscan_admin',`
+ gen_require(`
+ type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
+ type mscan_var_run_t, mscan_spool_t;
+ ')
+
+ allow $1 mscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mscan_t)
+
+ init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mscan_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mscan_var_run_t)
+
+ files_search_spool($1)
+ admin_pattern($1, mscan_spool_t)
+')
diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
new file mode 100644
index 000000000..1011e3b26
--- /dev/null
+++ b/policy/modules/services/mailscanner.te
@@ -0,0 +1,101 @@
+policy_module(mailscanner, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type mscan_t;
+type mscan_exec_t;
+init_daemon_domain(mscan_t, mscan_exec_t)
+
+type mscan_initrc_exec_t;
+init_script_file(mscan_initrc_exec_t)
+
+type mscan_etc_t;
+files_config_file(mscan_etc_t)
+
+type mscan_spool_t;
+files_type(mscan_spool_t)
+
+type mscan_tmp_t;
+files_tmp_file(mscan_tmp_t)
+
+type mscan_var_run_t;
+files_pid_file(mscan_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mscan_t self:capability { chown dac_override setgid setuid };
+allow mscan_t self:process signal;
+allow mscan_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+
+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
+files_pid_filetrans(mscan_t, mscan_var_run_t, file)
+
+manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
+manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
+files_spool_filetrans(mscan_t, mscan_spool_t, dir)
+
+manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
+manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
+files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
+
+can_exec(mscan_t, mscan_exec_t)
+
+kernel_read_system_state(mscan_t)
+
+corecmd_exec_bin(mscan_t)
+corecmd_exec_shell(mscan_t)
+
+corenet_all_recvfrom_netlabel(mscan_t)
+corenet_all_recvfrom_unlabeled(mscan_t)
+corenet_tcp_bind_generic_node(mscan_t)
+corenet_udp_bind_generic_node(mscan_t)
+corenet_tcp_sendrecv_generic_if(mscan_t)
+corenet_udp_sendrecv_generic_if(mscan_t)
+corenet_tcp_sendrecv_generic_node(mscan_t)
+corenet_udp_sendrecv_generic_node(mscan_t)
+
+corenet_sendrecv_trisoap_client_packets(mscan_t)
+corenet_tcp_connect_trisoap_port(mscan_t)
+corenet_tcp_sendrecv_trisoap_port(mscan_t)
+
+corenet_sendrecv_generic_server_packets(mscan_t)
+corenet_udp_bind_generic_port(mscan_t)
+corenet_udp_sendrecv_all_ports(mscan_t)
+
+dev_read_urand(mscan_t)
+
+files_read_usr_files(mscan_t)
+
+fs_getattr_xattr_fs(mscan_t)
+
+auth_dontaudit_read_shadow(mscan_t)
+auth_use_nsswitch(mscan_t)
+
+logging_send_syslog_msg(mscan_t)
+
+miscfiles_read_localization(mscan_t)
+
+optional_policy(`
+ clamav_domtrans_clamscan(mscan_t)
+')
+
+optional_policy(`
+ mta_send_mail(mscan_t)
+ mta_manage_queue(mscan_t)
+')
+
+optional_policy(`
+ procmail_domtrans(mscan_t)
+')
+
+optional_policy(`
+ spamassassin_read_lib_files(mscan_t)
+')
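Review bot: `corenet_udp_bind_generic_port(mscan_t)` together with `corenet_udp_sendrecv_all_ports(mscan_t)` lets the scanner bind and exchange UDP on any port, yet nothing in the hunk says which MailScanner feature needs it (resolver traffic is already covered by `auth_use_nsswitch`). A one-line comment naming the consumer, e.g. `# generic UDP bind + all ports: needed by <feature>, see MailScanner.conf`, or better a narrower port interface, would make the grant reviewable; the same goes for `corenet_tcp_bind_generic_node`, which has no matching `corenet_tcp_bind_*_port` call here. Note also that `mscan_tmp_t` is declared in this file but `mscan_admin` in mailscanner.if does not cover it, so an admin role cannot clean up leftover scanner temp files.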
diff --git a/policy/modules/services/mediawiki.fc b/policy/modules/services/mediawiki.fc
new file mode 100644
index 000000000..99f7c4187
--- /dev/null
+++ b/policy/modules/services/mediawiki.fc
@@ -0,0 +1,8 @@
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
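Review bot: The third entry, `/usr/lib/mediawiki/math/texvc_tes`, looks like a truncated `texvc_test` given that its siblings are `texvc` and `texvc_tex`; if the real file is `texvc_test`, it would keep the default library label instead of `httpd_mediawiki_script_exec_t` and never transition into the mediawiki script domain. Please verify the file name shipped by the mediawiki math package and, if confirmed, change the line to `/usr/lib/mediawiki/math/texvc_test -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)`.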
diff --git a/policy/modules/services/mediawiki.if b/policy/modules/services/mediawiki.if
new file mode 100644
index 000000000..9771b4ba3
--- /dev/null
+++ b/policy/modules/services/mediawiki.if
@@ -0,0 +1 @@
+## <summary>Open source wiki package written in PHP.</summary>
diff --git a/policy/modules/services/mediawiki.te b/policy/modules/services/mediawiki.te
new file mode 100644
index 000000000..c528b9fa7
--- /dev/null
+++ b/policy/modules/services/mediawiki.te
@@ -0,0 +1,17 @@
+policy_module(mediawiki, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+########################################
+#
+# Local policy
+#
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
new file mode 100644
index 000000000..37429fd4f
--- /dev/null
+++ b/policy/modules/services/memcached.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
new file mode 100644
index 000000000..5c12b31a3
--- /dev/null
+++ b/policy/modules/services/memcached.if
@@ -0,0 +1,131 @@
+## <summary>High-performance memory object caching system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+ gen_require(`
+ type memcached_t,memcached_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## memcached pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_manage_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+')
+
+########################################
+## <summary>
+## Read memcached pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to memcached using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_stream_connect',`
+ gen_require(`
+ type memcached_t, memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
+')
+
+########################################
+## <summary>
+## Connect to memcache over the network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_tcp_connect',`
+ gen_require(`
+ type memcached_t;
+ ')
+
+ corenet_sendrecv_memcache_client_packets($1)
+ corenet_tcp_connect_memcache_port($1)
+ corenet_tcp_recvfrom_labeled($1, memcached_t)
+ corenet_tcp_sendrecv_memcache_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an memcached environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+ gen_require(`
+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
+ ')
+
+ allow $1 memcached_t:process { ptrace signal_perms };
+ ps_process_pattern($1, memcached_t)
+
+ init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, memcached_var_run_t)
+')
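Review bot: `type memcached_t,memcached_exec_t;` in `memcached_domtrans` is missing the space after the comma that every other `gen_require` in this file uses (compare `type memcached_t, memcached_var_run_t;` in `memcached_stream_connect`); change it to `type memcached_t, memcached_exec_t;`. The summary of `memcached_tcp_connect` also says "memcache" where the rest of the file consistently says "memcached".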
diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
new file mode 100644
index 000000000..c90c632fe
--- /dev/null
+++ b/policy/modules/services/memcached.te
@@ -0,0 +1,62 @@
+policy_module(memcached, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memcached_t self:capability { setgid setuid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { setrlimit signal_perms };
+allow memcached_t self:tcp_socket { accept listen };
+allow memcached_t self:udp_socket { accept listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t, memcached_var_run_t, dir)
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_all_recvfrom_netlabel(memcached_t)
+corenet_tcp_sendrecv_generic_if(memcached_t)
+corenet_udp_sendrecv_generic_if(memcached_t)
+corenet_tcp_sendrecv_generic_node(memcached_t)
+corenet_udp_sendrecv_generic_node(memcached_t)
+corenet_tcp_bind_generic_node(memcached_t)
+corenet_udp_bind_generic_node(memcached_t)
+
+corenet_sendrecv_memcache_server_packets(memcached_t)
+corenet_tcp_bind_memcache_port(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_memcache_port(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+
+dev_read_sysfs(memcached_t)
+
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+
+auth_use_nsswitch(memcached_t)
+
+miscfiles_read_localization(memcached_t)
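Review bot: `corenet_tcp_sendrecv_all_ports(memcached_t)` and `corenet_udp_sendrecv_all_ports(memcached_t)` allow traffic on every labeled port although the daemon only ever binds `memcache_port_t`; unless there is a known outbound need, narrowing them to `corenet_tcp_sendrecv_memcache_port(memcached_t)` and `corenet_udp_sendrecv_memcache_port(memcached_t)` keeps the domain from being a convenient pivot. The unconditional `corenet_udp_bind_memcache_port` is worth a second look as well: memcached's UDP listener is commonly disabled in production deployments because it is abused for reflection, so gating that bind (and the `udp_socket { accept listen }` line) behind a boolean would let hardened hosts deny it by policy rather than relying on the daemon's command-line flags alone.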
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
new file mode 100644
index 000000000..42fe5e941
--- /dev/null
+++ b/policy/modules/services/milter.fc
@@ -0,0 +1,25 @@
+/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
+/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
new file mode 100644
index 000000000..ffb58f9fa
--- /dev/null
+++ b/policy/modules/services/milter.if
@@ -0,0 +1,117 @@
+## <summary>Milter mail filters.</summary>
+
+#######################################
+## <summary>
+## The template to define a milter domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`milter_template',`
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_milter_t, milter_domains;
+ type $1_milter_exec_t;
+ init_daemon_domain($1_milter_t, $1_milter_exec_t)
+
+ type $1_milter_data_t, milter_data_type;
+ files_pid_file($1_milter_data_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ auth_use_nsswitch($1_milter_t)
+')
+
+########################################
+## <summary>
+## connect to all milter domains using
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+## Get attributes of all milter sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## spamassissin milter data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
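Review bot: `files_pid_file($1_milter_data_t)` in `milter_template` types the per-milter data as a runtime pid file, but milter.fc in this same commit labels persistent state such as `/var/lib/milter-greylist(/.*)?`, `/var/lib/sqlgrey(/.*)?` and `/var/spool/milter-regex(/.*)?` with that same type, so anything granted access to all pid files (for example an admin or boot-time cleanup interface that wipes `/run`) would reach the greylist database too. The spamass milter already separates the two concerns (`spamass_milter_state_t` via `files_type` in milter.te); consider giving the template a matching `$1_milter_state_t` and reserving `$1_milter_data_t` for sockets and pid files. Minor: "spamassissin" in the summaries of `milter_manage_spamass_state` and `milter_getattr_data_dir` should read "spamassassin".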
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
new file mode 100644
index 000000000..6767e8310
--- /dev/null
+++ b/policy/modules/services/milter.te
@@ -0,0 +1,121 @@
+policy_module(milter, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute milter_domains;
+attribute milter_data_type;
+
+milter_template(greylist)
+milter_template(regex)
+milter_template(spamass)
+
+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
+#######################################
+#
+# Common local policy
+#
+
+allow milter_domains self:fifo_file rw_fifo_file_perms;
+allow milter_domains self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_unlabeled(milter_domains)
+corenet_all_recvfrom_netlabel(milter_domains)
+corenet_tcp_sendrecv_generic_if(milter_domains)
+corenet_tcp_sendrecv_generic_node(milter_domains)
+corenet_tcp_bind_generic_node(milter_domains)
+
+corenet_tcp_bind_milter_port(milter_domains)
+corenet_tcp_sendrecv_all_ports(milter_domains)
+
+miscfiles_read_localization(milter_domains)
+
+logging_send_syslog_msg(milter_domains)
+
+########################################
+#
+# greylist local policy
+#
+
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { getsched setsched };
+
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
+
+corenet_sendrecv_kismet_server_packets(greylist_milter_t)
+corenet_tcp_bind_kismet_port(greylist_milter_t)
+corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
+
+corecmd_exec_bin(greylist_milter_t)
+corecmd_exec_shell(greylist_milter_t)
+
+dev_read_rand(greylist_milter_t)
+dev_read_urand(greylist_milter_t)
+
+files_read_usr_files(greylist_milter_t)
+files_search_var_lib(greylist_milter_t)
+
+mta_read_config(greylist_milter_t)
+
+miscfiles_read_localization(greylist_milter_t)
+
+optional_policy(`
+ mysql_stream_connect(greylist_milter_t)
+')
+
+########################################
+#
+# regex local policy
+#
+
+allow regex_milter_t self:capability { dac_override setgid setuid };
+
+files_search_spool(regex_milter_t)
+
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass local policy
+#
+
+allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };
+
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+
+kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
+
+corecmd_exec_shell(spamass_milter_t)
+
+dev_read_sysfs(spamass_milter_t)
+
+files_search_var_lib(spamass_milter_t)
+
+optional_policy(`
+ mta_send_mail(spamass_milter_t)
+')
+
+optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+')
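Review bot: The greylist section binds and connects to the `movaz_ssc` and `kismet` port labels with no comment explaining why a mail greylisting milter talks on those ports; presumably these are the labels refpolicy's corenet assigns to milter-greylist's default listener port, but as written it reads like a copy-paste from another module. A comment such as `# milter-greylist's default TCP port is labeled kismet/movaz_ssc in corenet` (after confirming the port numbers) would settle that. More broadly, `corenet_tcp_sendrecv_all_ports(milter_domains)` in the common section lets every milter domain exchange traffic on any port while they only bind `milter_port_t`; if the greylist database path is the only outbound need and it goes through `mysql_stream_connect`, the all-ports grant could likely be narrowed to `corenet_tcp_sendrecv_milter_port(milter_domains)`.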
diff --git a/policy/modules/services/minidlna.fc b/policy/modules/services/minidlna.fc
new file mode 100644
index 000000000..79af2d745
--- /dev/null
+++ b/policy/modules/services/minidlna.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+
+/usr/bin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/policy/modules/services/minidlna.if b/policy/modules/services/minidlna.if
new file mode 100644
index 000000000..7aa4fc997
--- /dev/null
+++ b/policy/modules/services/minidlna.if
@@ -0,0 +1,61 @@
+## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an minidlna environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`minidlna_admin',`
+ gen_require(`
+ type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+ type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
+ ')
+
+ allow $1 minidlna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minidlna_t)
+
+ init_startstop_service($1, $2, minidlna_t, minidlna_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, minidlna_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, minidlna_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, minidlna_db_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute minidlna init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`minidlna_initrc_domtrans',`
+ gen_require(`
+ type minidlna_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
diff --git a/policy/modules/services/minidlna.te b/policy/modules/services/minidlna.te
new file mode 100644
index 000000000..565f60900
--- /dev/null
+++ b/policy/modules/services/minidlna.te
@@ -0,0 +1,106 @@
+policy_module(minidlna, 1.2.1)
+
+#############################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether minidlna can read generic user content.
+## </p>
+## </desc>
+gen_tunable(minidlna_read_generic_user_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process setsched;
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+corenet_udp_sendrecv_generic_if(minidlna_t)
+corenet_udp_sendrecv_generic_node(minidlna_t)
+corenet_udp_sendrecv_ssdp_port(minidlna_t)
+
+files_search_var_lib(minidlna_t)
+
+auth_use_nsswitch(minidlna_t)
+
+logging_search_logs(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+xdg_read_music(minidlna_t)
+xdg_read_pictures(minidlna_t)
+xdg_read_videos(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_user_home_content_files(minidlna_t)
+ userdom_read_user_home_content_symlinks(minidlna_t)
+ userdom_read_user_tmp_files(minidlna_t)
+ userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+ files_dontaudit_list_home(minidlna_t)
+ files_dontaudit_list_tmp(minidlna_t)
+
+ userdom_dontaudit_list_user_home_dirs(minidlna_t)
+ userdom_dontaudit_list_user_tmp(minidlna_t)
+ userdom_dontaudit_read_user_home_content_files(minidlna_t)
+ userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
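Review bot: The log rules at L42085–L42086 grant append and create on minidlna_log_t files, but no file transition from the generic log directory is declared, so a log file created directly under /var/log — the case the `/var/log/minidlna\.log.*` entry in minidlna.fc at L41962 exists for — is denied outright, because create_files_pattern only grants directory entry creation on minidlna_log_t directories. Add `logging_log_filetrans(minidlna_t, minidlna_log_t, file)` next to the create rule, as mongodb.te does at L42855. If the daemon only ever writes inside /var/log/minidlna/, which the fc labels as a whole, creation already works through parent-type inheritance and this is only a consistency nit.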
diff --git a/policy/modules/services/minissdpd.fc b/policy/modules/services/minissdpd.fc
new file mode 100644
index 000000000..cdad38ed2
--- /dev/null
+++ b/policy/modules/services/minissdpd.fc
@@ -0,0 +1,10 @@
+/etc/default/minissdpd -- gen_context(system_u:object_r:minissdpd_conf_t,s0)
+
+/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+
+/usr/bin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
+/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
+/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0)
diff --git a/policy/modules/services/minissdpd.if b/policy/modules/services/minissdpd.if
new file mode 100644
index 000000000..d4bdf6c40
--- /dev/null
+++ b/policy/modules/services/minissdpd.if
@@ -0,0 +1,55 @@
+## <summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
+
+########################################
+## <summary>
+## Read minissdpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`minissdpd_read_config',`
+ gen_require(`
+ type minissdpd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 minissdpd_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an minissdpd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`minissdpd_admin',`
+ gen_require(`
+ type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
+ type minissdpd_var_run_t;
+ ')
+
+ allow $1 minissdpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minissdpd_t)
+
+ init_startstop_service($1, $2, minissdpd_t, minissdpd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, minissdpd_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minissdpd_var_run_t)
+')
diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te
new file mode 100644
index 000000000..86d0d54e5
--- /dev/null
+++ b/policy/modules/services/minissdpd.te
@@ -0,0 +1,51 @@
+policy_module(minissdpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type minissdpd_t;
+type minissdpd_exec_t;
+init_daemon_domain(minissdpd_t, minissdpd_exec_t)
+
+type minissdpd_initrc_exec_t;
+init_script_file(minissdpd_initrc_exec_t)
+
+type minissdpd_conf_t;
+files_config_file(minissdpd_conf_t)
+
+type minissdpd_var_run_t;
+files_pid_file(minissdpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow minissdpd_t self:capability { net_admin sys_module };
+allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow minissdpd_t self:udp_socket create_socket_perms;
+allow minissdpd_t self:unix_dgram_socket create_socket_perms;
+
+allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
+allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+
+kernel_load_module(minissdpd_t)
+kernel_read_network_state(minissdpd_t)
+kernel_request_load_module(minissdpd_t)
+
+corenet_all_recvfrom_unlabeled(minissdpd_t)
+corenet_all_recvfrom_netlabel(minissdpd_t)
+corenet_udp_sendrecv_generic_if(minissdpd_t)
+corenet_udp_sendrecv_generic_node(minissdpd_t)
+corenet_udp_bind_generic_node(minissdpd_t)
+
+corenet_sendrecv_ssdp_server_packets(minissdpd_t)
+corenet_udp_bind_ssdp_port(minissdpd_t)
+corenet_udp_sendrecv_ssdp_port(minissdpd_t)
+
+logging_send_syslog_msg(minissdpd_t)
+
+miscfiles_read_localization(minissdpd_t) \ No newline at end of file
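Review bot: The capability line at L42252 grants `sys_module` alongside `net_admin`, and L42261 and L42263 grant both direct module loading and module-load requests, with no comment on why a discovery daemon needs to load kernel modules; this is the highest-impact grant in the module and deserves a why-comment in the style monit.te uses at L43125–L43127, e.g. `# sys_module / kernel_load_module: <reason, to be confirmed against the daemon source>`. If the daemon only triggers auto-loading through socket creation, `kernel_request_load_module` alone may be enough and the direct load plus `sys_module` could be dropped, which is worth confirming before the module ships. The undocumented `sys_admin` in modemmanager.te at L42360 has the same problem. The file also lacks a trailing newline (L42277).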
diff --git a/policy/modules/services/modemmanager.fc b/policy/modules/services/modemmanager.fc
new file mode 100644
index 000000000..88d8ff3f6
--- /dev/null
+++ b/policy/modules/services/modemmanager.fc
@@ -0,0 +1,5 @@
+/usr/bin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/bin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if
new file mode 100644
index 000000000..b1ac8b5d8
--- /dev/null
+++ b/policy/modules/services/modemmanager.if
@@ -0,0 +1,41 @@
+## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run modemmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modemmanager_domtrans',`
+ gen_require(`
+ type modemmanager_t, modemmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## modemmanager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modemmanager_dbus_chat',`
+ gen_require(`
+ type modemmanager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 modemmanager_t:dbus send_msg;
+ allow modemmanager_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
new file mode 100644
index 000000000..9efe585d2
--- /dev/null
+++ b/policy/modules/services/modemmanager.te
@@ -0,0 +1,62 @@
+policy_module(modemmanager, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type modemmanager_t;
+type modemmanager_exec_t;
+init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+typealias modemmanager_t alias ModemManager_t;
+typealias modemmanager_exec_t alias ModemManager_exec_t;
+
+########################################
+#
+# Local policy
+#
+
+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:fifo_file rw_fifo_file_perms;
+allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(modemmanager_t)
+
+dev_read_sysfs(modemmanager_t)
+dev_rw_modem(modemmanager_t)
+
+files_read_etc_files(modemmanager_t)
+
+term_use_generic_ptys(modemmanager_t)
+term_use_unallocated_ttys(modemmanager_t)
+
+miscfiles_read_localization(modemmanager_t)
+
+logging_send_syslog_msg(modemmanager_t)
+
+optional_policy(`
+ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
+
+ optional_policy(`
+ devicekit_dbus_chat_power(modemmanager_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(modemmanager_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(modemmanager_t)
+ ')
+')
+
+optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(modemmanager_t)
+ udev_manage_pid_files(modemmanager_t)
+')
diff --git a/policy/modules/services/mojomojo.fc b/policy/modules/services/mojomojo.fc
new file mode 100644
index 000000000..7b827ca7f
--- /dev/null
+++ b/policy/modules/services/mojomojo.fc
@@ -0,0 +1,5 @@
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
new file mode 100644
index 000000000..6680a0877
--- /dev/null
+++ b/policy/modules/services/mojomojo.if
@@ -0,0 +1 @@
+## <summary>MojoMojo Wiki.</summary>
diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
new file mode 100644
index 000000000..b22d0d983
--- /dev/null
+++ b/policy/modules/services/mojomojo.te
@@ -0,0 +1,27 @@
+policy_module(mojomojo, 1.2.1)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mojomojo)
+
+########################################
+#
+# Local policy
+#
+
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
+
+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+
+files_search_var_lib(httpd_mojomojo_script_t)
+
+sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_mojomojo_script_t)
+')
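Review bot: `corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)` is listed twice, at L42444 and L42446; drop the second occurrence. A duplicate rule is harmless to the compiled policy, but it makes the SMTP block look like it grants more than it does and hides real differences when the file is diffed later.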
diff --git a/policy/modules/services/mon.fc b/policy/modules/services/mon.fc
new file mode 100644
index 000000000..71b42ee79
--- /dev/null
+++ b/policy/modules/services/mon.fc
@@ -0,0 +1,13 @@
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/usr/bin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
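Review bot: The four test-script entries at L42465–L42468 leave the dots in `mon.d` and `mon-local.d` unescaped, so as regular expressions they also match unrelated names such as /usr/lib/mon/monXd/; the rest of the commit escapes literal dots (`init\.d` at L42152). Write them as `/usr/lib/mon/mon\.d/.*` and `/usr/lib/mon/mon-local\.d/.*`, and the two mon-contrib variants the same way.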
diff --git a/policy/modules/services/mon.if b/policy/modules/services/mon.if
new file mode 100644
index 000000000..4701724e6
--- /dev/null
+++ b/policy/modules/services/mon.if
@@ -0,0 +1,38 @@
+## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+## dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_use_fds',`
+ gen_require(`
+ type mon_t;
+ ')
+
+ dontaudit $1 mon_t:fd use;
+')
+
+######################################
+## <summary>
+## dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+ gen_require(`
+ type mon_var_lib_t;
+ ')
+
+ dontaudit $1 mon_var_lib_t:dir search;
+')
+
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
new file mode 100644
index 000000000..ae2ef764b
--- /dev/null
+++ b/policy/modules/services/mon.te
@@ -0,0 +1,230 @@
+policy_module(mon, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+allow mon_t self:tcp_socket create_stream_socket_perms;
+# for mailxmpp.alert to set ulimit
+allow mon_t self:process setrlimit;
+
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+corecmd_exec_bin(mon_t)
+corecmd_exec_shell(mon_t)
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+logging_send_syslog_msg(mon_t)
+logging_search_logs(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+
+files_read_usr_files(mon_net_test_t)
+
+fs_getattr_xattr_fs(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+
+miscfiles_read_generic_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+
+netutils_domtrans_ping(mon_net_test_t)
+
+sysnet_read_config(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+
+domain_read_all_domains_state(mon_local_test_t)
+
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+files_list_boot(mon_local_test_t)
+
+fs_search_auto_mountpoints(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+
+auth_use_nsswitch(mon_local_test_t)
+
+init_getattr_initctl(mon_local_test_t)
+
+logging_send_syslog_msg(mon_local_test_t)
+
+miscfiles_read_localization(mon_local_test_t)
+
+sysnet_read_config(mon_local_test_t)
+
+userdom_dontaudit_read_user_tmpfs_files(mon_local_test_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ rpc_read_nfs_content(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
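Review bot: L42639 and L42686 grant `rw_file_perms` on the fifo_file class, while L42569 uses `rw_fifo_file_perms` for the same thing on mon_t; the class-specific macro is the convention and should be used in all three places (`allow mon_net_test_t self:fifo_file rw_fifo_file_perms;` and `allow mon_local_test_t self:fifo_file rw_fifo_file_perms;`). The `sys_admin` grant to mon_local_test_t at L42685 also carries no comment naming which local test needs it, unlike the setrlimit rule at L42571–L42572; a one-line why-comment there would let the next reviewer judge whether the capability can be narrowed.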
diff --git a/policy/modules/services/mongodb.fc b/policy/modules/services/mongodb.fc
new file mode 100644
index 000000000..8d8517cd7
--- /dev/null
+++ b/policy/modules/services/mongodb.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+
+/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/policy/modules/services/mongodb.if b/policy/modules/services/mongodb.if
new file mode 100644
index 000000000..9a184f2a4
--- /dev/null
+++ b/policy/modules/services/mongodb.if
@@ -0,0 +1,39 @@
+## <summary>Scalable, high-performance, open source NoSQL database.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mongodb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mongodb_admin',`
+ gen_require(`
+ type mongod_t, mongod_initrc_exec_t, mongod_log_t;
+ type mongod_var_lib_t, mongod_var_run_t;
+ ')
+
+ allow $1 mongod_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mongod_t)
+
+ init_startstop_service($1, $2, mongod_t, mongod_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, mongod_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mongod_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mongod_var_run_t)
+')
diff --git a/policy/modules/services/mongodb.te b/policy/modules/services/mongodb.te
new file mode 100644
index 000000000..bf2b56f75
--- /dev/null
+++ b/policy/modules/services/mongodb.te
@@ -0,0 +1,61 @@
+policy_module(mongodb, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type mongod_t;
+type mongod_exec_t;
+init_daemon_domain(mongod_t, mongod_exec_t)
+
+type mongod_initrc_exec_t;
+init_script_file(mongod_initrc_exec_t)
+
+type mongod_log_t;
+logging_log_file(mongod_log_t)
+
+type mongod_var_lib_t;
+files_type(mongod_var_lib_t)
+
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mongod_t self:process signal;
+allow mongod_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, dir)
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+
+kernel_read_system_state(mongod_t)
+
+corenet_all_recvfrom_unlabeled(mongod_t)
+corenet_all_recvfrom_netlabel(mongod_t)
+corenet_tcp_sendrecv_generic_if(mongod_t)
+corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_bind_generic_node(mongod_t)
+
+dev_read_sysfs(mongod_t)
+dev_read_urand(mongod_t)
+
+files_read_etc_files(mongod_t)
+
+fs_getattr_all_fs(mongod_t)
+
+miscfiles_read_localization(mongod_t)
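Review bot: The network rules at L42867–L42871 allow binding a generic node, but no `corenet_tcp_bind_*_port` call follows, so the daemon's listening-socket bind will be denied unless the port type is granted somewhere outside this module. If corenetwork declares a port type for mongod, its bind and sendrecv interfaces belong here next to the generic-node rules; if it does not, a comment should say where the port access comes from or why no bind is expected.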
diff --git a/policy/modules/services/monit.fc b/policy/modules/services/monit.fc
new file mode 100644
index 000000000..1cd0238ed
--- /dev/null
+++ b/policy/modules/services/monit.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
+
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket -s gen_context(system_u:object_r:monit_runtime_t,s0)
+
+/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
+
+/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
+
+/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
+
+/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
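Review bot: The init-script entry at L42887 ends with `s9` instead of `s0` (`gen_context(system_u:object_r:monit_initrc_exec_t,s9)`); every other entry in the file uses `s0`, and on a policy that does not define sensitivity s9 this line fails relabelling, leaving the init script without its intended type. Change it to `/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s0)`.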
diff --git a/policy/modules/services/monit.if b/policy/modules/services/monit.if
new file mode 100644
index 000000000..832cdca8c
--- /dev/null
+++ b/policy/modules/services/monit.if
@@ -0,0 +1,126 @@
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run monit cli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`monit_domtrans_cli',`
+ gen_require(`
+ type monit_cli_t, monit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, monit_exec_t, monit_cli_t)
+')
+
+########################################
+## <summary>
+## Execute monit in the monit cli domain,
+## and allow the specified role
+## the monit cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_run_cli',`
+ gen_require(`
+ attribute_role monit_cli_roles;
+ ')
+
+ monit_domtrans_cli($1)
+ roleattribute $2 monit_cli_roles;
+')
+
+########################################
+## <summary>
+## Reload the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_reload',`
+ gen_require(`
+ class service { reload status };
+ type monit_initrc_exec_t, monit_unit_t;
+ ')
+
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };
+')
+
+########################################
+## <summary>
+## Start and stop the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_startstop_service',`
+ gen_require(`
+ class service { start status stop };
+ type monit_initrc_exec_t, monit_unit_t;
+ ')
+
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_admin',`
+ gen_require(`
+ type monit_t, monit_conf_t, monit_initrc_exec_t;
+ type monit_log_t, monit_runtime_t;
+ type monit_unit_t, monit_var_lib_t;
+ ')
+
+ admin_process_pattern($1, monit_t)
+
+ init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monit_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, monit_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monit_runtime_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, monit_var_lib_t)
+
+ monit_run_cli($1, $2)
+')
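Review bot: monit_admin (L42992–L43008) is the only *_admin interface in this commit whose header omits the `<rolecap/>` tag (compare L41988, L42202, L42792 and L43258), even though it takes a role parameter and, through `monit_run_cli($1, $2)` at L43031, assigns that role to monit_cli_roles. Add `## <rolecap/>` after the role parameter block so the generated documentation and role-capability tooling treat it like the other admin interfaces.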
diff --git a/policy/modules/services/monit.te b/policy/modules/services/monit.te
new file mode 100644
index 000000000..54e411b23
--- /dev/null
+++ b/policy/modules/services/monit.te
@@ -0,0 +1,179 @@
+policy_module(monit, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow monit to start/stop services
+## </p>
+## </desc>
+gen_tunable(monit_startstop_services, false)
+
+attribute_role monit_cli_roles;
+
+attribute monit_domain;
+
+type monit_t, monit_domain;
+type monit_exec_t;
+init_daemon_domain(monit_t, monit_exec_t)
+
+type monit_conf_t alias monit_etc_t;
+files_security_file(monit_conf_t) # may contain password for monit webinterface
+
+type monit_initrc_exec_t;
+init_script_file(monit_initrc_exec_t)
+
+type monit_cli_t, monit_domain;
+application_domain(monit_cli_t, monit_exec_t)
+role monit_cli_roles types monit_cli_t;
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
+
+type monit_unit_t;
+init_unit_file(monit_unit_t)
+
+type monit_var_lib_t;
+files_type(monit_var_lib_t)
+
+########################################
+#
+# Common monit domain policy
+#
+
+allow monit_domain self:unix_stream_socket create_stream_socket_perms;
+allow monit_domain monit_t:process { getpgid sigkill signal };
+
+allow monit_domain monit_conf_t:dir list_dir_perms;
+allow monit_domain monit_conf_t:file read_file_perms;
+allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms;
+
+kernel_read_system_state(monit_domain)
+
+# can not use with attributes
+#auth_use_nsswitch(monit_domain)
+
+# read /sys/class/net/eth0 /sys/devices/system/cpu
+dev_read_sysfs(monit_domain)
+dev_read_urand(monit_domain)
+
+files_getattr_all_mountpoints(monit_domain)
+
+fs_getattr_dos_fs(monit_domain)
+fs_getattr_dos_dirs(monit_domain)
+fs_getattr_tmpfs(monit_domain)
+fs_getattr_xattr_fs(monit_domain)
+
+miscfiles_read_generic_certs(monit_domain)
+miscfiles_read_localization(monit_domain)
+
+logging_send_syslog_msg(monit_domain)
+
+# disk usage of sd card
+storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
+
+########################################
+#
+# Daemon policy
+#
+
+# dac_read_search : read /run/exim/*
+# net_raw : create raw sockets
+# sys_ptrace : trace processes
+allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
+# setsockopt
+dontaudit monit_t self:capability net_admin;
+
+allow monit_t self:fifo_file rw_fifo_file_perms;
+allow monit_t self:rawip_socket connected_socket_perms;
+allow monit_t self:tcp_socket server_stream_socket_perms;
+
+allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
+logging_log_filetrans(monit_t, monit_log_t, file)
+
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
+
+allow monit_t monit_var_lib_t:dir manage_dir_perms;
+allow monit_t monit_var_lib_t:file manage_file_perms;
+
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
+auth_use_nsswitch(monit_t)
+
+corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
+
+corenet_tcp_bind_generic_node(monit_t)
+corenet_tcp_bind_monit_port(monit_t)
+corenet_tcp_connect_all_ports(monit_t)
+
+domain_getattr_all_domains(monit_t)
+domain_getpgid_all_domains(monit_t)
+domain_read_all_domains_state(monit_t)
+
+files_read_all_pids(monit_t)
+files_read_usr_files(monit_t)
+
+selinux_get_enforce_mode(monit_t)
+
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+ # systemctl is-system-running
+ init_stream_connect(monit_t)
+ init_get_system_status(monit_t)
+')
+
+tunable_policy(`monit_startstop_services',`
+ init_get_all_units_status(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(monit_t)
+')
+
+########################################
+#
+# Client policy
+#
+
+allow monit_cli_t monit_t:unix_stream_socket connectto;
+
+allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
+
+allow monit_cli_t monit_runtime_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:sock_file write;
+
+allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
+allow monit_cli_t monit_var_lib_t:file rw_file_perms;
+
+auth_use_nsswitch(monit_cli_t)
+
+corecmd_check_exec_bin_files(monit_cli_t)
+
+corenet_tcp_connect_monit_port(monit_cli_t)
+
+dev_read_rand(monit_cli_t)
+
+domain_use_interactive_fds(monit_cli_t)
+
+files_search_pids(monit_cli_t)
+files_search_var_lib(monit_cli_t)
+
+logging_search_logs(monit_cli_t)
+
+userdom_dontaudit_search_user_home_dirs(monit_cli_t)
+userdom_use_inherited_user_terminals(monit_cli_t)
diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc
new file mode 100644
index 000000000..f89b50f91
--- /dev/null
+++ b/policy/modules/services/monop.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/monopd -- gen_context(system_u:object_r:monopd_initrc_exec_t,s0)
+
+/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+
+/usr/bin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+
+/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+
+/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
+
+/run/monopd\.pid -- gen_context(system_u:object_r:monopd_var_run_t,s0)
diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if
new file mode 100644
index 000000000..01060047e
--- /dev/null
+++ b/policy/modules/services/monop.if
@@ -0,0 +1,39 @@
+## <summary>Monopoly daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monop environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`monop_admin',`
+ gen_require(`
+ type monopd_t, monopd_initrc_exec_t, monopd_share_t;
+ type monopd_etc_t, monopd_var_run_t;
+ ')
+
+ allow $1 monopd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, monopd_t)
+
+ init_startstop_service($1, $2, monopd_t, monopd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monopd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monopd_var_run_t)
+
+ files_search_usr($1)
+ admin_pattern($1, monopd_share_t)
+')
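Review bot: The interface summary for monop_admin reads "administrate an monop environment"; the domain it administers is monopd_t, so `## administrate a monopd environment.` is the accurate wording and matches the daemon name used in the file contexts. The rest of the interface follows the usual admin pattern (ptrace/signal on the daemon, init_startstop_service, admin_pattern on etc, pid and share types), so no other change seems needed here.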
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
new file mode 100644
index 000000000..b27c06c34
--- /dev/null
+++ b/policy/modules/services/monop.te
@@ -0,0 +1,84 @@
+policy_module(monop, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type monopd_t;
+type monopd_exec_t;
+init_daemon_domain(monopd_t, monopd_exec_t)
+
+type monopd_initrc_exec_t;
+init_script_file(monopd_initrc_exec_t)
+
+type monopd_etc_t;
+files_config_file(monopd_etc_t)
+
+type monopd_share_t;
+files_type(monopd_share_t)
+
+type monopd_var_run_t;
+files_pid_file(monopd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit monopd_t self:capability sys_tty_config;
+allow monopd_t self:process signal_perms;
+allow monopd_t self:tcp_socket { accept listen };
+
+allow monopd_t monopd_etc_t:file read_file_perms;
+
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+
+manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t)
+files_pid_filetrans(monopd_t, monopd_var_run_t, file)
+
+kernel_read_kernel_sysctls(monopd_t)
+kernel_list_proc(monopd_t)
+kernel_read_proc_symlinks(monopd_t)
+
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
+corenet_tcp_sendrecv_generic_if(monopd_t)
+corenet_tcp_sendrecv_generic_node(monopd_t)
+corenet_tcp_bind_generic_node(monopd_t)
+
+corenet_sendrecv_monopd_server_packets(monopd_t)
+corenet_tcp_bind_monopd_port(monopd_t)
+corenet_tcp_sendrecv_monopd_port(monopd_t)
+
+dev_read_sysfs(monopd_t)
+
+domain_use_interactive_fds(monopd_t)
+
+files_read_etc_files(monopd_t)
+
+fs_getattr_all_fs(monopd_t)
+fs_search_auto_mountpoints(monopd_t)
+
+logging_send_syslog_msg(monopd_t)
+
+miscfiles_read_localization(monopd_t)
+
+sysnet_dns_name_resolve(monopd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
+
+optional_policy(`
+ nis_use_ypbind(monopd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(monopd_t)
+')
+
+optional_policy(`
+ udev_read_db(monopd_t)
+')
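Review bot: The name-resolution rules in this file are the older split form: `sysnet_dns_name_resolve(monopd_t)` plus the optional `nis_use_ypbind(monopd_t)` block, while the monit and mpd policies moved in the same commit use the single `auth_use_nsswitch(...)` call for the same purpose. Replacing both with `auth_use_nsswitch(monopd_t)` would make the module consistent with its neighbours and cover the other NSS backends (e.g. LDAP/SSSD) that the two explicit calls do not, though I have not verified which backends monopd is deployed with. If the two calls are kept deliberately, a one-line comment saying why (e.g. to keep the daemon off the broader nsswitch client set) would help the next reader.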
diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc
new file mode 100644
index 000000000..313ce521c
--- /dev/null
+++ b/policy/modules/services/mpd.fc
@@ -0,0 +1,11 @@
+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+
+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0)
+
+/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+
+/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
new file mode 100644
index 000000000..02faa37e8
--- /dev/null
+++ b/policy/modules/services/mpd.if
@@ -0,0 +1,347 @@
+## <summary>Music Player Daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_domtrans',`
+ gen_require(`
+ type mpd_t, mpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
+########################################
+## <summary>
+## Execute mpd server in the mpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_initrc_domtrans',`
+ gen_require(`
+ type mpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, mpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mpd user data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_user_data_content',`
+ gen_require(`
+ type mpd_user_data_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mpd_user_data_t:dir manage_dir_perms;
+ allow $1 mpd_user_data_t:file manage_file_perms;
+ allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel mpd user data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_relabel_user_data_content',`
+ gen_require(`
+ type mpd_user_data_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mpd_user_data_t:dir relabel_dir_perms;
+ allow $1 mpd_user_data_t:file relabel_file_perms;
+ allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the mpd user data type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mpd_home_filetrans_user_data',`
+ gen_require(`
+ type mpd_user_data_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3)
+')
+
+#######################################
+## <summary>
+## Read mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+## <summary>
+## Create, read, write, and delete
+## mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Search mpd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_search_lib',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mpd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Create specified objects in mpd
+## lib directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mpd_var_lib_filetrans',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mpd lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_dirs',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mpd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mpd_admin',`
+ gen_require(`
+ type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
+ type mpd_data_t, mpd_log_t, mpd_var_lib_t;
+ type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mpd_t)
+
+ init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mpd_etc_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, mpd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, mpd_tmp_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, mpd_tmpfs_t)
+')
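Review bot: mpd_admin applies admin_pattern to mpd_user_data_t right after `files_search_var_lib($1)`, but mpd_user_data_t is declared as user home content (userdom_user_home_content in mpd.te), so the search permission that actually leads to it is on user home directories, as mpd_manage_user_data_content in this same file does with `userdom_search_user_home_dirs($1)`. Most admin domains will already have that access from elsewhere, so this is probably latent rather than broken, but adding `userdom_search_user_home_dirs($1)` before the admin_pattern line keeps the interface self-contained. Separately, the summary "administrate an mpd environment" reads fine; no other documentation gap stands out.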
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
index 000000000..43de2d97a
--- /dev/null
+++ b/policy/modules/services/mpd.te
@@ -0,0 +1,208 @@
+policy_module(mpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mpd can traverse
+## user home directories.
+## </p>
+## </desc>
+gen_tunable(mpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether mpd can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(mpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether mpd can use
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(mpd_use_nfs, false)
+
+type mpd_t;
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+application_executable_file(mpd_exec_t)
+
+type mpd_data_t;
+files_type(mpd_data_t)
+
+type mpd_etc_t;
+files_config_file(mpd_etc_t)
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
+type mpd_log_t;
+logging_log_file(mpd_log_t)
+
+type mpd_tmp_t;
+files_tmp_file(mpd_tmp_t)
+
+type mpd_tmpfs_t;
+files_tmpfs_file(mpd_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mpd_tmpfs_t)
+')
+
+type mpd_var_lib_t;
+files_type(mpd_var_lib_t)
+
+type mpd_user_data_t;
+userdom_user_home_content(mpd_user_data_t) # customizable
+
+########################################
+#
+# Local policy
+#
+
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { accept connectto listen };
+allow mpd_t self:unix_dgram_socket sendto;
+allow mpd_t self:tcp_socket { accept listen };
+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow mpd_t mpd_data_t:dir manage_dir_perms;
+allow mpd_t mpd_data_t:file manage_file_perms;
+allow mpd_t mpd_data_t:lnk_file read_lnk_file_perms;
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+allow mpd_t mpd_log_t:dir setattr_dir_perms;
+append_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
+create_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
+setattr_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
+logging_log_filetrans(mpd_t, mpd_log_t, { dir file })
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })
+
+allow mpd_t mpd_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file)
+
+allow mpd_t mpd_user_data_t:dir list_dir_perms;
+allow mpd_t mpd_user_data_t:file read_file_perms;
+allow mpd_t mpd_user_data_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+
+kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
+corecmd_exec_bin(mpd_t)
+
+corenet_all_recvfrom_unlabeled(mpd_t)
+corenet_all_recvfrom_netlabel(mpd_t)
+corenet_tcp_sendrecv_generic_if(mpd_t)
+corenet_tcp_sendrecv_generic_node(mpd_t)
+corenet_tcp_bind_generic_node(mpd_t)
+
+corenet_sendrecv_mpd_server_packets(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_sendrecv_mpd_port(mpd_t)
+
+corenet_sendrecv_soundd_server_packets(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+corenet_sendrecv_soundd_client_packets(mpd_t)
+corenet_tcp_connect_soundd_port(mpd_t)
+corenet_tcp_sendrecv_soundd_port(mpd_t)
+
+corenet_sendrecv_http_client_packets(mpd_t)
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_sendrecv_http_port(mpd_t)
+
+corenet_sendrecv_http_cache_client_packets(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_sendrecv_http_cache_port(mpd_t)
+
+dev_read_urand(mpd_t)
+dev_read_sound(mpd_t)
+dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
+
+fs_getattr_all_fs(mpd_t)
+fs_list_inotifyfs(mpd_t)
+fs_rw_anon_inodefs_files(mpd_t)
+fs_search_auto_mountpoints(mpd_t)
+
+auth_use_nsswitch(mpd_t)
+
+logging_send_syslog_msg(mpd_t)
+
+miscfiles_read_localization(mpd_t)
+
+tunable_policy(`mpd_enable_homedirs',`
+ userdom_search_user_home_dirs(mpd_t)
+')
+
+tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(mpd_t)
+ fs_read_nfs_symlinks(mpd_t)
+')
+
+tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(mpd_t)
+ fs_read_cifs_symlinks(mpd_t)
+')
+
+tunable_policy(`mpd_use_cifs',`
+ fs_manage_cifs_dirs(mpd_t)
+ fs_manage_cifs_files(mpd_t)
+ fs_manage_cifs_symlinks(mpd_t)
+')
+
+tunable_policy(`mpd_use_nfs',`
+ fs_manage_nfs_dirs(mpd_t)
+ fs_manage_nfs_files(mpd_t)
+ fs_manage_nfs_symlinks(mpd_t)
+')
+
+optional_policy(`
+ alsa_read_config(mpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mpd_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(mpd_t)
+ ')
+')
+
+optional_policy(`
+ pulseaudio_domtrans(mpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(mpd_t)
+')
+
+optional_policy(`
+ udev_read_db(mpd_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(mpd_t)
+ xserver_read_xdm_pid(mpd_t)
+')
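Review bot: The self:capability rule near the top of the local policy grants `dac_override` unconditionally, which lets the daemon bypass DAC mode bits on every file the rest of this policy reaches, including user home content once mpd_enable_homedirs is on and all NFS/CIFS content under the mpd_use_nfs/mpd_use_cifs tunables (which grant manage, not just read). Nothing in the hunk records which path needs it; if it is only for reading restrictively-moded music directories, a comment such as `# dac_override: needed to read music dirs not owned by the mpd user -- confirm, otherwise dontaudit` (or a dontaudit) would make the intent reviewable. I have not checked the upstream daemon, so treat the specific need as unverified.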
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
new file mode 100644
index 000000000..66634b0c7
--- /dev/null
+++ b/policy/modules/services/mta.fc
@@ -0,0 +1,40 @@
+HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.msmtprc -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/msmtprc -- gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
new file mode 100644
index 000000000..f98346fe0
--- /dev/null
+++ b/policy/modules/services/mta.if
@@ -0,0 +1,1160 @@
+## <summary>Common e-mail transfer agent policy.</summary>
+
+########################################
+## <summary>
+## MTA stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_stub',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a mail domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`mta_base_mail_template',`
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_mail_t, user_mail_domain;
+ application_domain($1_mail_t, sendmail_exec_t)
+
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ auth_use_nsswitch($1_mail_t)
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for mta.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`mta_role',`
+ gen_require(`
+ attribute mta_user_agent;
+ attribute_role user_mail_roles;
+ type user_mail_t, sendmail_exec_t, mail_home_t;
+ type user_mail_tmp_t, mail_home_rw_t;
+ ')
+
+ roleattribute $1 user_mail_roles;
+
+ # this is something i need to fix
+ # i dont know if and why it is needed
+ # will role attribute work?
+ role $1 types mta_user_agent;
+
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
+ ps_process_pattern($2, { user_mail_t mta_user_agent })
+
+ allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
+
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+
+ allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
+
+ optional_policy(`
+ exim_run($2, $1)
+ ')
+
+ optional_policy(`
+ mailman_run($2, $1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified domain usable for a mail server.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail server domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ init_daemon_domain($1, $2)
+ typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+## Make the specified type a MTA executable file.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+#######################################
+## <summary>
+## Read mta mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mta mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic mail
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_home_filetrans_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mta mail home rw content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home_rw_content',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic mail
+## home rw type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_home_filetrans_mail_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Make the specified type by a system MTA.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
+## Modified mailserver interface for
+## sendmail daemon use.
+## </summary>
+## <desc>
+## <p>
+## A modified MTA mail server interface for
+## the sendmail program. It's design does
+## not fit well with policy, and using the
+## regular interface causes a type_transition
+## conflict if direct running of init scripts
+## is enabled.
+## </p>
+## <p>
+## This interface should most likely only be used
+## by the sendmail policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type to be used for the mail server.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ type sendmail_exec_t;
+ ')
+
+ init_system_domain($1, sendmail_exec_t)
+
+ typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+## Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+## <summary>
+## Type for a list server or delivery agent that inherits fds
+## </summary>
+## </param>
+#
+interface(`mta_use_mailserver_fds',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_sender',`
+ gen_require(`
+ attribute mailserver_sender;
+ ')
+
+ typeattribute $1 mailserver_sender;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for delivering mail to local users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for delivering mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail on behalf of local
+## users to the local mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending local mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ typeattribute $1 mta_user_agent;
+')
+
+########################################
+## <summary>
+## Send mail from the system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mta_send_mail',`
+ gen_require(`
+ type system_mail_t;
+ attribute mta_exec_type;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
+
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ dontaudit mta_user_agent $1:fd use;
+ ')
+')
+
+########################################
+## <summary>
+## Execute send mail in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute send mail in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_domtrans',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, sendmail_exec_t, $2)
+
+ allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send signals to system mail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
+## Send kill signals to system mail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_kill_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_exec',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
+## Make sendmail usable as an entry
+## point for the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be entered.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_entry_point',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ domain_entry_file($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
+## Read mail server configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_read_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_mail_t:dir list_dir_perms;
+ allow $1 etc_mail_t:file read_file_perms;
+ allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Write mail server configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
+## Read mail address alias files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
+ read_files_pattern($1, etc_mail_t, etc_aliases_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read mail address alias files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_map_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ allow $1 etc_aliases_t:file map;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail address alias content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
+ manage_files_pattern($1, etc_mail_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t)
+ ')
+')
+
+########################################
+## <summary>
+## Create specified object in generic
+## etc directories with the mail address
+## alias type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_etc_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_etc_filetrans($1, etc_aliases_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create specified objects in specified
+## directories with a type transition to
+## the mail address alias type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Directory to transition on.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_spec_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+')
+
+########################################
+## <summary>
+## Read and write mail alias files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_rw_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file rw_file_perms;
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
+ rw_files_pattern($1, etc_mail_t, etc_aliases_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read
+## and write TCP sockets of mail
+## delivery domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read
+## mail spool symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+########################################
+## <summary>
+## Get attributes of mail spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_getattr_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_getattr_spool_files',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 mail_spool_t:file getattr_file_perms;
+')
+
+#######################################
+## <summary>
+## Create specified objects in the
+## mail spool directory with a
+## private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_spool_filetrans',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_spool_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
+## Read mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_spool_files',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file rw_file_perms;
+ allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Create, read, and write mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_append_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Delete mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_delete_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+## <summary>
+## Create specified objects in the
+## mail queue spool directory with a
+## private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_queue_filetrans',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Search mail queue directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_search_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mqueue_spool_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## List mail queue directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Read mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and
+## write mail queue content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+ dontaudit $1 mqueue_spool_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail queue content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+#######################################
+## <summary>
+## Read sendmail binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_sendmail_bin',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write unix domain stream
+## sockets of all base mail domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_user_mail_stream_sockets',`
+ gen_require(`
+ attribute user_mail_domain;
+ ')
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
new file mode 100644
index 000000000..b64e23226
--- /dev/null
+++ b/policy/modules/services/mta.te
@@ -0,0 +1,431 @@
+policy_module(mta, 2.10.2)
+
+########################################
+#
+# Declarations
+#
+
+attribute mailcontent_type;
+attribute mta_exec_type;
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+attribute_role user_mail_roles;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mail_home_t alias mail_forward_t;
+userdom_user_home_content(mail_home_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+type mqueue_spool_t;
+files_mountpoint(mqueue_spool_t)
+
+type mail_spool_t;
+files_mountpoint(mail_spool_t)
+
+type sendmail_exec_t;
+mta_agent_executable(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+userdom_user_application_type(user_mail_t)
+role user_mail_roles types user_mail_t;
+
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_tmp_file(user_mail_tmp_t)
+
+########################################
+#
+# Common base mail policy
+#
+
+allow user_mail_domain self:capability { chown setgid setuid };
+allow user_mail_domain self:process { signal_perms setrlimit };
+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
+
+allow user_mail_domain mta_exec_type:file entrypoint;
+
+allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+
+manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
+userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
+
+read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
+
+manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+
+allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
+
+kernel_read_crypto_sysctls(user_mail_domain)
+kernel_read_system_state(user_mail_domain)
+kernel_read_kernel_sysctls(user_mail_domain)
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
+corenet_all_recvfrom_netlabel(user_mail_domain)
+corenet_tcp_sendrecv_generic_if(user_mail_domain)
+corenet_tcp_sendrecv_generic_node(user_mail_domain)
+
+corenet_sendrecv_all_client_packets(user_mail_domain)
+corenet_tcp_connect_all_ports(user_mail_domain)
+corenet_tcp_sendrecv_all_ports(user_mail_domain)
+
+corecmd_exec_bin(user_mail_domain)
+
+dev_read_urand(user_mail_domain)
+
+domain_use_interactive_fds(user_mail_domain)
+
+files_read_etc_runtime_files(user_mail_domain)
+files_read_usr_files(user_mail_domain)
+files_search_spool(user_mail_domain)
+files_dontaudit_search_pids(user_mail_domain)
+
+fs_getattr_all_fs(user_mail_domain)
+
+init_dontaudit_rw_utmp(user_mail_domain)
+
+logging_send_syslog_msg(user_mail_domain)
+
+miscfiles_read_all_certs(user_mail_domain)
+miscfiles_read_localization(user_mail_domain)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(user_mail_domain)
+ fs_manage_cifs_files(user_mail_domain)
+ fs_read_cifs_symlinks(user_mail_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(user_mail_domain)
+ fs_manage_nfs_files(user_mail_domain)
+ fs_read_nfs_symlinks(user_mail_domain)
+')
+
+optional_policy(`
+ courier_manage_spool_dirs(user_mail_domain)
+ courier_manage_spool_files(user_mail_domain)
+ courier_rw_spool_pipes(user_mail_domain)
+')
+
+optional_policy(`
+ exim_domtrans(user_mail_domain)
+ exim_manage_log(user_mail_domain)
+ exim_manage_spool_files(user_mail_domain)
+ exim_read_var_lib_files(user_mail_domain)
+')
+
+optional_policy(`
+ files_getattr_tmp_dirs(user_mail_domain)
+
+ postfix_exec_master(user_mail_domain)
+ postfix_read_config(user_mail_domain)
+ postfix_search_spool(user_mail_domain)
+ postfix_rw_inherited_master_pipes(user_mail_domain)
+
+ ifdef(`distro_redhat',`
+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+optional_policy(`
+ procmail_exec(user_mail_domain)
+')
+
+optional_policy(`
+ qmail_domtrans_inject(user_mail_domain)
+')
+
+optional_policy(`
+ sendmail_manage_log(user_mail_domain)
+ sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
+')
+
+optional_policy(`
+ uucp_manage_spool(user_mail_domain)
+')
+
+########################################
+#
+# System local policy
+#
+
+allow system_mail_t self:capability { dac_override fowner };
+
+read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
+
+allow system_mail_t user_mail_domain:dir list_dir_perms;
+allow system_mail_t user_mail_domain:file read_file_perms;
+allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
+
+corecmd_exec_shell(system_mail_t)
+
+dev_read_rand(system_mail_t)
+dev_read_sysfs(system_mail_t)
+
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
+
+userdom_use_user_terminals(system_mail_t)
+
+optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+ ifdef(`hide_broken_symptoms',`
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ bugzilla_search_content(system_mail_t)
+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ courier_stream_connect_authdaemon(system_mail_t)
+')
+
+optional_policy(`
+ cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
+ fail2ban_append_log(system_mail_t)
+ fail2ban_rw_inherited_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ milter_getattr_all_sockets(system_mail_t)
+')
+
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+')
+
+optional_policy(`
+ sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ spamassassin_stream_connect_spamd(system_mail_t)
+')
+
+optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
+########################################
+#
+# MTA user agent local policy
+#
+
+userdom_use_user_terminals(mta_user_agent)
+
+optional_policy(`
+ apache_append_log(mta_user_agent)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+ ifdef(`hide_broken_symptoms',`
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+')
+
+optional_policy(`
+ mon_dontaudit_use_fds(mta_user_agent)
+')
+
+########################################
+#
+# Mailserver delivery local policy
+#
+
+allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+
+allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
+manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
+manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
+
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_read_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_read_nfs_symlinks(mailserver_delivery)
+')
+
+optional_policy(`
+ arpwatch_search_data(mailserver_delivery)
+')
+
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
+')
+
+optional_policy(`
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
+')
+
+optional_policy(`
+ mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(mailserver_delivery)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(mailserver_delivery)
+')
+
+########################################
+#
+# User local policy
+#
+
+manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+
+optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+')
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ at_rw_inherited_job_log_files(system_mail_t)
+ ')
+')
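Review bot: The optional_policy block holding the manage_*_pattern(system_mail_t, etc_aliases_t, ...) rules and the files_etc_filetrans call references no interface from an optional module, so it can never be disabled and the wrapper hides that system_mail_t's right to create files, symlinks, sockets and fifos in /etc with the alias type is unconditional; the outer optional_policy around userdom_dontaudit_use_user_ptys has the same shape, with only the nested cron block actually being optional. Either unwrap both or state the intent with a comment such as `# unconditional: nothing here depends on an optional module` so the next reader does not assume a module gate exists. Separately, corenet_tcp_connect_all_ports(user_mail_domain) applies to user_mail_t as well as system_mail_t and is broader than the SMTP submission path a mail agent usually needs, so a one-line why-comment there would let reviewers tell deliberate from accidental scope.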
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
new file mode 100644
index 000000000..8beeff98f
--- /dev/null
+++ b/policy/modules/services/munin.fc
@@ -0,0 +1,77 @@
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
+
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
+
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
+/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
+
+/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
+
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+
+/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
+
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
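Review bot: The catch-all `/usr/share/munin/plugins/.*` entry labels every plugin that is not matched by one of the more specific lines below as unconfined_munin_plugin_exec_t, so any plugin added later, or one whose name does not fit the listed patterns, runs in the unconfined plugin domain by default instead of a confined one. That is presumably intentional for compatibility, but it is a silent fallback that should be stated; a comment above that line such as `# fallback: unmatched plugins are labelled unconfined -- add a confined entry below when adding a plugin` would make the consequence visible to anyone extending this file.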
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
new file mode 100644
index 000000000..cd6749943
--- /dev/null
+++ b/policy/modules/services/munin.if
@@ -0,0 +1,194 @@
+## <summary>Munin network-wide load graphing.</summary>
+
+#######################################
+## <summary>
+## The template to define a munin plugin domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_munin_plugin_t, munin_plugin_domain;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t, munin_plugin_tmp_content;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+')
+
+########################################
+## <summary>
+## Connect to munin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+')
+
+#######################################
+## <summary>
+## Read munin configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Append munin log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+## <summary>
+## Search munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search
+## munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an munin environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ ')
+
+ allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { munin_plugin_domain munin_t })
+
+ init_startstop_service($1, $2, munin_t, munin_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, { munin_var_lib_t munin_plugin_state_t })
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
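Review bot: `munin_admin` does not cover `services_munin_plugin_tmpfs_t`, which the .te side of this commit declares as a plugin-private tmpfs type, so an administrator role given this interface cannot inspect or clean up that content while it can manage every other munin type listed here; adding `type services_munin_plugin_tmpfs_t;` to the `gen_require` block together with `fs_search_tmpfs($1)` and `admin_pattern($1, services_munin_plugin_tmpfs_t)` would close that gap. Whether that type was left out deliberately (it is also absent from the `munin_plugin_tmp_content` attribute) is not visible from the interface itself, so worth confirming against the .te file. As a wording nit, the summary reads "administrate an munin environment" and should be "administrate a munin environment", matching the other admin interfaces in the tree.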
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
new file mode 100644
index 000000000..137c82e67
--- /dev/null
+++ b/policy/modules/services/munin.te
@@ -0,0 +1,426 @@
+policy_module(munin, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute munin_plugin_domain;
+attribute munin_plugin_tmp_content;
+
+type munin_t alias lrrd_t;
+type munin_exec_t alias lrrd_exec_t;
+init_daemon_domain(munin_t, munin_exec_t)
+
+type munin_etc_t alias lrrd_etc_t;
+files_config_file(munin_etc_t)
+
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
+type munin_log_t alias lrrd_log_t;
+logging_log_file(munin_log_t)
+
+type munin_tmp_t alias lrrd_tmp_t;
+files_tmp_file(munin_tmp_t)
+
+type munin_var_lib_t alias lrrd_var_lib_t;
+files_type(munin_var_lib_t)
+
+type munin_plugin_state_t;
+files_type(munin_plugin_state_t)
+
+type munin_var_run_t alias lrrd_var_run_t;
+files_pid_file(munin_var_run_t)
+
+munin_plugin_template(disk)
+munin_plugin_template(mail)
+munin_plugin_template(selinux)
+munin_plugin_template(services)
+
+type services_munin_plugin_tmpfs_t;
+files_tmpfs_file(services_munin_plugin_tmpfs_t)
+
+munin_plugin_template(system)
+munin_plugin_template(unconfined)
+
+################################
+#
+# Common munin plugin local policy
+#
+
+allow munin_plugin_domain self:process signal;
+allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
+
+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
+
+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+
+allow munin_plugin_domain munin_exec_t:file read_file_perms;
+
+allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+
+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
+
+kernel_read_system_state(munin_plugin_domain)
+
+corenet_all_recvfrom_unlabeled(munin_plugin_domain)
+corenet_all_recvfrom_netlabel(munin_plugin_domain)
+corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
+corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
+
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+files_search_var_lib(munin_plugin_domain)
+
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
+
+optional_policy(`
+ nscd_use(munin_plugin_domain)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
+dontaudit munin_t self:capability sys_tty_config;
+allow munin_t self:process { getsched setsched signal_perms };
+allow munin_t self:unix_stream_socket { accept connectto listen };
+allow munin_t self:unix_dgram_socket sendto;
+allow munin_t self:tcp_socket { accept listen };
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+allow munin_t munin_plugin_domain:process signal_perms;
+
+allow munin_t munin_etc_t:dir list_dir_perms;
+allow munin_t munin_etc_t:file read_file_perms;
+allow munin_t munin_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+append_files_pattern(munin_t, munin_log_t, munin_log_t)
+create_files_pattern(munin_t, munin_log_t, munin_log_t)
+setattr_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
+
+manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+
+read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+
+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+files_pid_filetrans(munin_t, munin_var_run_t, { dir file })
+
+can_exec(munin_t, munin_exec_t)
+
+kernel_read_system_state(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
+
+corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
+
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
+corenet_tcp_sendrecv_generic_if(munin_t)
+corenet_tcp_sendrecv_generic_node(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+
+corenet_sendrecv_munin_server_packets(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_sendrecv_munin_client_packets(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_sendrecv_munin_port(munin_t)
+
+corenet_sendrecv_http_client_packets(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+corenet_tcp_sendrecv_http_port(munin_t)
+
+dev_read_sysfs(munin_t)
+dev_read_urand(munin_t)
+
+domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
+
+files_read_etc_runtime_files(munin_t)
+files_read_usr_files(munin_t)
+files_list_spool(munin_t)
+
+fs_getattr_all_fs(munin_t)
+fs_search_auto_mountpoints(munin_t)
+
+auth_use_nsswitch(munin_t)
+
+logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+
+miscfiles_read_fonts(munin_t)
+miscfiles_read_localization(munin_t)
+miscfiles_setattr_fonts_cache_dirs(munin_t)
+
+sysnet_exec_ifconfig(munin_t)
+
+userdom_dontaudit_use_unpriv_user_fds(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
+
+optional_policy(`
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ apache_search_sys_content(munin_t)
+')
+
+optional_policy(`
+ cron_system_entry(munin_t, munin_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(munin_t)
+')
+
+optional_policy(`
+ mta_list_queue(munin_t)
+ mta_read_config(munin_t)
+ mta_read_queue(munin_t)
+ mta_send_mail(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+ netutils_kill_ping(munin_t)
+ netutils_signal_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+ postfix_getattr_all_spool_files(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(munin_t)
+')
+
+optional_policy(`
+ udev_read_db(munin_t)
+')
+
+###################################
+#
+# Disk local policy
+#
+
+allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
+allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
+
+dev_getattr_all_blk_files(disk_munin_plugin_t)
+dev_getattr_lvm_control(disk_munin_plugin_t)
+dev_read_sysfs(disk_munin_plugin_t)
+dev_read_urand(disk_munin_plugin_t)
+
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
+fs_getattr_all_fs(disk_munin_plugin_t)
+fs_getattr_all_dirs(disk_munin_plugin_t)
+
+storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+
+sysnet_read_config(disk_munin_plugin_t)
+
+optional_policy(`
+ hddtemp_exec(disk_munin_plugin_t)
+')
+
+optional_policy(`
+ fstools_exec(disk_munin_plugin_t)
+')
+
+####################################
+#
+# Mail local policy
+#
+
+allow mail_munin_plugin_t self:capability dac_override;
+
+rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(mail_munin_plugin_t)
+
+logging_read_generic_logs(mail_munin_plugin_t)
+
+optional_policy(`
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_config(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
+ mta_send_mail(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ nscd_use(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ postfix_getattr_all_spool_files(mail_munin_plugin_t)
+ postfix_read_config(mail_munin_plugin_t)
+ postfix_list_spool(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+')
+
+##################################
+#
+# Selinux local policy
+#
+
+selinux_get_enforce_mode(selinux_munin_plugin_t)
+
+###################################
+#
+# Service local policy
+#
+
+allow services_munin_plugin_t self:shm create_sem_perms;
+allow services_munin_plugin_t self:sem create_sem_perms;
+allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow services_munin_plugin_t self:udp_socket create_socket_perms;
+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
+manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
+fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })
+
+corenet_sendrecv_all_client_packets(services_munin_plugin_t)
+corenet_tcp_connect_all_ports(services_munin_plugin_t)
+corenet_tcp_connect_http_port(services_munin_plugin_t)
+corenet_tcp_sendrecv_all_ports(services_munin_plugin_t)
+
+dev_read_urand(services_munin_plugin_t)
+dev_read_rand(services_munin_plugin_t)
+
+sysnet_read_config(services_munin_plugin_t)
+
+optional_policy(`
+ bind_read_config(munin_services_plugin_t)
+')
+
+optional_policy(`
+ cups_read_config(services_munin_plugin_t)
+ cups_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(services_munin_plugin_t)
+')
+
+optional_policy(`
+ mysql_read_config(services_munin_plugin_t)
+ mysql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(services_munin_plugin_t)
+')
+
+optional_policy(`
+ nscd_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ varnishd_read_lib_files(services_munin_plugin_t)
+')
+
+##################################
+#
+# System local policy
+#
+
+allow system_munin_plugin_t self:capability net_admin;
+allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+
+kernel_read_network_state(system_munin_plugin_t)
+kernel_read_all_sysctls(system_munin_plugin_t)
+
+dev_read_sysfs(system_munin_plugin_t)
+dev_read_urand(system_munin_plugin_t)
+
+domain_read_all_domains_state(system_munin_plugin_t)
+
+files_read_usr_files(system_munin_plugin_t)
+
+init_read_utmp(system_munin_plugin_t)
+
+logging_search_logs(system_munin_plugin_t)
+
+sysnet_exec_ifconfig(system_munin_plugin_t)
+
+term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t)
+
+optional_policy(`
+ bind_read_config(system_munin_plugin_t)
+')
+
+#######################################
+#
+# Unconfined plugin local policy
+#
+
+optional_policy(`
+ unconfined_domain(unconfined_munin_plugin_t)
+')
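Review bot: The services plugin domain is given unconditional outbound access to every TCP port (`corenet_tcp_connect_all_ports`, `corenet_sendrecv_all_client_packets`, `corenet_tcp_sendrecv_all_ports`) even though it also gets `corecmd_exec_bin`/`corecmd_exec_shell` and read access to bind, mysql, cups and postgresql state, so a compromised plugin script can reach any network service; the neighbouring mysql module gates the same capability behind a `mysql_connect_any` tunable defaulting to false, and this domain should do the same, keeping only the explicit http rules on by default. The `corenet_tcp_connect_http_port` line in that group is currently redundant with the all-ports rule, and would become meaningful once the broad rules are moved under a tunable. Separately, `bind_read_config(munin_services_plugin_t)` refers to the plugin through its compatibility alias while every other rule in this section uses `services_munin_plugin_t`; it compiles because the template declares the alias, but it should read `bind_read_config(services_munin_plugin_t)` for consistency.
```m4
## <desc>
## <p>
## Determine whether the munin services plugin
## can connect to all TCP ports.
## </p>
## </desc>
gen_tunable(munin_services_connect_any, false)

# … unchanged: remaining declarations and common plugin policy …

corenet_sendrecv_http_client_packets(services_munin_plugin_t)
corenet_tcp_connect_http_port(services_munin_plugin_t)
corenet_tcp_sendrecv_http_port(services_munin_plugin_t)

tunable_policy(`munin_services_connect_any',`
	corenet_sendrecv_all_client_packets(services_munin_plugin_t)
	corenet_tcp_connect_all_ports(services_munin_plugin_t)
	corenet_tcp_sendrecv_all_ports(services_munin_plugin_t)
')
```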
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
new file mode 100644
index 000000000..8213e53ca
--- /dev/null
+++ b/policy/modules/services/mysql.fc
@@ -0,0 +1,37 @@
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+
+/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+/usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
+
+/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+
+/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
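Review bot: The log entries are inconsistent: `/var/log/mariadb(/.*)?` labels the directory and everything beneath it, but `/var/log/mysql.* --` matches regular files only, so a `/var/log/mysql/` directory itself keeps the generic log type while the files inside it become `mysqld_log_t`. If the daemon is expected to create or rotate files in that directory, a matching `/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)` entry would keep the two distributions labelled the same way; the mysqld log rules in the .te file are outside this chunk, so whether a filetrans already covers the directory case cannot be confirmed from here. The doubled blank line before the `distro_gentoo` block is a minor formatting nit.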
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
new file mode 100644
index 000000000..af59114ab
--- /dev/null
+++ b/policy/modules/services/mysql.if
@@ -0,0 +1,501 @@
+## <summary>Open source database.</summary>
+
+######################################
+## <summary>
+## Execute MySQL in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans',`
+ gen_require(`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Execute mysqld in the mysqld domain, and
+## allow the specified role the mysqld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_run_mysqld',`
+ gen_require(`
+ attribute_role mysqld_roles;
+ ')
+
+ mysql_domtrans($1)
+ roleattribute $2 mysqld_roles;
+')
+
+########################################
+## <summary>
+## Send generic signals to mysqld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_signal',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signal;
+')
+
+########################################
+## <summary>
+## Connect to mysqld with a tcp socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, mysqld_t)
+ corenet_tcp_sendrecv_mysqld_port($1)
+ corenet_tcp_connect_mysqld_port($1)
+ corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
+## Connect to mysqld with a unix
+# domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Read mysqld configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_read_config',`
+ gen_require(`
+ type mysqld_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Search mysqld db directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_search_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write mysqld database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mysqld database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir manage_dir_perms;
+')
+
+#######################################
+## <summary>
+## Append mysqld database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_append_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Read and write mysqld database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mysqld database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mysqld home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_mysqld_home_files',`
+ gen_require(`
+ type mysqld_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mysqld_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel mysqld home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_relabel_mysqld_home_files',`
+ gen_require(`
+ type mysqld_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mysqld_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the mysqld home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mysql_home_filetrans_mysqld_home',`
+ gen_require(`
+ type mysqld_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Write mysqld log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_write_log',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file write_file_perms;
+')
+
+######################################
+## <summary>
+## Execute mysqld safe in the
+## mysqld safe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+#####################################
+## <summary>
+## Read mysqld pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_read_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#####################################
+## <summary>
+## Search mysqld pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`mysql_search_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mysqld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+ type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
+ type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ ')
+
+ allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+
+ init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
+ init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, mysqld_db_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, mysqld_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, mysqld_tmp_t)
+
+ mysql_run_mysqld($1, $2)
+')
+
+#######################################
+## <summary>
+## Set the attributes of the MySQL run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mysql_setattr_run_dirs',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ setattr_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#######################################
+## <summary>
+## Create MySQL run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mysql_create_run_dirs',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#######################################
+## <summary>
+## Automatically use the MySQL run label for created resources in generic
+## run locations. This method is deprecated in favor of the
+## init_daemon_run_dir call.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Type of the resource created for which the automatic file transition
+## should occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the resource being created
+## </summary>
+## </param>
+#
+interface(`mysql_generic_run_filetrans_run',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
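Review bot: The documentation comment for `mysql_stream_connect` is broken: its second summary line starts with a single `#` (`# domain stream socket.`) instead of `##`, so the interface documentation generator will see an unterminated `<summary>` and drop or mangle the entry; it should read `## domain stream socket.`. On the permissions side, `mysql_write_log` grants `write_file_perms` on `mysqld_log_t`, which lets any caller overwrite log content rather than only append to it, whereas the munin module in the same commit exposes the equivalent access as `munin_append_log` using `append_files_pattern`; unless a caller genuinely needs truncation, an append-only interface is the safer default for log integrity, and the name should then say so. Which domains call `mysql_write_log` is not visible in this chunk, so the append change should be checked against them before renaming.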
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
new file mode 100644
index 000000000..df8e78996
--- /dev/null
+++ b/policy/modules/services/mysql.te
@@ -0,0 +1,264 @@
+policy_module(mysql, 1.20.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mysqld can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(mysql_connect_any, false)
+
+attribute_role mysqld_roles;
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t, mysqld_exec_t)
+application_domain(mysqld_t, mysqld_exec_t)
+role mysqld_roles types mysqld_t;
+
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")
+
+type mysqld_db_t;
+files_type(mysqld_db_t)
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_config_file(mysqld_etc_t)
+
+type mysqld_home_t;
+userdom_user_home_content(mysqld_home_t)
+
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+type mysqld_unit_t;
+init_unit_file(mysqld_unit_t)
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
+allow mysqld_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
+
+manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(mysqld_t)
+kernel_read_network_state(mysqld_t)
+kernel_read_system_state(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
+
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
+corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_bind_generic_node(mysqld_t)
+
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_tcp_sendrecv_mysqld_port(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)
+
+domain_use_interactive_fds(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
+
+files_read_etc_runtime_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+
+auth_use_nsswitch(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+userdom_search_user_home_dirs(mysqld_t)
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
+tunable_policy(`mysql_connect_any',`
+ corenet_sendrecv_all_client_packets(mysqld_t)
+ corenet_tcp_connect_all_ports(mysqld_t)
+ corenet_tcp_sendrecv_all_ports(mysqld_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`
+ udev_read_db(mysqld_t)
+')
+
+#######################################
+#
+# Safe local policy
+#
+
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:process { setsched getsched setrlimit };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
+
+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
+allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+
+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
+
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+corecmd_exec_shell(mysqld_safe_t)
+
+dev_read_sysfs(mysqld_safe_t)
+
+domain_read_all_domains_state(mysqld_safe_t)
+
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+files_search_pids(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+
+logging_send_syslog_msg(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t)
+
+userdom_search_user_home_dirs(mysqld_safe_t)
+
+optional_policy(`
+ hostname_exec(mysqld_safe_t)
+')
+
+########################################
+#
+# Manager local policy
+#
+
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow mysqlmanagerd_t mysqld_t:process signal;
+
+allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
+allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+
+stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+
+kernel_read_system_state(mysqlmanagerd_t)
+
+corecmd_exec_shell(mysqlmanagerd_t)
+
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
+
+dev_read_urand(mysqlmanagerd_t)
+
+files_read_etc_files(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+files_search_pids(mysqlmanagerd_t)
+files_search_var_lib(mysqlmanagerd_t)
+
+miscfiles_read_localization(mysqlmanagerd_t)
+
+userdom_search_user_home_dirs(mysqlmanagerd_t)
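Review bot: `corecmd_exec_shell(mysqld_t)` together with `corecmd_exec_bin(mysqld_t)` lets the network-facing server domain execute a shell and any system binary, which is more reach than the database engine itself usually needs and is the first thing a compromised mysqld would benefit from. The `mysqld_safe_t` wrapper in the same file carries its own `corecmd_exec_bin`/`corecmd_exec_shell` rules, so if only the wrapper needs a shell the two lines could be dropped from `mysqld_t`; if mysqld really does need them, a one-line comment naming the use case would save the next reviewer the same question. The `mysql_connect_any` tunable description only says mysqld can connect to all TCP ports; stating the feature it exists for (presumably replication or remote-table engines) and that it is off by default would help administrators decide whether to enable it.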
diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
new file mode 100644
index 000000000..ee84bd7b7
--- /dev/null
+++ b/policy/modules/services/nagios.fc
@@ -0,0 +1,88 @@
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+
+/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
+/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
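Review bot: `/usr/lib/nagios/plugins/eventhandlers(/.*)` is the only directory entry in this file without the trailing `?`, so the `eventhandlers` directory itself is not matched by this line and only its contents receive `nagios_eventhandler_plugin_exec_t`; nagios.te grants `nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms`, which suggests the directory is expected to carry that label. Suggest `/usr/lib/nagios/plugins/eventhandlers(/.*)? gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)`. Separately, `check_ifoperstatus` and `check_ifstatus` are listed under `nagios_system_plugin_exec_t` although they appear to be SNMP network checks; the system plugin domain in nagios.te has no corenet rules, so if that reading is right they belong in the services plugin group.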
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
new file mode 100644
index 000000000..5df0af435
--- /dev/null
+++ b/policy/modules/services/nagios.if
@@ -0,0 +1,226 @@
+## <summary>Network monitoring server.</summary>
+
+#######################################
+## <summary>
+## The template to define a nagios plugin domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`nagios_plugin_template',`
+ gen_require(`
+ attribute nagios_plugin_domain;
+ type nagios_t, nrpe_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type nagios_$1_plugin_t, nagios_plugin_domain;
+ type nagios_$1_plugin_exec_t;
+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ role system_r types nagios_$1_plugin_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or
+## write nagios unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+ gen_require(`
+ type nagios_t;
+ ')
+
+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read nagios configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_read_config',`
+ gen_require(`
+ type nagios_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 nagios_etc_t:dir list_dir_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
+ allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+')
+
+######################################
+## <summary>
+## Read nagios log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, nagios_log_t, nagios_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or
+## write nagios log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_rw_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ dontaudit $1 nagios_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search nagios spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_search_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 nagios_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 nagios_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute nrpe with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_nrpe',`
+ gen_require(`
+ type nrpe_t, nrpe_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nagios environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_admin',`
+ gen_require(`
+ attribute nagios_plugin_domain;
+ type nagios_t, nrpe_t, nagios_initrc_exec_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
+ type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
+ type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
+ type nagios_eventhandler_plugin_tmp_t;
+ ')
+
+ allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
+ ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+
+ init_startstop_service($1, $2, nagios_t, nagios_initrc_exec_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { nrpe_etc_t nagios_etc_t })
+
+ files_search_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, nagios_var_lib_t)
+')
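Review bot: `nagios_read_tmp_files` grants `nagios_tmp_t:file read_file_perms` but no search permission on `nagios_tmp_t` directories, while nagios.te has `nagios_t` create such directories via `files_tmp_filetrans(nagios_t, nagios_tmp_t, { dir file })`; files placed inside those directories stay unreachable for the caller. `read_files_pattern($1, nagios_tmp_t, nagios_tmp_t)` covers both the directory search and the file read, and matches the form `nagios_read_log` already uses in this file.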
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
new file mode 100644
index 000000000..031c43e46
--- /dev/null
+++ b/policy/modules/services/nagios.te
@@ -0,0 +1,455 @@
+policy_module(nagios, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute nagios_plugin_domain;
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t, nagios_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
+type nagios_var_lib_t;
+files_type(nagios_var_lib_t)
+
+nagios_plugin_template(admin)
+nagios_plugin_template(checkdisk)
+nagios_plugin_template(mail)
+nagios_plugin_template(services)
+nagios_plugin_template(system)
+nagios_plugin_template(unconfined)
+nagios_plugin_template(eventhandler)
+
+type nagios_eventhandler_plugin_tmp_t;
+files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+
+type nagios_system_plugin_tmp_t;
+files_tmp_file(nagios_system_plugin_tmp_t)
+
+type nrpe_t;
+type nrpe_exec_t;
+init_daemon_domain(nrpe_t, nrpe_exec_t)
+
+type nrpe_etc_t;
+files_config_file(nrpe_etc_t)
+
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
+######################################
+#
+# Common plugin domain local policy
+#
+
+allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
+
+dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
+dontaudit nagios_plugin_domain nagios_log_t:file { read write };
+
+kernel_read_system_state(nagios_plugin_domain)
+
+dev_read_urand(nagios_plugin_domain)
+dev_read_rand(nagios_plugin_domain)
+
+files_read_usr_files(nagios_plugin_domain)
+
+miscfiles_read_localization(nagios_plugin_domain)
+
+userdom_use_user_terminals(nagios_plugin_domain)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_fifo_file_perms;
+allow nagios_t self:tcp_socket { accept listen };
+
+allow nagios_t nagios_plugin_domain:process signal_perms;
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+allow nagios_t nagios_etc_t:dir list_dir_perms;
+allow nagios_t nagios_etc_t:file read_file_perms;
+allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
+
+allow nagios_t nagios_log_t:dir setattr_dir_perms;
+append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, file)
+
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { dir file })
+
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+
+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+
+manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+kernel_read_software_raid_state(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_generic_node(nagios_t)
+
+corenet_sendrecv_all_client_packets(nagios_t)
+corenet_tcp_connect_all_ports(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
+dev_read_sysfs(nagios_t)
+dev_read_urand(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+files_read_usr_files(nagios_t)
+files_search_spool(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+auth_use_nsswitch(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_user_home_dirs(nagios_t)
+
+optional_policy(`
+ mta_send_mail(nagios_t)
+ mta_signal_system_mail(nagios_t)
+ mta_kill_system_mail(nagios_t)
+')
+
+optional_policy(`
+ netutils_kill_ping(nagios_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+ udev_read_db(nagios_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+optional_policy(`
+ apache_content_template(nagios)
+ typealias httpd_nagios_script_t alias nagios_cgi_t;
+ typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+
+ allow httpd_nagios_script_t self:process signal_perms;
+
+ read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+
+ allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+ allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
+ allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+
+ files_search_spool(httpd_nagios_script_t)
+ rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+ allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+ read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+
+ kernel_read_system_state(httpd_nagios_script_t)
+
+ domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+
+ files_read_etc_runtime_files(httpd_nagios_script_t)
+ files_read_kernel_symbol_table(httpd_nagios_script_t)
+
+ logging_send_syslog_msg(httpd_nagios_script_t)
+')
+
+########################################
+#
+# Nrpe local policy
+#
+
+allow nrpe_t self:capability { dac_override setgid setuid };
+dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
+allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+allow nrpe_t self:fifo_file rw_fifo_file_perms;
+allow nrpe_t self:tcp_socket { accept listen };
+
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
+
+read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
+
+manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+
+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+
+kernel_read_kernel_sysctls(nrpe_t)
+kernel_read_software_raid_state(nrpe_t)
+kernel_read_system_state(nrpe_t)
+
+corecmd_exec_bin(nrpe_t)
+corecmd_exec_shell(nrpe_t)
+
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+corenet_tcp_sendrecv_generic_if(nrpe_t)
+corenet_tcp_sendrecv_generic_node(nrpe_t)
+corenet_tcp_bind_generic_node(nrpe_t)
+
+corenet_sendrecv_inetd_child_server_packets(nrpe_t)
+corenet_tcp_bind_inetd_child_port(nrpe_t)
+corenet_tcp_sendrecv_inetd_child_port(nrpe_t)
+
+dev_read_sysfs(nrpe_t)
+dev_read_urand(nrpe_t)
+
+domain_use_interactive_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
+
+files_read_etc_runtime_files(nrpe_t)
+files_read_usr_files(nrpe_t)
+
+fs_getattr_all_fs(nrpe_t)
+fs_search_auto_mountpoints(nrpe_t)
+
+auth_use_nsswitch(nrpe_t)
+
+logging_send_syslog_msg(nrpe_t)
+
+miscfiles_read_localization(nrpe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(nrpe_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nrpe_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(nrpe_t)
+')
+
+#####################################
+#
+# Admin local policy
+#
+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+
+dev_getattr_all_chr_files(nagios_admin_plugin_t)
+dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+files_getattr_all_dirs(nagios_admin_plugin_t)
+files_getattr_all_files(nagios_admin_plugin_t)
+files_getattr_all_symlinks(nagios_admin_plugin_t)
+files_getattr_all_pipes(nagios_admin_plugin_t)
+files_getattr_all_sockets(nagios_admin_plugin_t)
+files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+
+######################################
+#
+# Mail local policy
+#
+
+allow nagios_mail_plugin_t self:capability { dac_override setgid setuid };
+allow nagios_mail_plugin_t self:tcp_socket { accept listen };
+
+kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+
+corecmd_read_bin_files(nagios_mail_plugin_t)
+
+files_read_etc_files(nagios_mail_plugin_t)
+
+logging_send_syslog_msg(nagios_mail_plugin_t)
+
+sysnet_dns_name_resolve(nagios_mail_plugin_t)
+
+optional_policy(`
+ mta_send_mail(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ postfix_stream_connect_master(nagios_mail_plugin_t)
+ postfix_exec_postqueue(nagios_mail_plugin_t)
+')
+
+######################################
+#
+# Disk local policy
+#
+
+allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
+kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
+
+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
+files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+#######################################
+#
+# Services local policy
+#
+
+allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:process { signal sigkill };
+allow nagios_services_plugin_t self:tcp_socket { accept listen };
+
+corecmd_exec_bin(nagios_services_plugin_t)
+
+corenet_all_recvfrom_unlabeled(nagios_services_plugin_t)
+corenet_all_recvfrom_netlabel(nagios_services_plugin_t)
+corenet_tcp_sendrecv_generic_if(nagios_services_plugin_t)
+corenet_udp_sendrecv_generic_if(nagios_services_plugin_t)
+corenet_tcp_sendrecv_generic_node(nagios_services_plugin_t)
+corenet_udp_sendrecv_generic_node(nagios_services_plugin_t)
+corenet_udp_bind_generic_node(nagios_services_plugin_t)
+
+corenet_sendrecv_all_client_packets(nagios_services_plugin_t)
+corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+corenet_tcp_sendrecv_all_ports(nagios_services_plugin_t)
+
+corenet_sendrecv_dhcpc_server_packets(nagios_services_plugin_t)
+corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
+corenet_udp_sendrecv_dhcpc_port(nagios_services_plugin_t)
+
+auth_use_nsswitch(nagios_services_plugin_t)
+
+domain_read_all_domains_state(nagios_services_plugin_t)
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
+ netutils_signal_ping(nagios_services_plugin_t)
+ netutils_kill_ping(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
+')
+
+######################################
+#
+# System local policy
+#
+
+allow nagios_system_plugin_t self:capability dac_override;
+dontaudit nagios_system_plugin_t self:capability { setgid setuid };
+
+read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
+
+manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
+kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+corecmd_exec_bin(nagios_system_plugin_t)
+corecmd_exec_shell(nagios_system_plugin_t)
+
+dev_read_sysfs(nagios_system_plugin_t)
+
+domain_read_all_domains_state(nagios_system_plugin_t)
+
+files_read_etc_files(nagios_system_plugin_t)
+
+fs_getattr_all_fs(nagios_system_plugin_t)
+
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
+
+#######################################
+#
+# Event local policy
+#
+
+manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
+manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
+files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
+
+corecmd_exec_bin(nagios_eventhandler_plugin_t)
+corecmd_exec_shell(nagios_eventhandler_plugin_t)
+
+init_domtrans_script(nagios_eventhandler_plugin_t)
+
+########################################
+#
+# Unconfined plugin policy
+#
+
+optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+')
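Review bot: `domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)` in the nrpe section duplicates the rule that `nagios_plugin_template(checkdisk)` already emits, since the template in nagios.if does `domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)` for every plugin; the line can be dropped. In the CGI block, `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the `read_lnk_files_pattern` below it pair the config directory type with the log file type; given the `nagios_log_t:dir list_dir_perms` immediately above, `nagios_log_t` as the directory argument looks like what was meant, unless log files under the config directory are intentional, in which case a comment would help. The checkdisk plugin domain is granted `sys_admin` and `sys_rawio` plus `storage_raw_read_fixed_disk` with no comment saying which plugin needs them; a short note naming the plugin would let that near-root grant be reassessed when the plugin list changes.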
diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
new file mode 100644
index 000000000..2065c1b88
--- /dev/null
+++ b/policy/modules/services/nessus.fc
@@ -0,0 +1,15 @@
+/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0)
+
+/etc/rc\.d/init\.d/nessusd -- gen_context(system_u:object_r:nessusd_initrc_exec_t,s0)
+
+/usr/bin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0)
+
+/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0)
+
+/run/nessus.* -- gen_context(system_u:object_r:nessusd_var_run_t,s0)
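Review bot: Everything under `/usr/lib/nessus/plugins/` is labelled `nessusd_exec_t`, the same entry-point type as the daemon binary, so under refpolicy's init_daemon_domain/domain_entry_file semantics each plugin file becomes a valid entrypoint into nessusd_t rather than just data the scanner reads; nessus.te gives nessusd_t no access to any other plugin type, which is presumably why the exec type was reused. If the plugins are only read by the daemon, a dedicated read-only file type with read_files_pattern access would keep the entrypoint set limited to the actual binaries. At minimum a comment above the entry such as `# plugins share the daemon exec type only so nessusd_t can read them` (if that is the intent) would tell the next maintainer the choice was deliberate.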
diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if
new file mode 100644
index 000000000..57bed0335
--- /dev/null
+++ b/policy/modules/services/nessus.if
@@ -0,0 +1,42 @@
+## <summary>Network scanning daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nessus environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nessus_admin',`
+ gen_require(`
+ type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t;
+ type nessusd_etc_t, nessusd_log_t, nessusd_var_run_t;
+ ')
+
+ allow $1 nessusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nessusd_t)
+
+ init_startstop_service($1, $2, nessusd_t, nessusd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, nessusd_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, nessusd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, nessusd_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, nessusd_db_t)
+')
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
new file mode 100644
index 000000000..a9eaab63c
--- /dev/null
+++ b/policy/modules/services/nessus.te
@@ -0,0 +1,110 @@
+policy_module(nessus, 1.12.0)
+
+########################################
+#
+# Local policy
+#
+
+type nessusd_t;
+type nessusd_exec_t;
+init_daemon_domain(nessusd_t, nessusd_exec_t)
+
+type nessusd_initrc_exec_t;
+init_script_file(nessusd_initrc_exec_t)
+
+type nessusd_db_t;
+files_type(nessusd_db_t)
+
+type nessusd_etc_t;
+files_config_file(nessusd_etc_t)
+
+type nessusd_log_t;
+logging_log_file(nessusd_log_t)
+
+type nessusd_var_run_t;
+files_pid_file(nessusd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow nessusd_t self:capability net_raw;
+dontaudit nessusd_t self:capability sys_tty_config;
+allow nessusd_t self:process { setsched signal_perms };
+allow nessusd_t self:fifo_file rw_fifo_file_perms;
+allow nessusd_t self:tcp_socket create_stream_socket_perms;
+allow nessusd_t self:udp_socket create_socket_perms;
+allow nessusd_t self:rawip_socket create_socket_perms;
+allow nessusd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+
+allow nessusd_t nessusd_etc_t:file read_file_perms;
+
+allow nessusd_t nessusd_log_t:dir setattr_dir_perms;
+append_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+create_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+setattr_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+logging_log_filetrans(nessusd_t, nessusd_log_t, file)
+
+manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
+files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
+
+kernel_read_system_state(nessusd_t)
+kernel_read_kernel_sysctls(nessusd_t)
+
+corecmd_exec_bin(nessusd_t)
+
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
+corenet_tcp_sendrecv_generic_if(nessusd_t)
+corenet_udp_sendrecv_generic_if(nessusd_t)
+corenet_raw_sendrecv_generic_if(nessusd_t)
+corenet_tcp_sendrecv_generic_node(nessusd_t)
+corenet_udp_sendrecv_generic_node(nessusd_t)
+corenet_raw_sendrecv_generic_node(nessusd_t)
+corenet_tcp_sendrecv_all_ports(nessusd_t)
+corenet_udp_sendrecv_all_ports(nessusd_t)
+corenet_tcp_bind_generic_node(nessusd_t)
+
+corenet_sendrecv_nessus_server_packets(nessusd_t)
+corenet_tcp_bind_nessus_port(nessusd_t)
+
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_tcp_connect_all_ports(nessusd_t)
+
+dev_read_sysfs(nessusd_t)
+dev_read_urand(nessusd_t)
+
+domain_use_interactive_fds(nessusd_t)
+
+files_list_var_lib(nessusd_t)
+files_read_etc_files(nessusd_t)
+files_read_etc_runtime_files(nessusd_t)
+
+fs_getattr_all_fs(nessusd_t)
+fs_search_auto_mountpoints(nessusd_t)
+
+logging_send_syslog_msg(nessusd_t)
+
+miscfiles_read_localization(nessusd_t)
+
+sysnet_read_config(nessusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
+
+optional_policy(`
+ nis_use_ypbind(nessusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nessusd_t)
+')
+
+optional_policy(`
+ udev_read_db(nessusd_t)
+')
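Review bot: The two section banners in this file are swapped: the one at the top reads `# Local policy` but the lines beneath it are the `type` declarations, while the banner before the allow rules reads `# Declarations`. Every other module in this move (networkmanager.te in the same commit, for example) puts `# Declarations` above the type lines and `# Local policy` above the rules, so this file should be flipped to match. It is worth fixing while the file is being relocated, since reviewers navigate these modules by the banners.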
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
new file mode 100644
index 000000000..16b3c06f9
--- /dev/null
+++ b/policy/modules/services/networkmanager.fc
@@ -0,0 +1,50 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
+/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+
+/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+
+/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
+/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
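Review bot: `nm-dispatcher` gets two different labels depending on its path: `/usr/lib/NetworkManager/nm-dispatcher.*` and `/usr/lib/networkmanager/nm-dispatcher.*` are `NetworkManager_initrc_exec_t`, while `/usr/libexec/nm-dispatcher.*` is `NetworkManager_exec_t`. Which domain the dispatcher ends up in therefore depends on where the distribution installs it rather than on a policy decision; presumably one of the two labels is intended and the other is a leftover. Either align the three entries or add a comment above them explaining why the libexec copy is meant to run in NetworkManager_t while the lib copies go through the initrc script domain.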
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
new file mode 100644
index 000000000..371ebfbd2
--- /dev/null
+++ b/policy/modules/services/networkmanager.if
@@ -0,0 +1,424 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+## Read and write networkmanager udp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write networkmanager packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+#######################################
+## <summary>
+## Relabel networkmanager tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read and write networkmanager netlink
+## routing sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute networkmanager with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## Execute networkmanager scripts with
+## an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## networkmanager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Read metworkmanager process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_state',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:dir search_dir_perms;
+ allow $1 NetworkManager_t:file read_file_perms;
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send generic signals to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+## Read networkmanager etc files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_etc_files',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+ read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, and write
+## networkmanager library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Read networkmanager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Append networkmanager log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_append_log_files',`
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
+
+########################################
+## <summary>
+## Read networkmanager pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:dir search_dir_perms;
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to networkmanager over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_stream_connect',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an networkmanager environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_admin',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
+ type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
+ type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ ')
+
+ allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
+
+ init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, NetworkManager_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+
+ files_search_pids($1)
+ admin_pattern($1, NetworkManager_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, NetworkManager_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
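Review bot: `networkmanager_run_wpa_cli` requires `wpa_cli_exec_t` but never references it, and it uses `wpa_cli_t` in `role $2 types wpa_cli_t;` without requiring it; it only builds because the nested `networkmanager_domtrans_wpa_cli` call happens to pull `wpa_cli_t` into scope. The gen_require should read `type wpa_cli_t;` so the interface declares what it actually uses. Separately, the summary of `networkmanager_read_state` says `metworkmanager`, which should be `networkmanager`.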
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
new file mode 100644
index 000000000..e65eb0940
--- /dev/null
+++ b/policy/modules/services/networkmanager.te
@@ -0,0 +1,442 @@
+policy_module(networkmanager, 1.22.1)
+
+########################################
+#
+# Declarations
+#
+
+type NetworkManager_t;
+type NetworkManager_exec_t;
+init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+
+type NetworkManager_etc_t;
+files_config_file(NetworkManager_etc_t)
+
+type NetworkManager_etc_rw_t;
+files_config_file(NetworkManager_etc_rw_t)
+
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
+type NetworkManager_var_run_t;
+files_pid_file(NetworkManager_var_run_t)
+
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+ifdef(`distro_gentoo',`
+ type wpa_cli_var_run_t;
+ files_pid_file(wpa_cli_var_run_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
+allow NetworkManager_t self:capability2 wake_alarm;
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+allow NetworkManager_t self:unix_dgram_socket sendto;
+allow NetworkManager_t self:unix_stream_socket { accept listen };
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_socket create_socket_perms;
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow NetworkManager_t self:tcp_socket { accept listen };
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
+
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
+allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
+allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+
+allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms;
+append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
+can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+
+kernel_read_crypto_sysctls(NetworkManager_t)
+kernel_read_system_state(NetworkManager_t)
+kernel_read_network_state(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
+kernel_read_vm_overcommit_sysctl(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
+
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
+corenet_tcp_sendrecv_generic_if(NetworkManager_t)
+corenet_udp_sendrecv_generic_if(NetworkManager_t)
+corenet_raw_sendrecv_generic_if(NetworkManager_t)
+corenet_tcp_sendrecv_generic_node(NetworkManager_t)
+corenet_udp_sendrecv_generic_node(NetworkManager_t)
+corenet_raw_sendrecv_generic_node(NetworkManager_t)
+corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_bind_generic_node(NetworkManager_t)
+
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_udp_bind_isakmp_port(NetworkManager_t)
+
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_udp_bind_dhcpc_port(NetworkManager_t)
+
+corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
+
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+dev_rw_sysfs(NetworkManager_t)
+dev_read_rand(NetworkManager_t)
+dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
+dev_rw_wireless(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
+fs_getattr_all_fs(NetworkManager_t)
+fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
+
+mls_file_read_all_levels(NetworkManager_t)
+
+selinux_dontaudit_search_fs(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
+init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
+init_domtrans_script(NetworkManager_t)
+
+auth_use_nsswitch(NetworkManager_t)
+
+logging_send_audit_msgs(NetworkManager_t)
+logging_send_syslog_msg(NetworkManager_t)
+
+miscfiles_read_generic_certs(NetworkManager_t)
+miscfiles_read_localization(NetworkManager_t)
+
+seutil_read_config(NetworkManager_t)
+
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_signull_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
+sysnet_manage_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
+
+# certificates in user home directories (cert_home_t in ~/\.pki)
+userdom_read_user_certs(NetworkManager_t)
+
+userdom_write_user_tmp_sockets(NetworkManager_t)
+userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
+ bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_read_helper_state(NetworkManager_t)
+')
+
+optional_policy(`
+ consolekit_read_pid_files(NetworkManager_t)
+')
+
+optional_policy(`
+ consoletype_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ cron_read_system_job_lib_files(NetworkManager_t)
+')
+
+optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
+
+ optional_policy(`
+ avahi_dbus_chat(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ consolekit_use_inhibit_lock(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_all_gkeyringd(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
+')
+
+optional_policy(`
+ howl_signal(NetworkManager_t)
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
+ ipsec_signull_mgmt(NetworkManager_t)
+')
+
+optional_policy(`
+ iptables_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(NetworkManager_t)
+')
+
+optional_policy(`
+ modutils_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ netutils_exec(NetworkManager_t)
+ netutils_exec_ping(NetworkManager_t)
+')
+
+optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ ntp_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ openvpn_read_config(NetworkManager_t)
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
+')
+
+optional_policy(`
+ polipo_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
+ ppp_manage_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(NetworkManager_t)
+')
+
+optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+ udev_read_pid_files(NetworkManager_t)
+')
+
+optional_policy(`
+ # unconfined_dgram_send(NetworkManager_t)
+ unconfined_stream_connect(NetworkManager_t)
+')
+
+optional_policy(`
+ vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
+ vpn_relabelfrom_tun_socket(NetworkManager_t)
+')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ #
+ # NetworkManager_t policy
+ #
+
+ # bug #538110
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
+
+ optional_policy(`
+ resolvconf_client_domain(NetworkManager_t)
+ ')
+
+ #
+ # wpa_cli_t policy
+ #
+ manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+ files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
+
+ corecmd_exec_bin(wpa_cli_t)
+ corecmd_exec_shell(wpa_cli_t)
+
+ domain_use_interactive_fds(wpa_cli_t)
+
+ files_read_etc_files(wpa_cli_t)
+ files_search_pids(wpa_cli_t)
+
+ term_dontaudit_use_console(wpa_cli_t)
+
+ getty_use_fds(wpa_cli_t)
+
+ init_domtrans_script(wpa_cli_t)
+
+ logging_send_syslog_msg(wpa_cli_t)
+
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+
+ userdom_use_user_terminals(wpa_cli_t)
+')
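Review bot: `can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })` lets the daemon execute files of its own tmp type, which the same domain creates and writes via `manage_files_pattern` and `files_tmp_filetrans` a few lines above; for a domain holding net_admin, dac_override, setuid and setgid that is a write-then-execute path that nothing in the hunk explains. If some helper genuinely needs to run scripts staged in /tmp, a comment naming it, e.g. `# NetworkManager_tmp_t must be executable for <helper>, see <bug>`, would let the next reviewer keep or drop the rule with confidence; otherwise the tmp type should come out of the can_exec set. Also `term_dontaudit_use_console(wpa_cli_t)` appears both in the generic wpa_cli block and again inside the distro_gentoo block, so one copy is redundant.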
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
new file mode 100644
index 000000000..46f101bcc
--- /dev/null
+++ b/policy/modules/services/nis.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+
+/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+/usr/bin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/bin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/bin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/usr/bin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
+/usr/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
new file mode 100644
index 000000000..66a3ba284
--- /dev/null
+++ b/policy/modules/services/nis.if
@@ -0,0 +1,374 @@
+## <summary>Policy for NIS (YP) servers and clients.</summary>
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </summary>
+## <desc>
+## <p>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </p>
+## <p>
+## This interface was added because of apache and
+## spamassassin, to fix a nested conditionals problem.
+## When that support is added, this should be removed,
+## and the regular interface should be used.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ allow $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+ allow $1 var_yp_t:file read_file_perms;
+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to use the ypbind service
+## to access Network Information Service (NIS) services.
+## Information that can be retreived from NIS includes
+## usernames, passwords, home directories, and groups.
+## If the network is configured to have a single sign-on
+## using NIS, it is likely that any program that does
+## authentication will need this access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+## <rolecap/>
+#
+interface(`nis_use_ypbind',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ ')
+')
+
+########################################
+## <summary>
+## Use nis to authenticate passwords.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+')
+
+#######################################
+## <summary>
+## Execute ypbind in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_exec_ypbind',`
+ gen_require(`
+ type ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ypbind_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ attribute_role ypbind_roles;
+ ')
+
+ nis_domtrans_ypbind($1)
+ roleattribute $2 ypbind_roles;
+')
+
+########################################
+## <summary>
+## Send generic signals to ypbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ allow $1 ypbind_t:process signal;
+')
+
+########################################
+## <summary>
+## List nis data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_list_var_yp',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_yp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_var_run_t;
+ ')
+
+ allow $1 ypbind_var_run_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Read ypserv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ypxfr in the ypxfr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypxfr',`
+ gen_require(`
+ type ypxfr_t, ypxfr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
+')
+
+########################################
+## <summary>
+## Execute nis init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_initrc_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nis environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_admin',`
+ gen_require(`
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+ ')
+
+ allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+
+ init_startstop_service($1, $2, ypbind_t, ypbind_initrc_exec_t)
+ init_startstop_service($1, $2, ypserv_t, nis_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
+
+ files_list_pids($1)
+ admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
+ files_search_var($1)
+ admin_pattern($1, var_yp_t)
+
+ nis_run_ypbind($1, $2)
+')
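Review bot: `nis_delete_ypbind_pid` grants `delete_file_perms` on `ypbind_var_run_t` but, unlike its sibling `nis_read_ypbind_pid`, never calls `files_search_pids($1)`, so a caller with no other search access to the pid directory cannot reach the file it is allowed to unlink; add `files_search_pids($1)` before the allow rule to match the read interface. Two documentation nits in the same hunk: the `nis_use_ypbind` description spells "retrieved" as "retreived", and `nis_initrc_domtrans` carries a doubled `#` terminator line above its `interface(` line where every other header has one. Separately, `nis_use_ypbind_uncond` hands every NIS-authenticating domain generic-port bind and connect plus `corenet_dontaudit_tcp_connect_all_ports`; a sentence in its `<desc>` stating why that breadth is required would help reviewers weighing the access it grants.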
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
new file mode 100644
index 000000000..cb1fc97a6
--- /dev/null
+++ b/policy/modules/services/nis.te
@@ -0,0 +1,364 @@
+policy_module(nis, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ypbind_roles;
+
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
+type nis_unit_t;
+init_unit_file(nis_unit_t)
+
+type var_yp_t;
+files_type(var_yp_t)
+
+type ypbind_t;
+type ypbind_exec_t;
+init_daemon_domain(ypbind_t, ypbind_exec_t)
+role ypbind_roles types ypbind_t;
+
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
+type ypbind_tmp_t;
+files_tmp_file(ypbind_tmp_t)
+
+type ypbind_unit_t;
+init_unit_file(ypbind_unit_t)
+
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
+type yppasswdd_t;
+type yppasswdd_exec_t;
+init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
+domain_obj_id_change_exemption(yppasswdd_t)
+
+type yppasswdd_var_run_t;
+files_pid_file(yppasswdd_var_run_t)
+
+type ypserv_t;
+type ypserv_exec_t;
+init_daemon_domain(ypserv_t, ypserv_exec_t)
+
+type ypserv_conf_t;
+files_type(ypserv_conf_t)
+
+type ypserv_tmp_t;
+files_tmp_file(ypserv_tmp_t)
+
+type ypserv_var_run_t;
+files_pid_file(ypserv_var_run_t)
+
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
+########################################
+#
+# ypbind local policy
+
+dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
+allow ypbind_t self:process signal_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+
+manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
+files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+
+manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+
+kernel_read_system_state(ypbind_t)
+kernel_read_kernel_sysctls(ypbind_t)
+
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
+corenet_tcp_sendrecv_generic_if(ypbind_t)
+corenet_udp_sendrecv_generic_if(ypbind_t)
+corenet_tcp_sendrecv_generic_node(ypbind_t)
+corenet_udp_sendrecv_generic_node(ypbind_t)
+corenet_tcp_sendrecv_all_ports(ypbind_t)
+corenet_udp_sendrecv_all_ports(ypbind_t)
+corenet_tcp_bind_generic_node(ypbind_t)
+corenet_udp_bind_generic_node(ypbind_t)
+
+corenet_tcp_bind_generic_port(ypbind_t)
+corenet_udp_bind_generic_port(ypbind_t)
+corenet_tcp_bind_reserved_port(ypbind_t)
+corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+
+dev_read_sysfs(ypbind_t)
+
+fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
+
+domain_use_interactive_fds(ypbind_t)
+
+files_read_etc_files(ypbind_t)
+files_list_var(ypbind_t)
+
+logging_send_syslog_msg(ypbind_t)
+
+miscfiles_read_localization(ypbind_t)
+
+sysnet_read_config(ypbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ypbind_t)
+')
+
+optional_policy(`
+ udev_read_db(ypbind_t)
+')
+
+########################################
+#
+# yppasswdd local policy
+#
+
+allow yppasswdd_t self:capability dac_override;
+dontaudit yppasswdd_t self:capability sys_tty_config;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:unix_stream_socket { accept listen };
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+allow yppasswdd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+
+manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+
+can_exec(yppasswdd_t, yppasswdd_exec_t)
+
+kernel_list_proc(yppasswdd_t)
+kernel_read_proc_symlinks(yppasswdd_t)
+kernel_getattr_proc_files(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
+
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
+corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+corenet_udp_sendrecv_generic_if(yppasswdd_t)
+corenet_tcp_sendrecv_generic_node(yppasswdd_t)
+corenet_udp_sendrecv_generic_node(yppasswdd_t)
+corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+corenet_udp_sendrecv_all_ports(yppasswdd_t)
+corenet_tcp_bind_generic_node(yppasswdd_t)
+corenet_udp_bind_generic_node(yppasswdd_t)
+
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
+dev_read_sysfs(yppasswdd_t)
+
+fs_getattr_all_fs(yppasswdd_t)
+fs_search_auto_mountpoints(yppasswdd_t)
+
+selinux_get_fs_mount(yppasswdd_t)
+
+auth_manage_shadow(yppasswdd_t)
+auth_relabel_shadow(yppasswdd_t)
+auth_etc_filetrans_shadow(yppasswdd_t)
+
+logging_send_syslog_msg(yppasswdd_t)
+
+miscfiles_read_localization(yppasswdd_t)
+
+sysnet_read_config(yppasswdd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
+
+optional_policy(`
+ hostname_exec(yppasswdd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+')
+
+optional_policy(`
+ udev_read_db(yppasswdd_t)
+')
+
+########################################
+#
+# ypserv local policy
+#
+
+dontaudit ypserv_t self:capability sys_tty_config;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
+allow ypserv_t self:process signal_perms;
+allow ypserv_t self:unix_stream_socket { accept listen };
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+
+allow ypserv_t ypserv_conf_t:file read_file_perms;
+
+manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+
+manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
+files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+
+kernel_read_kernel_sysctls(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
+
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
+corenet_tcp_sendrecv_generic_if(ypserv_t)
+corenet_udp_sendrecv_generic_if(ypserv_t)
+corenet_tcp_sendrecv_generic_node(ypserv_t)
+corenet_udp_sendrecv_generic_node(ypserv_t)
+corenet_tcp_sendrecv_all_ports(ypserv_t)
+corenet_udp_sendrecv_all_ports(ypserv_t)
+corenet_tcp_bind_generic_node(ypserv_t)
+corenet_udp_bind_generic_node(ypserv_t)
+
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+
+corecmd_exec_bin(ypserv_t)
+
+files_read_etc_files(ypserv_t)
+files_read_var_files(ypserv_t)
+
+dev_read_sysfs(ypserv_t)
+
+domain_use_interactive_fds(ypserv_t)
+
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
+
+logging_send_syslog_msg(ypserv_t)
+
+miscfiles_read_localization(ypserv_t)
+
+nis_domtrans_ypxfr(ypserv_t)
+
+sysnet_read_config(ypserv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ypserv_t)
+')
+
+optional_policy(`
+ udev_read_db(ypserv_t)
+')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket { accept listen };
+allow ypxfr_t self:unix_dgram_socket { accept listen };
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
+allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
+allow ypxfr_t ypserv_conf_t:file read_file_perms;
+
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
+corenet_tcp_sendrecv_generic_if(ypxfr_t)
+corenet_udp_sendrecv_generic_if(ypxfr_t)
+corenet_tcp_sendrecv_generic_node(ypxfr_t)
+corenet_udp_sendrecv_generic_node(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_tcp_bind_generic_node(ypxfr_t)
+corenet_udp_bind_generic_node(ypxfr_t)
+
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
+logging_send_syslog_msg(ypxfr_t)
+
+miscfiles_read_localization(ypxfr_t)
+
+sysnet_read_config(ypxfr_t)
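Review bot: The `# ypbind local policy` section header at the top of the local policy lacks the closing `#` line that the yppasswdd, ypserv and ypxfr headers use; add `#` below it for consistency. yppasswdd_t also deserves a why-comment: it combines `auth_manage_shadow`/`auth_relabel_shadow`/`auth_etc_filetrans_shadow` and `files_relabel_etc_files` with `dac_override`, `corecmd_exec_bin` and `corecmd_exec_shell`, making it the most privileged domain in this module, and nothing says why a shadow-writing daemon must spawn a shell. A one-line comment above `corecmd_exec_shell(yppasswdd_t)` naming the feature that needs it (if it is an external password-update hook, say so) would let a later reviewer judge whether the shell access can be dropped. The `allow ypxfr_t ypserv_t:tcp_socket { read write }` and matching `udp_socket` rules likewise look like inherited-socket access and would benefit from a comment saying so.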
diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc
new file mode 100644
index 000000000..4857b5b73
--- /dev/null
+++ b/policy/modules/services/nscd.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
+
+/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
new file mode 100644
index 000000000..d6b3687a0
--- /dev/null
+++ b/policy/modules/services/nscd.if
@@ -0,0 +1,311 @@
+## <summary>Name service cache daemon.</summary>
+
+########################################
+## <summary>
+## Send generic signals to nscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send kill signals to nscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send null signals to nscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+ gen_require(`
+ type nscd_t, nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+## <summary>
+## Execute nscd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, nscd_exec_t)
+')
+
+########################################
+## <summary>
+## Use nscd services by connecting using
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+
+ dontaudit $1 nscd_t:fd use;
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+
+ ps_process_pattern(nscd_t, $1)
+')
+
+########################################
+## <summary>
+## Use nscd services by mapping the
+## database from an inherited nscd
+## file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ allow $1 nscd_t:fd use;
+
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Use nscd services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## nscd pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nscd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Unconfined access to nscd services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_unconfined',`
+ gen_require(`
+ type nscd_t;
+ class nscd all_nscd_perms;
+ ')
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
+')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ attribute_role nscd_roles;
+ ')
+
+ nscd_domtrans($1)
+ roleattribute $2 nscd_roles;
+')
+
+########################################
+## <summary>
+## Execute the nscd server init
+## script in the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nscd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_startstop_service($1, $2, nscd_t, nscd_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+
+ nscd_run($1, $2)
+')
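Review bot: `nscd_unconfined` requires `class nscd all_nscd_perms` but then spells out the ten permissions by hand, so the gen_require and the allow rule can drift apart; the rule can simply be `allow $1 nscd_t:nscd all_nscd_perms;`, which is the same set the nscd.te declaration requires. In `nscd_socket_use`, the final `ps_process_pattern(nscd_t, $1)` runs in the opposite direction to every other rule in the interface — it lets the daemon read the caller's process state — and has no counterpart in `nscd_shm_use`; a comment such as `# nscd reads the process state of connecting clients` stating why the cache needs that (presumably to identify the peer, which the hunk does not show) would make the asymmetry read as intentional rather than accidental.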
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
new file mode 100644
index 000000000..6a905d983
--- /dev/null
+++ b/policy/modules/services/nscd.te
@@ -0,0 +1,143 @@
+policy_module(nscd, 1.16.0)
+
+gen_require(`
+ class nscd all_nscd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether confined applications
+## can use nscd shared memory.
+## </p>
+## </desc>
+gen_tunable(nscd_use_shm, false)
+
+attribute_role nscd_roles;
+
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+init_daemon_pid_file(nscd_var_run_t, dir, "nscd")
+
+type nscd_t;
+type nscd_exec_t;
+init_daemon_domain(nscd_t, nscd_exec_t)
+role nscd_roles types nscd_t;
+
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
+type nscd_unit_t;
+init_unit_file(nscd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+allow nscd_t self:fifo_file read_fifo_file_perms;
+allow nscd_t self:unix_stream_socket { accept listen };
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(nscd_t, nscd_log_t, file)
+
+manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+
+can_exec(nscd_t, nscd_exec_t)
+
+kernel_list_proc(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
+kernel_read_network_state(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+corecmd_search_bin(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+domain_search_all_domains_state(nscd_t)
+domain_use_interactive_fds(nscd_t)
+
+files_read_generic_tmp_symlinks(nscd_t)
+files_read_etc_runtime_files(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
+
+auth_getattr_shadow(nscd_t)
+auth_use_nsswitch(nscd_t)
+
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
+corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_tcp_sendrecv_generic_node(nscd_t)
+
+corenet_sendrecv_all_client_packets(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+
+corenet_rw_tun_tap_dev(nscd_t)
+
+selinux_get_fs_mount(nscd_t)
+selinux_validate_context(nscd_t)
+selinux_compute_access_vector(nscd_t)
+selinux_compute_create_context(nscd_t)
+selinux_compute_relabel_context(nscd_t)
+selinux_compute_user_contexts(nscd_t)
+
+logging_send_audit_msgs(nscd_t)
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+seutil_read_config(nscd_t)
+seutil_read_default_contexts(nscd_t)
+seutil_sigchld_newrole(nscd_t)
+
+userdom_dontaudit_use_user_terminals(nscd_t)
+userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+optional_policy(`
+ accountsd_dontaudit_rw_fifo_file(nscd_t)
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
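Review bot: `corenet_rw_tun_tap_dev(nscd_t)` sits alone in the network block with no explanation, and a name service cache has no obvious reason to read and write tun/tap devices; if it comes from a real denial, a comment naming the trigger should accompany it, otherwise it should be dropped. The run of `selinux_compute_*` calls together with `netlink_selinux_socket` and `logging_send_audit_msgs` appears to be nscd making its own permission decisions for the `nscd` object class on its clients; a block comment such as `# nscd checks client permissions on the nscd class itself via the AVC` above `selinux_validate_context(nscd_t)` would spare readers from reverse-engineering that, assuming that is indeed the reason.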
diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc
new file mode 100644
index 000000000..d4fc584e4
--- /dev/null
+++ b/policy/modules/services/nsd.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
+
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+
+/usr/bin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+
+/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if
new file mode 100644
index 000000000..e071bcd05
--- /dev/null
+++ b/policy/modules/services/nsd.if
@@ -0,0 +1,39 @@
+## <summary>Authoritative only name server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nsd_admin',`
+ gen_require(`
+ type nsd_t, nsd_conf_t, nsd_var_run_t;
+ type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
+ ')
+
+ allow $1 nsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nsd_t)
+
+ init_startstop_service($1, $2, nsd_t, nsd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { nsd_conf_t nsd_db_t })
+
+ files_search_var_lib($1)
+ admin_pattern($1, nsd_zone_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nsd_var_run_t)
+')
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
new file mode 100644
index 000000000..eb4051147
--- /dev/null
+++ b/policy/modules/services/nsd.te
@@ -0,0 +1,161 @@
+policy_module(nsd, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsd_t;
+type nsd_exec_t;
+init_daemon_domain(nsd_t, nsd_exec_t)
+
+type nsd_initrc_exec_t;
+init_script_file(nsd_initrc_exec_t)
+
+type nsd_conf_t;
+files_type(nsd_conf_t)
+
+type nsd_crond_t;
+domain_type(nsd_crond_t)
+domain_entry_file(nsd_crond_t, nsd_exec_t)
+role system_r types nsd_crond_t;
+
+type nsd_db_t;
+files_type(nsd_db_t)
+
+type nsd_var_run_t;
+files_pid_file(nsd_var_run_t)
+
+type nsd_zone_t;
+files_type(nsd_zone_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nsd_t self:capability { chown dac_override kill setgid setuid };
+dontaudit nsd_t self:capability sys_tty_config;
+allow nsd_t self:process signal_perms;
+allow nsd_t self:fifo_file rw_fifo_file_perms;
+allow nsd_t self:tcp_socket { accept listen };
+
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+allow nsd_t nsd_conf_t:file read_file_perms;
+allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
+
+allow nsd_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+
+manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+
+manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+
+can_exec(nsd_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_t)
+kernel_read_kernel_sysctls(nsd_t)
+
+corecmd_exec_bin(nsd_t)
+
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
+corenet_tcp_sendrecv_generic_if(nsd_t)
+corenet_udp_sendrecv_generic_if(nsd_t)
+corenet_tcp_sendrecv_generic_node(nsd_t)
+corenet_udp_sendrecv_generic_node(nsd_t)
+corenet_tcp_sendrecv_all_ports(nsd_t)
+corenet_udp_sendrecv_all_ports(nsd_t)
+corenet_tcp_bind_generic_node(nsd_t)
+corenet_udp_bind_generic_node(nsd_t)
+
+corenet_sendrecv_dns_server_packets(nsd_t)
+corenet_tcp_bind_dns_port(nsd_t)
+corenet_udp_bind_dns_port(nsd_t)
+
+dev_read_sysfs(nsd_t)
+
+domain_use_interactive_fds(nsd_t)
+
+files_read_etc_runtime_files(nsd_t)
+
+fs_getattr_all_fs(nsd_t)
+fs_search_auto_mountpoints(nsd_t)
+
+auth_use_nsswitch(nsd_t)
+
+logging_send_syslog_msg(nsd_t)
+
+miscfiles_read_localization(nsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(nsd_t)
+')
+
+optional_policy(`
+ udev_read_db(nsd_t)
+')
+
+########################################
+#
+# Cron local policy
+#
+
+allow nsd_crond_t self:capability { dac_override kill };
+dontaudit nsd_crond_t self:capability sys_nice;
+allow nsd_crond_t self:process { setsched signal_perms };
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+
+allow nsd_crond_t nsd_t:process signal;
+ps_process_pattern(nsd_crond_t, nsd_t)
+
+allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
+allow nsd_crond_t nsd_conf_t:file read_file_perms;
+allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
+
+allow nsd_crond_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+
+manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
+filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+
+can_exec(nsd_crond_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_crond_t)
+
+corecmd_exec_bin(nsd_crond_t)
+corecmd_exec_shell(nsd_crond_t)
+
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
+corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_tcp_sendrecv_generic_node(nsd_crond_t)
+
+corenet_sendrecv_all_client_packets(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+
+dev_read_urand(nsd_crond_t)
+
+domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+files_read_etc_runtime_files(nsd_crond_t)
+
+auth_use_nsswitch(nsd_crond_t)
+
+logging_send_syslog_msg(nsd_crond_t)
+
+miscfiles_read_localization(nsd_crond_t)
+
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+
+optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+')
diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc
new file mode 100644
index 000000000..89543b3e0
--- /dev/null
+++ b/policy/modules/services/nslcd.fc
@@ -0,0 +1,9 @@
+/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+
+/usr/bin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+
+/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
new file mode 100644
index 000000000..b3747dab4
--- /dev/null
+++ b/policy/modules/services/nslcd.if
@@ -0,0 +1,112 @@
+## <summary>Local LDAP name service daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+## <summary>
+## Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nslcd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to nslcd over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nslcd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
+ type nslcd_conf_t;
+ ')
+
+ allow $1 nslcd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nslcd_t)
+
+ init_startstop_service($1, $2, nslcd_t, nslcd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, nslcd_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, nslcd_var_run_t)
+')
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
new file mode 100644
index 000000000..9f30667af
--- /dev/null
+++ b/policy/modules/services/nslcd.te
@@ -0,0 +1,63 @@
+policy_module(nslcd, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_config_file(nslcd_conf_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nslcd_t self:capability { dac_override setgid setuid };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket { accept listen };
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+kernel_read_system_state(nslcd_t)
+
+corenet_all_recvfrom_unlabeled(nslcd_t)
+corenet_all_recvfrom_netlabel(nslcd_t)
+corenet_tcp_sendrecv_generic_if(nslcd_t)
+corenet_tcp_sendrecv_generic_node(nslcd_t)
+
+corenet_sendrecv_ldap_client_packets(nslcd_t)
+corenet_tcp_connect_ldap_port(nslcd_t)
+corenet_tcp_sendrecv_ldap_port(nslcd_t)
+
+dev_read_sysfs(nslcd_t)
+
+files_read_usr_symlinks(nslcd_t)
+files_list_tmp(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
+
+userdom_read_user_tmp_files(nslcd_t)
+
+optional_policy(`
+ ldap_stream_connect(nslcd_t)
+')
diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc
new file mode 100644
index 000000000..3ededdd2f
--- /dev/null
+++ b/policy/modules/services/ntop.fc
@@ -0,0 +1,11 @@
+/etc/ntop.* gen_context(system_u:object_r:ntop_etc_t,s0)
+
+/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
+
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+
+/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if
new file mode 100644
index 000000000..60c779397
--- /dev/null
+++ b/policy/modules/services/ntop.if
@@ -0,0 +1,39 @@
+## <summary>A network traffic probe similar to the UNIX top command.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ntop environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntop_admin',`
+ gen_require(`
+ type ntop_t, ntop_etc_t, ntop_var_run_t;
+ type ntop_initrc_exec_t, ntop_var_lib_t;
+ ')
+
+ allow $1 ntop_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ntop_t)
+
+ init_startstop_service($1, $2, ntop_t, ntop_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, ntop_etc_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ntop_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntop_var_run_t)
+')
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
new file mode 100644
index 000000000..178bbb1d7
--- /dev/null
+++ b/policy/modules/services/ntop.te
@@ -0,0 +1,109 @@
+policy_module(ntop, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntop_t;
+type ntop_exec_t;
+init_daemon_domain(ntop_t, ntop_exec_t)
+
+type ntop_initrc_exec_t;
+init_script_file(ntop_initrc_exec_t)
+
+type ntop_etc_t;
+files_config_file(ntop_etc_t)
+
+type ntop_tmp_t;
+files_tmp_file(ntop_tmp_t)
+
+type ntop_var_lib_t;
+files_type(ntop_var_lib_t)
+
+type ntop_var_run_t;
+files_pid_file(ntop_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin };
+dontaudit ntop_t self:capability sys_tty_config;
+allow ntop_t self:process signal_perms;
+allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:tcp_socket { accept listen };
+allow ntop_t self:unix_stream_socket { accept listen };
+allow ntop_t self:packet_socket create_socket_perms;
+allow ntop_t self:socket create_socket_perms;
+
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+allow ntop_t ntop_etc_t:file read_file_perms;
+allow ntop_t ntop_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+
+manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
+files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+
+kernel_request_load_module(ntop_t)
+kernel_read_system_state(ntop_t)
+kernel_read_network_state(ntop_t)
+kernel_read_kernel_sysctls(ntop_t)
+
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
+corenet_tcp_sendrecv_generic_if(ntop_t)
+corenet_raw_sendrecv_generic_if(ntop_t)
+corenet_tcp_sendrecv_generic_node(ntop_t)
+corenet_raw_sendrecv_generic_node(ntop_t)
+corenet_tcp_bind_generic_node(ntop_t)
+
+corenet_sendrecv_ntop_server_packets(ntop_t)
+corenet_tcp_bind_ntop_port(ntop_t)
+corenet_sendrecv_ntop_client_packets(ntop_t)
+corenet_tcp_connect_ntop_port(ntop_t)
+corenet_tcp_sendrecv_ntop_port(ntop_t)
+
+corenet_sendrecv_http_client_packets(ntop_t)
+corenet_tcp_connect_http_port(ntop_t)
+corenet_tcp_sendrecv_http_port(ntop_t)
+
+dev_read_sysfs(ntop_t)
+dev_rw_generic_usb_dev(ntop_t)
+
+domain_use_interactive_fds(ntop_t)
+
+files_read_usr_files(ntop_t)
+
+fs_getattr_all_fs(ntop_t)
+fs_search_auto_mountpoints(ntop_t)
+
+auth_use_nsswitch(ntop_t)
+
+logging_send_syslog_msg(ntop_t)
+
+miscfiles_read_fonts(ntop_t)
+miscfiles_read_localization(ntop_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
+
+optional_policy(`
+ apache_read_sys_content(ntop_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntop_t)
+')
+
+optional_policy(`
+ udev_read_db(ntop_t)
+')
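Review bot: The `sys_admin` capability in `allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin };`, together with `dev_rw_generic_usb_dev(ntop_t)`, is granted without any comment saying what the daemon needs it for, and `sys_admin` is the broadest capability in that set and the one an auditor will question first. A why-comment in the style ntp.te uses (`# sys_time : modify system time`) would record the intent, e.g. `# sys_admin : <reason — confirm against ntop's capture setup>` above the allow line and a similar one above the USB rule. If no concrete reason can be found, the capability is a candidate for a dontaudit rather than an allow.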
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
new file mode 100644
index 000000000..38436f38a
--- /dev/null
+++ b/policy/modules/services/ntp.fc
@@ -0,0 +1,47 @@
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+
+/usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
+
+# hardlinked to ntpd
+/usr/sbin/ntpctl -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+')
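Review bot: `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)` labels with the `ntpd_var_run_t` alias while `/run/ntpd\.pid` in the same file uses the canonical `ntpd_pid_t` (ntp.te declares `typealias ntpd_pid_t alias ntpd_var_run_t`), and the entry sits among the `/var/log` lines rather than next to the other `/run` path. Labeling resolves identically either way, but writing `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0)` and moving it directly under `/run/ntpd\.pid` keeps the file consistent and easier to scan.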
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
new file mode 100644
index 000000000..31f711083
--- /dev/null
+++ b/policy/modules/services/ntp.if
@@ -0,0 +1,255 @@
+## <summary>Network time protocol daemon.</summary>
+
+########################################
+## <summary>
+## NTP stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_stub',`
+ gen_require(`
+ type ntpd_t;
+ ')
+')
+
+########################################
+## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans',`
+ gen_require(`
+ type ntpd_t, ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpd_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+ gen_require(`
+ attribute_role ntpd_roles;
+ ')
+
+ ntp_domtrans($1)
+ roleattribute $2 ntpd_roles;
+')
+
+########################################
+## <summary>
+## Execute ntpdate server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans_ntpdate',`
+ gen_require(`
+ type ntpd_t, ntpdate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntpd init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read ntp conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
+## Read ntp drift files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_drift_files',`
+ gen_require(`
+ type ntp_drift_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ntp_drift_t, ntp_drift_t)
+')
+
+########################################
+## <summary>
+## Read and write ntpd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_rw_shm',`
+ gen_require(`
+ type ntpd_t, ntpd_tmpfs_t;
+ ')
+
+ allow $1 ntpd_t:shm rw_shm_perms;
+ list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ntp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
+ type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
+ ')
+
+ allow $1 ntpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ntpd_t)
+
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { ntpd_key_t ntp_conf_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ntpd_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ntp_drift_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_pid_t)
+
+ ntp_run($1, $2)
+
+ ifdef(`init_systemd',`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+ ')
+')
+
+# This should be in an ifdef distro_gentoo but that is not allowed in if files
+
+########################################
+## <summary>
+## Manage ntp(d) configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ manage_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
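Review bot: `ntp_read_config` and `ntp_read_conf_files` grant the same read access to `ntp_conf_t` under two names, and only the latter adds `files_search_etc($1)`, so a caller of `ntp_read_config` may be unable to reach `/etc/ntp.conf` unless it already searches `/etc` elsewhere. Consider reducing `ntp_read_config` to a wrapper, `ntp_read_conf_files($1)`, and noting in its summary that it is kept for compatibility, so the two cannot drift apart. Both interfaces are fully inside the hunk.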
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
new file mode 100644
index 000000000..da6bd1458
--- /dev/null
+++ b/policy/modules/services/ntp.te
@@ -0,0 +1,193 @@
+policy_module(ntp, 1.17.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ntpd_roles;
+
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
+type ntp_drift_t;
+files_type(ntp_drift_t)
+
+type ntpd_t;
+type ntpd_exec_t;
+init_daemon_domain(ntpd_t, ntpd_exec_t)
+role ntpd_roles types ntpd_t;
+
+type ntpd_initrc_exec_t;
+init_script_file(ntpd_initrc_exec_t)
+
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
+type ntpd_log_t;
+logging_log_file(ntpd_log_t)
+
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
+type ntpd_tmp_t;
+files_tmp_file(ntpd_tmp_t)
+
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
+type ntpdate_exec_t;
+init_system_domain(ntpd_t, ntpdate_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
+allow ntpd_t self:unix_dgram_socket sendto;
+
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
+manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_etc_filetrans(ntpd_t, ntp_drift_t, file)
+files_var_filetrans(ntpd_t, ntp_drift_t, file)
+
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
+
+allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
+append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
+manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
+can_exec(ntpd_t, ntpd_exec_t)
+
+kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
+
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
+corenet_udp_sendrecv_generic_if(ntpd_t)
+corenet_udp_sendrecv_generic_node(ntpd_t)
+corenet_udp_bind_generic_node(ntpd_t)
+
+corenet_sendrecv_ntp_client_packets(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_udp_bind_ntp_port(ntpd_t)
+corenet_udp_sendrecv_ntp_port(ntpd_t)
+
+corecmd_exec_bin(ntpd_t)
+corecmd_exec_shell(ntpd_t)
+
+dev_read_sysfs(ntpd_t)
+dev_read_urand(ntpd_t)
+dev_rw_realtime_clock(ntpd_t)
+
+domain_use_interactive_fds(ntpd_t)
+domain_dontaudit_list_all_domains_state(ntpd_t)
+
+files_read_etc_runtime_files(ntpd_t)
+files_read_usr_files(ntpd_t)
+files_list_var_lib(ntpd_t)
+
+fs_getattr_all_fs(ntpd_t)
+fs_search_auto_mountpoints(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
+auth_use_nsswitch(ntpd_t)
+
+init_exec_script_files(ntpd_t)
+
+logging_send_syslog_msg(ntpd_t)
+
+miscfiles_read_localization(ntpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
+
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pids(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
+optional_policy(`
+ clock_read_adjtime(ntpd_t)
+')
+
+optional_policy(`
+ cron_system_entry(ntpd_t, ntpdate_exec_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ntpd_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
+ firstboot_dontaudit_rw_stream_sockets(ntpd_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
+ logrotate_exec(ntpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ntpd_t)
+')
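Review bot: `sys_nice` appears both in `allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };` and in the following `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };`; a dontaudit on a permission that is already allowed has no effect, so it should be dropped from the dontaudit line (or from the allow, if the intent was only to silence denials). The systemd block's `allow ntpd_t self:capability { fowner setpcap };` also carries no rationale, unlike the `# sys_time : modify system time` note earlier in the file; a one-line comment in that style would help an auditor judge whether those capabilities are still required.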
diff --git a/policy/modules/services/numad.fc b/policy/modules/services/numad.fc
new file mode 100644
index 000000000..277ad1dd0
--- /dev/null
+++ b/policy/modules/services/numad.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
+
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
+
+/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/policy/modules/services/numad.if b/policy/modules/services/numad.if
new file mode 100644
index 000000000..d1c6b8f3b
--- /dev/null
+++ b/policy/modules/services/numad.if
@@ -0,0 +1,36 @@
+## <summary>Non-Uniform Memory Alignment Daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an numad environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`numad_admin',`
+ gen_require(`
+ type numad_t, numad_initrc_exec_t, numad_log_t;
+ type numad_var_run_t;
+ ')
+
+ allow $1 numad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, numad_t)
+
+ init_startstop_service($1, $2, numad_t, numad_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, numad_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, numad_var_run_t)
+')
diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te
new file mode 100644
index 000000000..f3d831ae5
--- /dev/null
+++ b/policy/modules/services/numad.te
@@ -0,0 +1,44 @@
+policy_module(numad, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type numad_t;
+type numad_exec_t;
+init_daemon_domain(numad_t, numad_exec_t)
+application_executable_file(numad_exec_t)
+
+type numad_initrc_exec_t;
+init_script_file(numad_initrc_exec_t)
+
+type numad_log_t;
+logging_log_file(numad_log_t)
+
+type numad_var_run_t;
+files_pid_file(numad_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow numad_t self:fifo_file rw_fifo_file_perms;
+allow numad_t self:msg { send receive };
+allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:unix_stream_socket create_stream_socket_perms;
+
+allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(numad_t, numad_log_t, file)
+
+manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
+files_pid_filetrans(numad_t, numad_var_run_t, file)
+
+kernel_read_system_state(numad_t)
+
+dev_read_sysfs(numad_t)
+
+files_read_etc_files(numad_t)
+
+miscfiles_read_localization(numad_t)
diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc
new file mode 100644
index 000000000..6dbfbde13
--- /dev/null
+++ b/policy/modules/services/nut.fc
@@ -0,0 +1,27 @@
+/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+
+/usr/bin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/bin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/bin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib/nut/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+')
diff --git a/policy/modules/services/nut.if b/policy/modules/services/nut.if
new file mode 100644
index 000000000..462c079ea
--- /dev/null
+++ b/policy/modules/services/nut.if
@@ -0,0 +1,36 @@
+## <summary>Network UPS Tools </summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an nut environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nut_admin',`
+ gen_require(`
+ attribute nut_domain;
+ type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
+ ')
+
+ allow $1 nut_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, nut_domain)
+
+ init_startstop_service($1, $2, nut_domain, nut_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, nut_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, nut_var_run_t)
+')
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
new file mode 100644
index 000000000..05be01952
--- /dev/null
+++ b/policy/modules/services/nut.te
@@ -0,0 +1,162 @@
+policy_module(nut, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute nut_domain;
+
+type nut_conf_t;
+files_config_file(nut_conf_t)
+
+type nut_upsd_t, nut_domain;
+type nut_upsd_exec_t;
+init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+
+type nut_upsmon_t, nut_domain;
+type nut_upsmon_exec_t;
+init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+
+type nut_upsdrvctl_t, nut_domain;
+type nut_upsdrvctl_exec_t;
+init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+type nut_initrc_exec_t;
+init_script_file(nut_initrc_exec_t)
+
+type nut_var_run_t;
+files_pid_file(nut_var_run_t)
+init_daemon_pid_file(nut_var_run_t, dir, "nut")
+
+########################################
+#
+# Common nut domain local policy
+#
+
+allow nut_domain self:capability { dac_override kill setgid setuid };
+allow nut_domain self:process signal_perms;
+allow nut_domain self:fifo_file rw_fifo_file_perms;
+allow nut_domain self:unix_dgram_socket sendto;
+
+allow nut_domain nut_conf_t:dir list_dir_perms;
+allow nut_domain nut_conf_t:file read_file_perms;
+allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(nut_domain)
+
+logging_send_syslog_msg(nut_domain)
+
+miscfiles_read_localization(nut_domain)
+
+########################################
+#
+# Upsd local policy
+#
+
+allow nut_upsd_t self:tcp_socket { accept listen };
+
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+
+stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+
+corenet_all_recvfrom_unlabeled(nut_upsd_t)
+corenet_all_recvfrom_netlabel(nut_upsd_t)
+corenet_tcp_sendrecv_generic_if(nut_upsd_t)
+corenet_tcp_sendrecv_generic_node(nut_upsd_t)
+corenet_tcp_sendrecv_all_ports(nut_upsd_t)
+corenet_tcp_bind_generic_node(nut_upsd_t)
+
+corenet_sendrecv_ups_server_packets(nut_upsd_t)
+corenet_tcp_bind_ups_port(nut_upsd_t)
+
+corenet_sendrecv_generic_server_packets(nut_upsd_t)
+corenet_tcp_bind_generic_port(nut_upsd_t)
+
+files_read_usr_files(nut_upsd_t)
+
+auth_use_nsswitch(nut_upsd_t)
+
+########################################
+#
+# Upsmon local policy
+#
+
+allow nut_upsmon_t self:capability dac_read_search;
+allow nut_upsmon_t self:unix_stream_socket connectto;
+
+kernel_read_system_state(nut_upsmon_t)
+
+corecmd_exec_bin(nut_upsmon_t)
+corecmd_exec_shell(nut_upsmon_t)
+
+corenet_all_recvfrom_unlabeled(nut_upsmon_t)
+corenet_all_recvfrom_netlabel(nut_upsmon_t)
+corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
+corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
+corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
+corenet_tcp_bind_generic_node(nut_upsmon_t)
+
+corenet_sendrecv_ups_client_packets(nut_upsmon_t)
+corenet_tcp_connect_ups_port(nut_upsmon_t)
+
+corenet_sendrecv_generic_client_packets(nut_upsmon_t)
+corenet_tcp_connect_generic_port(nut_upsmon_t)
+
+files_manage_etc_runtime_files(nut_upsmon_t)
+files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+files_search_usr(nut_upsmon_t)
+
+term_write_all_terms(nut_upsmon_t)
+
+auth_use_nsswitch(nut_upsmon_t)
+
+optional_policy(`
+ mta_send_mail(nut_upsmon_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(nut_upsmon_t)
+')
+
+########################################
+#
+# Upsdrvctl local policy
+#
+
+allow nut_upsdrvctl_t self:fd use;
+
+manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+
+corecmd_exec_bin(nut_upsdrvctl_t)
+
+dev_read_sysfs(nut_upsdrvctl_t)
+dev_read_urand(nut_upsdrvctl_t)
+dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+term_use_unallocated_ttys(nut_upsdrvctl_t)
+
+auth_use_nsswitch(nut_upsdrvctl_t)
+
+init_sigchld(nut_upsdrvctl_t)
+
+#######################################
+#
+# Cgi local policy
+#
+
+optional_policy(`
+ apache_content_template(nutups_cgi)
+
+ allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
+ allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
+ allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+')
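Review bot: `allow nut_domain self:capability { dac_override kill setgid setuid };` hands dac_override to all three domains on the attribute (upsd, upsmon and upsdrvctl), while the upsmon block later adds only `dac_read_search`, which suggests the DAC needs differ per daemon. If only one of them actually has to bypass file permission checks, move dac_override into that domain's block and narrow the shared rule to `allow nut_domain self:capability { kill setgid setuid };`. Either way a short comment on the attribute rule naming which daemon drives each capability would help the next reader.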
diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc
new file mode 100644
index 000000000..73b84d806
--- /dev/null
+++ b/policy/modules/services/nx.fc
@@ -0,0 +1,13 @@
+/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
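Review bot: The `.` in `/var/lib/nxserver/home/.ssh(/.*)?` is unescaped, so as a file-context regex it matches any single character rather than a literal dot, unlike the `\.ssh` spellings used for the /opt/NX and /usr/NX entries in the same file. That makes the nx_server_home_ssh_t label apply to a wider set of names than intended. Change it to `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`.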
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
new file mode 100644
index 000000000..251d6816a
--- /dev/null
+++ b/policy/modules/services/nx.if
@@ -0,0 +1,92 @@
+## <summary>NX remote desktop.</summary>
+
+########################################
+## <summary>
+## Transition to nx server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nx_spec_domtrans_server',`
+ gen_require(`
+ type nx_server_t, nx_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
+')
+
+########################################
+## <summary>
+## Read nx home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+## Search nx lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in nx lib
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
+')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
new file mode 100644
index 000000000..091f87272
--- /dev/null
+++ b/policy/modules/services/nx.te
@@ -0,0 +1,80 @@
+policy_module(nx, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type nx_server_t;
+type nx_server_exec_t;
+domain_type(nx_server_t)
+domain_entry_file(nx_server_t, nx_server_exec_t)
+domain_user_exemption_target(nx_server_t)
+
+role nx_server_r;
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+
+type nx_server_devpts_t;
+term_user_pty(nx_server_t, nx_server_devpts_t)
+
+type nx_server_tmp_t;
+files_tmp_file(nx_server_tmp_t)
+
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
+type nx_server_var_run_t;
+files_pid_file(nx_server_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nx_server_t self:fifo_file rw_fifo_file_perms;
+allow nx_server_t self:tcp_socket create_socket_perms;
+allow nx_server_t self:udp_socket create_socket_perms;
+
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(nx_server_t, nx_server_devpts_t)
+
+manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
+files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+
+kernel_read_system_state(nx_server_t)
+kernel_read_kernel_sysctls(nx_server_t)
+
+corecmd_exec_shell(nx_server_t)
+corecmd_exec_bin(nx_server_t)
+
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
+corenet_tcp_sendrecv_generic_if(nx_server_t)
+corenet_tcp_sendrecv_generic_node(nx_server_t)
+corenet_tcp_sendrecv_all_ports(nx_server_t)
+
+corenet_tcp_connect_all_ports(nx_server_t)
+corenet_sendrecv_all_client_packets(nx_server_t)
+
+dev_read_urand(nx_server_t)
+
+files_read_etc_files(nx_server_t)
+files_read_etc_runtime_files(nx_server_t)
+files_read_usr_files(nx_server_t)
+
+miscfiles_read_localization(nx_server_t)
+
+seutil_dontaudit_search_config(nx_server_t)
+
+sysnet_read_config(nx_server_t)
+
+ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
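Review bot: `allow nx_server_t self:udp_socket create_socket_perms;` has no matching corenet UDP interface, node or port rules (only corenet_tcp_* calls follow), so the domain can create a UDP socket but not use it for traffic. If it is meant for name resolution, which the later `sysnet_read_config(nx_server_t)` hints at, the conventional form is `sysnet_dns_name_resolve(nx_server_t)`, which carries the UDP and DNS port rules with it; if not, the udp_socket line appears dead and could be dropped. Separately, `corenet_tcp_connect_all_ports(nx_server_t)` lets the server connect to every labelled port; if the only outbound traffic is the ssh client set up by ssh_basic_client_template, `corenet_tcp_connect_ssh_port(nx_server_t)` would confine that more tightly, though I cannot tell from here what else nxserver dials out to.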
diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc
new file mode 100644
index 000000000..dabf41ee4
--- /dev/null
+++ b/policy/modules/services/oav.fc
@@ -0,0 +1,12 @@
+/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
+/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+
+/usr/bin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/bin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
+/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
+/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
new file mode 100644
index 000000000..b096e3fb8
--- /dev/null
+++ b/policy/modules/services/oav.if
@@ -0,0 +1,47 @@
+## <summary>Open AntiVirus scannerdaemon and signature update.</summary>
+
+########################################
+## <summary>
+## Execute oav_update in the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oav_domtrans_update',`
+ gen_require(`
+ type oav_update_t, oav_update_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oav_update_exec_t, oav_update_t)
+')
+
+########################################
+## <summary>
+## Execute oav_update in the oav update
+## domain, and allow the specified role
+## the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oav_run_update',`
+ gen_require(`
+ attribute_role oav_update_roles;
+ ')
+
+ oav_domtrans_update($1)
+ roleattribute $2 oav_update_roles;
+')
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
new file mode 100644
index 000000000..e2b36d4f9
--- /dev/null
+++ b/policy/modules/services/oav.te
@@ -0,0 +1,125 @@
+policy_module(oav, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role oav_update_roles;
+
+type oav_update_t;
+type oav_update_exec_t;
+application_domain(oav_update_t, oav_update_exec_t)
+role oav_update_roles types oav_update_t;
+
+type oav_update_etc_t;
+files_config_file(oav_update_etc_t)
+
+type oav_update_var_lib_t;
+files_type(oav_update_var_lib_t)
+
+type scannerdaemon_t;
+type scannerdaemon_exec_t;
+init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
+
+type scannerdaemon_etc_t;
+files_config_file(scannerdaemon_etc_t)
+
+type scannerdaemon_log_t;
+logging_log_file(scannerdaemon_log_t)
+
+type scannerdaemon_var_run_t;
+files_pid_file(scannerdaemon_var_run_t)
+
+########################################
+#
+# Update local policy
+#
+
+allow oav_update_t self:tcp_socket create_stream_socket_perms;
+allow oav_update_t self:udp_socket create_socket_perms;
+
+allow oav_update_t oav_update_etc_t:dir list_dir_perms;
+allow oav_update_t oav_update_etc_t:file read_file_perms;
+
+manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+
+corecmd_exec_all_executables(oav_update_t)
+
+files_exec_etc_files(oav_update_t)
+
+libs_exec_ld_so(oav_update_t)
+libs_exec_lib_files(oav_update_t)
+
+logging_send_syslog_msg(oav_update_t)
+
+sysnet_read_config(oav_update_t)
+
+userdom_use_user_terminals(oav_update_t)
+
+optional_policy(`
+ cron_system_entry(oav_update_t, oav_update_exec_t)
+')
+
+########################################
+#
+# Scannerdaemon local policy
+#
+
+dontaudit scannerdaemon_t self:capability sys_tty_config;
+allow scannerdaemon_t self:process signal_perms;
+allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
+allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
+allow scannerdaemon_t self:udp_socket create_socket_perms;
+
+allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
+
+allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
+
+allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
+logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
+
+manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t)
+files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file)
+
+kernel_read_system_state(scannerdaemon_t)
+kernel_read_kernel_sysctls(scannerdaemon_t)
+
+corecmd_exec_all_executables(scannerdaemon_t)
+
+dev_read_sysfs(scannerdaemon_t)
+
+domain_use_interactive_fds(scannerdaemon_t)
+
+files_exec_etc_files(scannerdaemon_t)
+files_read_etc_files(scannerdaemon_t)
+files_read_etc_runtime_files(scannerdaemon_t)
+files_search_var_lib(scannerdaemon_t)
+
+fs_getattr_all_fs(scannerdaemon_t)
+fs_search_auto_mountpoints(scannerdaemon_t)
+
+auth_dontaudit_read_shadow(scannerdaemon_t)
+
+libs_exec_ld_so(scannerdaemon_t)
+libs_exec_lib_files(scannerdaemon_t)
+
+logging_send_syslog_msg(scannerdaemon_t)
+
+miscfiles_read_localization(scannerdaemon_t)
+
+sysnet_read_config(scannerdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(scannerdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(scannerdaemon_t)
+')
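Review bot: oav_update_t is granted `self:tcp_socket create_stream_socket_perms` and `self:udp_socket create_socket_perms`, but the update block contains no corenet_* rules and no `sysnet_dns_name_resolve`, so the sockets cannot send, receive or connect on any interface, node or port. Either a signature download needs the usual corenet_tcp_sendrecv_generic_if/node plus a connect rule for whatever port it uses, or the socket permissions are dead and can go; the scannerdaemon block has the same socket rules with the same absence of corenet rules and should be checked the same way. Also `corecmd_exec_all_executables` on both domains is wider than the usual corecmd_exec_bin/corecmd_exec_shell pair, so it is worth confirming either really needs to execute every executable type.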
diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc
new file mode 100644
index 000000000..03fa56040
--- /dev/null
+++ b/policy/modules/services/obex.fc
@@ -0,0 +1 @@
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if
new file mode 100644
index 000000000..6723697ee
--- /dev/null
+++ b/policy/modules/services/obex.if
@@ -0,0 +1,88 @@
+## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
+
+#######################################
+## <summary>
+## The role template for obex.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`obex_role_template',`
+ gen_require(`
+ attribute_role obex_roles;
+ type obex_t, obex_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $2 obex_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $3 obex_t:process { ptrace signal_perms };
+ ps_process_pattern($3, obex_t)
+
+ dbus_spec_session_domain($1, obex_t, obex_exec_t)
+
+ obex_dbus_chat($3)
+')
+
+########################################
+## <summary>
+## Execute obex in the obex domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## obex over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
new file mode 100644
index 000000000..c0e368920
--- /dev/null
+++ b/policy/modules/services/obex.te
@@ -0,0 +1,43 @@
+policy_module(obex, 1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role obex_roles;
+
+type obex_t;
+type obex_exec_t;
+userdom_user_application_domain(obex_t, obex_exec_t)
+role obex_roles types obex_t;
+
+########################################
+#
+# Local policy
+#
+
+allow obex_t self:fifo_file rw_fifo_file_perms;
+allow obex_t self:socket create_stream_socket_perms;
+
+dev_read_urand(obex_t)
+
+files_read_etc_files(obex_t)
+
+logging_send_syslog_msg(obex_t)
+
+miscfiles_read_localization(obex_t)
+
+userdom_search_user_home_content(obex_t)
+
+optional_policy(`
+ bluetooth_stream_connect(obex_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(obex_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(obex_t)
+ ')
+')
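Review bot: `allow obex_t self:socket create_stream_socket_perms;` relies on the generic socket class, presumably to cover Bluetooth sockets given the bluetooth_stream_connect call below. If this policy build declares the extended_socket_class capability, Bluetooth sockets are checked against the bluetooth_socket class instead and this rule no longer covers them — confirm which applies and, if so, switch the class. A comment naming the socket family this rule is for would make that dependency visible, e.g. `# generic socket class covers bluetooth sockets when extended socket classes are not enabled`.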
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
new file mode 100644
index 000000000..f1c819ef4
--- /dev/null
+++ b/policy/modules/services/oddjob.fc
@@ -0,0 +1,11 @@
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/bin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/usr/bin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
new file mode 100644
index 000000000..baa890a94
--- /dev/null
+++ b/policy/modules/services/oddjob.if
@@ -0,0 +1,150 @@
+## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+ gen_require(`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+')
+
+########################################
+## <summary>
+## Make the specified program domain
+## accessable from the oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ domtrans_pattern(oddjob_t, $2, $1)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## oddjob over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+ gen_require(`
+ type oddjob_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run oddjob mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+')
+
+########################################
+## <summary>
+## Execute oddjob mkhomedir in the
+## oddjob mkhomedir domain and allow
+## the specified role the oddjob
+## mkhomedir domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ attribute_role oddjob_mkhomedir_roles;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ roleattribute $2 oddjob_mkhomedir_roles;
+')
+
+#####################################
+## <summary>
+## Do not audit attempts to read and write
+## oddjob fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`oddjob_dontaudit_rw_fifo_files',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+')
+
+######################################
+## <summary>
+## Send child terminated signals to oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ allow $1 oddjob_t:process sigchld;
+')
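Review bot: The summary of oddjob_system_entry misspells "accessible" as "accessable"; change the line to `## accessible from the oddjob.`. The summary could also say what the interface does, since it sets up a transition from oddjob_t to the caller's domain rather than granting the caller access to oddjob, e.g. `## Allow oddjob to transition to the specified domain through the given entrypoint.` as a two-line summary.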
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
new file mode 100644
index 000000000..39e2dcf5d
--- /dev/null
+++ b/policy/modules/services/oddjob.te
@@ -0,0 +1,105 @@
+policy_module(oddjob, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role oddjob_mkhomedir_roles;
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
+domain_subj_id_change_exemption(oddjob_t)
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
+
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow oddjob_t self:capability setgid;
+allow oddjob_t self:process { setexec signal };
+allow oddjob_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
+
+domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+
+kernel_read_system_state(oddjob_t)
+
+corecmd_exec_bin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+mcs_process_set_categories(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+auth_use_nsswitch(oddjob_t)
+
+miscfiles_read_localization(oddjob_t)
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+optional_policy(`
+ dbus_system_bus_client(oddjob_t)
+ dbus_connect_system_bus(oddjob_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(oddjob_t)
+')
+
+########################################
+#
+# Mkhomedir local policy
+#
+
+allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid };
+allow oddjob_mkhomedir_t self:process setfscreate;
+allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
+
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
+miscfiles_read_localization(oddjob_mkhomedir_t)
+
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
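Review bot: The declarations give oddjob_t all three id-change exemptions, `self:process setexec`, `mcs_process_set_categories` and, in an optional block, `unconfined_domtrans(oddjob_t)`, with no comment on why; together they let the daemon choose the context of the jobs it launches, including an unconfined one, on behalf of any caller reachable through oddjob_dbus_chat. A one-line comment above the exemption lines such as `# oddjobd sets the execution context of the jobs it runs for D-Bus clients` and one above the optional block such as `# jobs configured to run in the unconfined domain` would record the intent so the breadth is not mistaken for an accident.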
diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc
new file mode 100644
index 000000000..584d948f1
--- /dev/null
+++ b/policy/modules/services/oident.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0)
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)
+
+/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0)
+
+/usr/bin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
new file mode 100644
index 000000000..95b329ef5
--- /dev/null
+++ b/policy/modules/services/oident.if
@@ -0,0 +1,119 @@
+## <summary>An ident daemon with IP masq/NAT support and the ability to specify responses.</summary>
+
+########################################
+## <summary>
+## Read oidentd user home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_read_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 oidentd_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## oidentd user home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_manage_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 oidentd_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel oidentd user home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_relabel_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 oidentd_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the oidentd home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`oident_home_filetrans_oidentd_home',`
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an oident environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oident_admin',`
+ gen_require(`
+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+ ')
+
+ allow $1 oidentd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oidentd_t)
+
+ init_startstop_service($1, $2, oidentd_t, oidentd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, oidentd_config_t)
+')
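Review bot: The first four interfaces are written `interface(`oident_read_user_content', `` with a space before the second quoted argument, while oident_admin and every other .if file in this commit use the `',`` form with no space; keep the file consistent with the rest of the tree, e.g. `interface(`oident_read_user_content',``. The same applies to oident_manage_user_content and oident_relabel_user_content.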
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
new file mode 100644
index 000000000..96e4d87c2
--- /dev/null
+++ b/policy/modules/services/oident.te
@@ -0,0 +1,71 @@
+policy_module(oident, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_home_t;
+typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t };
+typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t };
+userdom_user_home_content(oidentd_home_t)
+
+type oidentd_initrc_exec_t;
+init_script_file(oidentd_initrc_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# Local policy
+#
+
+allow oidentd_t self:capability { setgid setuid };
+allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow oidentd_t self:tcp_socket { accept listen };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+kernel_request_load_module(oidentd_t)
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_generic_if(oidentd_t)
+corenet_tcp_sendrecv_generic_node(oidentd_t)
+corenet_tcp_bind_generic_node(oidentd_t)
+
+corenet_sendrecv_auth_server_packets(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+corenet_tcp_sendrecv_auth_port(oidentd_t)
+
+fs_getattr_all_fs(oidentd_t)
+fs_search_auto_mountpoints(oidentd_t)
+
+auth_use_nsswitch(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+userdom_search_user_home_dirs(oidentd_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(oidentd_t)
+ fs_read_cifs_files(oidentd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(oidentd_t)
+ fs_read_nfs_files(oidentd_t)
+')
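Review bot: `kernel_request_load_module(oidentd_t)` in the kernel block lets the daemon trigger kernel module autoloading, which is broader than anything else in this local policy and carries no comment explaining it. If it is there to pull in the inet_diag support behind the `netlink_tcpdiag_socket` rule above (presumably — confirm against the daemon), a comment such as `# module autoload for the inet_diag socket used to map connections to owners` on that line would record the reason and let a later review decide whether it can be dropped where that support is built in.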
diff --git a/policy/modules/services/openca.fc b/policy/modules/services/openca.fc
new file mode 100644
index 000000000..2e485b91b
--- /dev/null
+++ b/policy/modules/services/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if
new file mode 100644
index 000000000..e20879efc
--- /dev/null
+++ b/policy/modules/services/openca.if
@@ -0,0 +1,76 @@
+## <summary>Open Certificate Authority.</summary>
+
+########################################
+## <summary>
+## Execute the openca with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openca_domtrans',`
+ gen_require(`
+ type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 openca_usr_share_t:dir search_dir_perms;
+ domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to openca.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_signal',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process signal;
+')
+
+########################################
+## <summary>
+## Send stop signals to openca.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_sigstop',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Send kill signals to openca.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_kill',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigkill;
+')
diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te
new file mode 100644
index 000000000..0fc3a58d5
--- /dev/null
+++ b/policy/modules/services/openca.te
@@ -0,0 +1,66 @@
+policy_module(openca, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t, openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+type openca_etc_t;
+files_config_file(openca_etc_t)
+
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+
+manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+
+manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+
+allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
+allow openca_ca_t openca_usr_share_t:file read_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file read_lnk_file_perms;
+
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+apache_rw_cache_files(openca_ca_t)
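Review bot: The `apache_append_log(openca_ca_t)` and `apache_rw_cache_files(openca_ca_t)` calls at the end of the local policy are unconditional, so apache becomes a hard link-time dependency of this module, whereas the neighbouring openct and openvswitch modules wrap their cross-module calls in an optional_policy block; wrapping these two lines the same way keeps openca loadable without apache. Separately, `openca_etc_in_t` is declared and labelled in openca.fc but no rule in this file grants openca_ca_t any access to it; if the intent is that the runtime domain cannot read the `.in` templates, a comment such as `# openca_etc_in_t: templates, deliberately not readable by openca_ca_t` above the type declaration would make that explicit rather than leaving it to look like an omission.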
diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc
new file mode 100644
index 000000000..4c0236d2a
--- /dev/null
+++ b/policy/modules/services/openct.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openct -- gen_context(system_u:object_r:openct_initrc_exec_t,s0)
+
+/usr/bin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/bin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
new file mode 100644
index 000000000..61c3eb8bc
--- /dev/null
+++ b/policy/modules/services/openct.if
@@ -0,0 +1,127 @@
+## <summary>Service for handling smart card readers.</summary>
+
+########################################
+## <summary>
+## Send null signals to openct.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_signull',`
+ gen_require(`
+ type openct_t;
+ ')
+
+ allow $1 openct_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute openct in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_exec',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, openct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run openct.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openct_domtrans',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openct_exec_t, openct_t)
+')
+
+########################################
+## <summary>
+## Read openct pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_read_pid_files',`
+ gen_require(`
+ type openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, openct_var_run_t, openct_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to openct over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_stream_connect',`
+ gen_require(`
+ type openct_t, openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an openct environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openct_admin',`
+ gen_require(`
+ type openct_t, openct_initrc_exec_t, openct_var_run_t;
+ ')
+
+ allow $1 openct_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openct_t)
+
+ init_startstop_service($1, $2, openct_t, openct_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openct_var_run_t)
+')
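Review bot: `openct_exec` requires `type openct_t, openct_exec_t;` but its body only uses `openct_exec_t` in `can_exec($1, openct_exec_t)`, so the require on the domain type is unused; it should read `type openct_exec_t;`. The other interfaces in this hunk require only the types they use.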
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
new file mode 100644
index 000000000..3f424656d
--- /dev/null
+++ b/policy/modules/services/openct.te
@@ -0,0 +1,67 @@
+policy_module(openct, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t, openct_exec_t)
+
+type openct_initrc_exec_t;
+init_script_file(openct_initrc_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+can_exec(openct_t, openct_exec_t)
+
+kernel_read_kernel_sysctls(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
+
+domain_use_interactive_fds(openct_t)
+
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
+
+optional_policy(`
+ pcscd_stream_connect(openct_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`
+ udev_read_db(openct_t)
+')
diff --git a/policy/modules/services/openhpi.fc b/policy/modules/services/openhpi.fc
new file mode 100644
index 000000000..1ce9da3d4
--- /dev/null
+++ b/policy/modules/services/openhpi.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+
+/usr/bin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
+
+/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/policy/modules/services/openhpi.if b/policy/modules/services/openhpi.if
new file mode 100644
index 000000000..ca1e226e2
--- /dev/null
+++ b/policy/modules/services/openhpi.if
@@ -0,0 +1,36 @@
+## <summary>Open source implementation of the Service Availability Forum Hardware Platform Interface.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an openhpi environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openhpi_admin',`
+ gen_require(`
+ type openhpid_t, openhpid_initrc_exec_t, openhpid_var_lib_t;
+ type openhpid_var_run_t;
+ ')
+
+ allow $1 openhpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openhpid_t)
+
+ init_startstop_service($1, $2, openhpid_t, openhpid_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openhpid_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openhpid_var_run_t)
+')
diff --git a/policy/modules/services/openhpi.te b/policy/modules/services/openhpi.te
new file mode 100644
index 000000000..65b538c0b
--- /dev/null
+++ b/policy/modules/services/openhpi.te
@@ -0,0 +1,57 @@
+policy_module(openhpi, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type openhpid_t;
+type openhpid_exec_t;
+init_daemon_domain(openhpid_t, openhpid_exec_t)
+
+type openhpid_initrc_exec_t;
+init_script_file(openhpid_initrc_exec_t)
+
+type openhpid_var_lib_t;
+files_type(openhpid_var_lib_t)
+
+type openhpid_var_run_t;
+files_pid_file(openhpid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow openhpid_t self:capability kill;
+allow openhpid_t self:process signal;
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
+allow openhpid_t self:unix_stream_socket { accept listen };
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
+allow openhpid_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
+
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(openhpid_t)
+corenet_all_recvfrom_netlabel(openhpid_t)
+corenet_tcp_sendrecv_generic_if(openhpid_t)
+corenet_tcp_sendrecv_generic_node(openhpid_t)
+corenet_tcp_bind_generic_node(openhpid_t)
+
+corenet_sendrecv_openhpid_server_packets(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+corenet_tcp_sendrecv_openhpid_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+
+files_read_etc_files(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
+
+miscfiles_read_localization(openhpid_t)
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
new file mode 100644
index 000000000..7a00b7a8f
--- /dev/null
+++ b/policy/modules/services/openvpn.fc
@@ -0,0 +1,15 @@
+/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
+
+/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+
+/usr/bin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+
+/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
new file mode 100644
index 000000000..a03c2582e
--- /dev/null
+++ b/policy/modules/services/openvpn.if
@@ -0,0 +1,163 @@
+## <summary>full-featured SSL VPN solution.</summary>
+
+########################################
+## <summary>
+## Execute openvpn clients in the
+## openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+ gen_require(`
+ type openvpn_t, openvpn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+## Execute openvpn clients in the
+## openvpn domain, and allow the
+## specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+ gen_require(`
+ attribute_role openvpn_roles;
+ ')
+
+ openvpn_domtrans($1)
+ roleattribute $2 openvpn_roles;
+')
+
+########################################
+## <summary>
+## Send kill signals to openvpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to openvpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signal',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to openvpn.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
+########################################
+## <summary>
+## Read openvpn configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_read_config',`
+ gen_require(`
+ type openvpn_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ allow $1 openvpn_etc_t:file read_file_perms;
+ allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an openvpn environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_admin',`
+ gen_require(`
+ type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+ type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
+ type openvpn_status_t;
+ ')
+
+ allow $1 openvpn_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvpn_t)
+
+ init_startstop_service($1, $2, openvpn_t, openvpn_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
+
+ files_list_pids($1)
+ admin_pattern($1, openvpn_var_run_t)
+')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
new file mode 100644
index 000000000..f282b1fe5
--- /dev/null
+++ b/policy/modules/services/openvpn.te
@@ -0,0 +1,177 @@
+policy_module(openvpn, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openvpn can
+## read generic user home content files.
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether openvpn can
+## connect to the TCP network.
+## </p>
+## </desc>
+gen_tunable(openvpn_can_network_connect, false)
+
+attribute_role openvpn_roles;
+
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+role openvpn_roles types openvpn_t;
+
+type openvpn_etc_t;
+files_config_file(openvpn_etc_t)
+
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
+
+type openvpn_status_t;
+logging_log_file(openvpn_status_t)
+
+type openvpn_tmp_t;
+files_tmp_file(openvpn_tmp_t)
+
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config };
+allow openvpn_t self:process { signal getsched setsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
+allow openvpn_t self:unix_dgram_socket sendto;
+allow openvpn_t self:unix_stream_socket { accept connectto listen };
+allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow openvpn_t self:netlink_route_socket nlmsg_write;
+
+allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+allow openvpn_t openvpn_etc_t:file read_file_perms;
+allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
+allow openvpn_t openvpn_status_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+
+allow openvpn_t openvpn_tmp_t:file manage_file_perms;
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+
+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
+can_exec(openvpn_t, openvpn_etc_t)
+
+kernel_read_kernel_sysctls(openvpn_t)
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+kernel_request_load_module(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
+corenet_tcp_sendrecv_generic_if(openvpn_t)
+corenet_udp_sendrecv_generic_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_bind_generic_node(openvpn_t)
+corenet_udp_bind_generic_node(openvpn_t)
+
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_sendrecv_openvpn_port(openvpn_t)
+corenet_udp_sendrecv_openvpn_port(openvpn_t)
+
+corenet_sendrecv_http_server_packets(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_sendrecv_http_port(openvpn_t)
+
+corenet_sendrecv_http_cache_client_packets(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
+corenet_tcp_sendrecv_http_cache_port(openvpn_t)
+
+corenet_rw_tun_tap_dev(openvpn_t)
+
+dev_read_rand(openvpn_t)
+
+files_read_etc_runtime_files(openvpn_t)
+
+fs_getattr_all_fs(openvpn_t)
+fs_search_auto_mountpoints(openvpn_t)
+
+auth_use_pam(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
+
+sysnet_exec_ifconfig(openvpn_t)
+sysnet_manage_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
+sysnet_use_ldap(openvpn_t)
+
+userdom_use_user_terminals(openvpn_t)
+
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_user_home_content_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_can_network_connect',`
+ corenet_sendrecv_all_client_packets(openvpn_t)
+ corenet_tcp_connect_all_ports(openvpn_t)
+ corenet_tcp_sendrecv_all_ports(openvpn_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(openvpn_t)
+ ')
+')
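Review bot: The self capability rule at the top of the local policy grants `dac_override` alongside `dac_read_search`, `sys_chroot`, `setuid` and `setgid` with no comment saying which operation needs each, and `dac_override` is the one that bypasses permission checks for writes as well as reads; a why-comment above that line (for example that the daemon drops privileges and then re-reads root-owned key material — presumably, confirm against the daemon) would let a later audit decide whether it can be narrowed to `dac_read_search`. The `openvpn_can_network_connect` tunable description says the daemon can "connect to the TCP network" while the tunable_policy body grants `corenet_tcp_connect_all_ports`, so the description should state that it allows connecting to all TCP ports. Finally, `can_exec(openvpn_t, openvpn_etc_t)` together with `corecmd_exec_shell` means anything labelled openvpn_etc_t can be run by the daemon; this is consistent with the daemon only creating `openvpn_etc_rw_t` files there, but a comment on the can_exec line noting that up/down scripts must stay openvpn_etc_t and never the rw type would make that separation explicit.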
diff --git a/policy/modules/services/openvswitch.fc b/policy/modules/services/openvswitch.fc
new file mode 100644
index 000000000..04dabe8cb
--- /dev/null
+++ b/policy/modules/services/openvswitch.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
+
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
+
+/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
diff --git a/policy/modules/services/openvswitch.if b/policy/modules/services/openvswitch.if
new file mode 100644
index 000000000..f0133ed3f
--- /dev/null
+++ b/policy/modules/services/openvswitch.if
@@ -0,0 +1,80 @@
+## <summary>Multilayer virtual switch.</summary>
+
+########################################
+## <summary>
+## Execute openvswitch in the openvswitch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvswitch_domtrans',`
+ gen_require(`
+ type openvswitch_t, openvswitch_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
+')
+
+########################################
+## <summary>
+## Read openvswitch pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvswitch_read_pid_files',`
+ gen_require(`
+ type openvswitch_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an openvswitch environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvswitch_admin',`
+ gen_require(`
+ type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
+ type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ ')
+
+ allow $1 openvswitch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvswitch_t)
+
+ init_startstop_service($1, $2, openvswitch_t, openvswitch_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, openvswitch_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openvswitch_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, openvswitch_var_run_t)
+')
diff --git a/policy/modules/services/openvswitch.te b/policy/modules/services/openvswitch.te
new file mode 100644
index 000000000..b9790021c
--- /dev/null
+++ b/policy/modules/services/openvswitch.te
@@ -0,0 +1,97 @@
+policy_module(openvswitch, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type openvswitch_t;
+type openvswitch_exec_t;
+init_daemon_domain(openvswitch_t, openvswitch_exec_t)
+
+type openvswitch_initrc_exec_t;
+init_script_file(openvswitch_initrc_exec_t)
+
+type openvswitch_conf_t;
+files_config_file(openvswitch_conf_t)
+
+type openvswitch_var_lib_t;
+files_type(openvswitch_var_lib_t)
+
+type openvswitch_log_t;
+logging_log_file(openvswitch_log_t)
+
+type openvswitch_tmp_t;
+files_tmp_file(openvswitch_tmp_t)
+
+type openvswitch_var_run_t;
+files_pid_file(openvswitch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource };
+allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+allow openvswitch_t self:rawip_socket create_socket_perms;
+allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+
+manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
+manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
+files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
+
+manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
+
+can_exec(openvswitch_t, openvswitch_exec_t)
+
+kernel_read_network_state(openvswitch_t)
+kernel_read_system_state(openvswitch_t)
+
+corenet_all_recvfrom_unlabeled(openvswitch_t)
+corenet_all_recvfrom_netlabel(openvswitch_t)
+corenet_raw_sendrecv_generic_if(openvswitch_t)
+corenet_raw_sendrecv_generic_node(openvswitch_t)
+
+corecmd_exec_bin(openvswitch_t)
+
+dev_read_urand(openvswitch_t)
+
+domain_use_interactive_fds(openvswitch_t)
+
+files_read_etc_files(openvswitch_t)
+
+fs_getattr_all_fs(openvswitch_t)
+fs_search_cgroup_dirs(openvswitch_t)
+
+logging_send_syslog_msg(openvswitch_t)
+
+miscfiles_read_localization(openvswitch_t)
+
+sysnet_dns_name_resolve(openvswitch_t)
+
+optional_policy(`
+ iptables_domtrans(openvswitch_t)
+')
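Review bot: The three manage_*_pattern rules on `openvswitch_conf_t` give the daemon full write access to its own configuration type even though it is declared with `files_config_file`, so the daemon can rewrite what it reads on the next start; this is presumably because the database is kept under /etc/openvswitch, but a comment on the first of those lines such as `# the ovsdb database lives under /etc/openvswitch and is rewritten by the daemon` would record why a config type is writable. If only part of that directory needs to be writable, a separate rw type as openvpn.te does with `openvpn_etc_rw_t` would narrow it.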
diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
new file mode 100644
index 000000000..3b398450f
--- /dev/null
+++ b/policy/modules/services/pacemaker.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+
+/usr/bin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+
+/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
diff --git a/policy/modules/services/pacemaker.if b/policy/modules/services/pacemaker.if
new file mode 100644
index 000000000..44d1cf636
--- /dev/null
+++ b/policy/modules/services/pacemaker.if
@@ -0,0 +1,36 @@
+## <summary>A scalable high-availability cluster resource manager.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pacemaker environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pacemaker_admin',`
+ gen_require(`
+ type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_var_run_t;
+ ')
+
+ allow $1 pacemaker_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pacemaker_t)
+
+ init_startstop_service($1, $2, pacemaker_t, pacemaker_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, pacemaker_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pacemaker_var_run_t)
+')
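Review bot: `pacemaker_admin` leaves `pacemaker_tmp_t` and `pacemaker_tmpfs_t` out of its gen_require and grants no `admin_pattern` on them, although pacemaker.te in this same commit declares both types and the sibling admin interface `pkcs_admin_slotd` (pkcs.if) does cover its tmp and tmpfs types with `files_search_tmp`/`fs_search_tmpfs` plus `admin_pattern`. An administrator role built from this interface therefore cannot clean up pacemaker's temporary files. Suggest adding `type pacemaker_tmp_t, pacemaker_tmpfs_t;` to the require block and `files_search_tmp($1)` / `admin_pattern($1, pacemaker_tmp_t)` and `fs_search_tmpfs($1)` / `admin_pattern($1, pacemaker_tmpfs_t)` to the body.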
diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
new file mode 100644
index 000000000..a7c5c2f9e
--- /dev/null
+++ b/policy/modules/services/pacemaker.te
@@ -0,0 +1,83 @@
+policy_module(pacemaker, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type pacemaker_t;
+type pacemaker_exec_t;
+init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+
+type pacemaker_initrc_exec_t;
+init_script_file(pacemaker_initrc_exec_t)
+
+type pacemaker_tmp_t;
+files_tmp_file(pacemaker_tmp_t)
+
+type pacemaker_tmpfs_t;
+files_tmpfs_file(pacemaker_tmpfs_t)
+
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
+allow pacemaker_t self:process { setrlimit signal setpgid };
+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+allow pacemaker_t self:unix_stream_socket { connectto accept listen };
+
+manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
+
+manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
+
+kernel_getattr_core_if(pacemaker_t)
+kernel_read_all_sysctls(pacemaker_t)
+kernel_read_messages(pacemaker_t)
+kernel_read_network_state(pacemaker_t)
+kernel_read_software_raid_state(pacemaker_t)
+kernel_read_system_state(pacemaker_t)
+
+corecmd_exec_bin(pacemaker_t)
+corecmd_exec_shell(pacemaker_t)
+
+dev_getattr_mtrr_dev(pacemaker_t)
+dev_read_rand(pacemaker_t)
+dev_read_urand(pacemaker_t)
+
+domain_read_all_domains_state(pacemaker_t)
+domain_use_interactive_fds(pacemaker_t)
+
+files_read_kernel_symbol_table(pacemaker_t)
+
+fs_getattr_all_fs(pacemaker_t)
+
+auth_use_nsswitch(pacemaker_t)
+
+logging_send_syslog_msg(pacemaker_t)
+
+miscfiles_read_localization(pacemaker_t)
+
+optional_policy(`
+ corosync_read_log(pacemaker_t)
+ corosync_stream_connect(pacemaker_t)
+')
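Review bot: `corecmd_exec_bin(pacemaker_t)` and `corecmd_exec_shell(pacemaker_t)` are granted with no domain transition, so whatever helper scripts pacemakerd launches presumably run in `pacemaker_t` with its full capability set (`chown dac_override fowner fsetid kill setuid`), `setrlimit`, and `domain_read_all_domains_state`. If that is the intended trust boundary, a why-comment above `corecmd_exec_bin(pacemaker_t)` such as `# resource agents and helpers run in pacemaker_t; no transition` would make it explicit for the next reviewer; if it is not, a dedicated script domain would keep the capability set away from third-party agents.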
diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
new file mode 100644
index 000000000..8a7e20b57
--- /dev/null
+++ b/policy/modules/services/pads.fc
@@ -0,0 +1,10 @@
+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t,s0)
+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t,s0)
+/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t,s0)
+/etc/pads-assets\.csv -- gen_context(system_u:object_r:pads_config_t,s0)
+
+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t,s0)
+
+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t,s0)
+
+/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t,s0)
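Review bot: `/etc/pads-assets\.csv` is given the same `pads_config_t` label as `pads.conf`, the signature list and the ether-codes table, while pads.te grants `pads_t` `manage_file_perms` on `pads_config_t` together with `files_etc_filetrans`; the daemon can therefore rewrite its own configuration and signature list, not only the asset file it presumably generates. If the assets CSV is runtime output, labelling it with a dedicated writable type and leaving `pads_config_t` read-only for `pads_t` would keep a compromised daemon from altering what it detects with.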
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
new file mode 100644
index 000000000..4dd357452
--- /dev/null
+++ b/policy/modules/services/pads.if
@@ -0,0 +1,36 @@
+## <summary>Passive Asset Detection System.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pads environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pads_admin', `
+ gen_require(`
+ type pads_t, pads_config_t, pads_var_run_t;
+ type pads_initrc_exec_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pads_t)
+
+ init_startstop_service($1, $2, pads_t, pads_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pads_var_run_t)
+
+ files_search_etc($1)
+ admin_pattern($1, pads_config_t)
+')
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
new file mode 100644
index 000000000..98d22bfd0
--- /dev/null
+++ b/policy/modules/services/pads.te
@@ -0,0 +1,66 @@
+policy_module(pads, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+application_executable_file(pads_exec_t)
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:packet_socket create_socket_perms;
+allow pads_t self:socket create_socket_perms;
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+kernel_read_sysctl(pads_t)
+kernel_read_network_state(pads_t)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+
+corenet_sendrecv_prelude_client_packets(pads_t)
+corenet_tcp_connect_prelude_port(pads_t)
+corenet_tcp_sendrecv_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+dev_read_sysfs(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
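Review bot: The section banner directly above `allow pads_t self:capability { dac_override net_raw };` repeats `# Declarations`; every other .te file in this commit titles that block `# Local policy`, so the comment line should read `# Local policy`. Separately, `allow pads_t self:socket create_socket_perms;` on the generic `socket` class sits next to the more specific `packet_socket` rule with no comment; if a particular socket family needs it, naming it in a comment would let a later reviewer narrow the rule.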
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
new file mode 100644
index 000000000..4d667ea2f
--- /dev/null
+++ b/policy/modules/services/pcscd.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/pcscd -- gen_context(system_u:object_r:pcscd_initrc_exec_t,s0)
+
+/usr/bin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+
+/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
+/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
new file mode 100644
index 000000000..412c24aa4
--- /dev/null
+++ b/policy/modules/services/pcscd.if
@@ -0,0 +1,93 @@
+## <summary>PCSC smart card service.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pcscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcscd_domtrans',`
+ gen_require(`
+ type pcscd_t, pcscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+')
+
+########################################
+## <summary>
+## Read pcscd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_read_pid_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to pcscd over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_stream_connect',`
+ gen_require(`
+ type pcscd_t, pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+ allow pcscd_t $1:dir list_dir_perms;
+ allow pcscd_t $1:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pcscd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pcscd_admin',`
+ gen_require(`
+ type pcscd_t, pcscd_initrc_exec_t, pcscd_var_run_t;
+ ')
+
+ allow $1 pcscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pcscd_t)
+
+ init_startstop_service($1, $2, pcscd_t, pcscd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pcscd_var_run_t)
+')
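Review bot: `pcscd_stream_connect` also grants `pcscd_t` `list_dir_perms` and `read_file_perms` on the calling domain (`allow pcscd_t $1:dir …` / `allow pcscd_t $1:file …`), which presumably lets the daemon read the client's process entries, but the summary only describes the client-side socket connect. Add a sentence to the interface summary, e.g. `## Also allows pcscd to read the process state of the calling domain.`, so callers know what they expose by using it.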
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
new file mode 100644
index 000000000..247fe5c8a
--- /dev/null
+++ b/policy/modules/services/pcscd.te
@@ -0,0 +1,94 @@
+policy_module(pcscd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+type pcscd_initrc_exec_t;
+init_script_file(pcscd_initrc_exec_t)
+
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
+
+########################################
+#
+# Local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search fsetid };
+allow pcscd_t self:process signal;
+allow pcscd_t self:fifo_file rw_fifo_file_perms;
+allow pcscd_t self:unix_stream_socket { accept listen };
+allow pcscd_t self:tcp_socket { accept listen };
+allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+kernel_read_system_state(pcscd_t)
+
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
+corenet_tcp_sendrecv_generic_if(pcscd_t)
+corenet_tcp_sendrecv_generic_node(pcscd_t)
+
+corenet_sendrecv_http_client_packets(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+corenet_tcp_sendrecv_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_smartcard(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_read_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_use_unallocated_ttys(pcscd_t)
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ ')
+')
+
+optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+')
+
+optional_policy(`
+ udev_read_db(pcscd_t)
+')
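Review bot: `corenet_tcp_connect_http_port(pcscd_t)` with `corenet_sendrecv_http_client_packets`, and `term_use_unallocated_ttys(pcscd_t)`, give a local smart-card daemon outbound HTTP and tty access without any comment explaining the need. If a specific reader driver requires them, a one-line why-comment above each rule would stop a later cleanup from removing them; if not, they widen the daemon's reach beyond USB, sysfs and its own run directory, which is all the rest of the block needs.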
diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc
new file mode 100644
index 000000000..0f7fe6172
--- /dev/null
+++ b/policy/modules/services/pegasus.fc
@@ -0,0 +1,18 @@
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+
+/usr/bin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/bin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
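Review bot: `/etc/Pegasus/pegasus_current\.conf gen_context(...pegasus_data_t...)` has no `--` file-type qualifier, unlike the other single-file entries in this section, so a directory or symlink of that name would also be labelled `pegasus_data_t`. Adding `--` makes the entry consistent with the rest of the file and with the `filetrans_pattern` in pegasus.te, which only creates `dir` and `file` objects of that type.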
diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if
new file mode 100644
index 000000000..eadb01296
--- /dev/null
+++ b/policy/modules/services/pegasus.if
@@ -0,0 +1,49 @@
+## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pegasus environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pegasus_admin',`
+ gen_require(`
+ type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
+ type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
+ type pegasus_mof_t, pegasus_var_run_t;
+ ')
+
+ allow $1 pegasus_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pegasus_t)
+
+ init_startstop_service($1, $2, pegasus_t, pegasus_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, pegasus_conf_t)
+
+ files_search_usr($1)
+ admin_pattern($1, pegasus_mof_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, pegasus_tmp_t)
+
+ files_search_var($1)
+ admin_pattern($1, pegasus_cache_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, pegasus_data_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pegasus_var_run_t)
+')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
new file mode 100644
index 000000000..2af2dda53
--- /dev/null
+++ b/policy/modules/services/pegasus.te
@@ -0,0 +1,195 @@
+policy_module(pegasus, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type pegasus_t;
+type pegasus_exec_t;
+init_daemon_domain(pegasus_t, pegasus_exec_t)
+
+type pegasus_initrc_exec_t;
+init_script_file(pegasus_initrc_exec_t)
+
+type pegasus_cache_t;
+files_type(pegasus_cache_t)
+
+type pegasus_data_t;
+files_type(pegasus_data_t)
+
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
+type pegasus_conf_t;
+files_config_file(pegasus_conf_t)
+
+type pegasus_mof_t;
+files_type(pegasus_mof_t)
+
+type pegasus_var_run_t;
+files_pid_file(pegasus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice };
+dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
+allow pegasus_t self:unix_stream_socket { connectto accept listen };
+allow pegasus_t self:tcp_socket { accept listen };
+
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
+manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
+manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
+files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+
+manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
+
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+allow pegasus_t pegasus_mof_t:file read_file_perms;
+allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
+
+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
+
+can_exec(pegasus_t, pegasus_exec_t)
+
+kernel_read_network_state(pegasus_t)
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
+kernel_read_system_state(pegasus_t)
+kernel_search_vm_sysctl(pegasus_t)
+kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
+
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
+corenet_tcp_sendrecv_generic_if(pegasus_t)
+corenet_tcp_sendrecv_generic_node(pegasus_t)
+corenet_tcp_sendrecv_all_ports(pegasus_t)
+corenet_tcp_bind_generic_node(pegasus_t)
+
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_tcp_bind_pegasus_http_port(pegasus_t)
+
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+corenet_tcp_bind_pegasus_https_port(pegasus_t)
+
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_tcp_connect_pegasus_http_port(pegasus_t)
+
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_tcp_connect_pegasus_https_port(pegasus_t)
+
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
+
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
+dev_rw_sysfs(pegasus_t)
+dev_read_urand(pegasus_t)
+
+fs_getattr_all_fs(pegasus_t)
+fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
+
+auth_use_nsswitch(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
+
+domain_use_interactive_fds(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
+
+files_list_var_lib(pegasus_t)
+files_read_var_lib_files(pegasus_t)
+files_read_var_lib_symlinks(pegasus_t)
+
+init_rw_utmp(pegasus_t)
+init_stream_connect_script(pegasus_t)
+
+logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
+
+miscfiles_read_localization(pegasus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
+
+optional_policy(`
+ dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
+ hostname_exec(pegasus_t)
+')
+
+optional_policy(`
+ lldpad_dgram_send(pegasus_t)
+')
+
+optional_policy(`
+ rpm_exec(pegasus_t)
+')
+
+optional_policy(`
+ samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pegasus_t)
+ seutil_dontaudit_read_config(pegasus_t)
+')
+
+optional_policy(`
+ ssh_exec(pegasus_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(pegasus_t)
+')
+
+optional_policy(`
+ udev_read_db(pegasus_t)
+')
+
+optional_policy(`
+ unconfined_signull(pegasus_t)
+')
+
+optional_policy(`
+ virt_domtrans(pegasus_t)
+ virt_stream_connect(pegasus_t)
+ virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
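Review bot: `kernel_read_xen_state(pegasus_t)` and `kernel_write_xen_state(pegasus_t)` are granted unconditionally in the kernel block, while the xenstore connects they go with are gated behind `optional_policy(` xen_stream_connect … `)` at the end of the file; moving the two kernel_*_xen_state lines into that same optional block would keep xenstore write access off systems without the xen module. Also `corenet_tcp_connect_generic_port` next to `corenet_tcp_sendrecv_all_ports` means the server may reach any unlabelled port, which is worth a why-comment (e.g. which CIM providers need it) given the domain also holds `net_admin` and `auth_domtrans_chk_passwd`.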
diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc
new file mode 100644
index 000000000..f9f88dfb6
--- /dev/null
+++ b/policy/modules/services/perdition.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/perdition -- gen_context(system_u:object_r:perdition_initrc_exec_t,s0)
+
+/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+
+/usr/bin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
+
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
+
+/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if
new file mode 100644
index 000000000..4d69d9092
--- /dev/null
+++ b/policy/modules/services/perdition.if
@@ -0,0 +1,36 @@
+## <summary>Perdition POP and IMAP proxy.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an perdition environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`perdition_admin',`
+ gen_require(`
+ type perdition_t, perdition_initrc_exec_t, perdition_etc_t;
+ type perdition_var_run_t;
+ ')
+
+ allow $1 perdition_t:process { ptrace signal_perms };
+ ps_process_pattern($1, perdition_t)
+
+ init_startstop_service($1, $2, perdition_t, perdition_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, perdition_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, perdition_var_run_t)
+')
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
new file mode 100644
index 000000000..82e24cc8e
--- /dev/null
+++ b/policy/modules/services/perdition.te
@@ -0,0 +1,86 @@
+policy_module(perdition, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type perdition_t;
+type perdition_exec_t;
+init_daemon_domain(perdition_t, perdition_exec_t)
+
+type perdition_initrc_exec_t;
+init_script_file(perdition_initrc_exec_t)
+
+type perdition_etc_t;
+files_config_file(perdition_etc_t)
+
+type perdition_var_run_t;
+files_pid_file(perdition_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
+dontaudit perdition_t self:capability sys_tty_config;
+allow perdition_t self:process signal_perms;
+allow perdition_t self:tcp_socket { accept listen };
+
+allow perdition_t perdition_etc_t:dir list_dir_perms;
+allow perdition_t perdition_etc_t:file read_file_perms;
+allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(perdition_t)
+kernel_list_proc(perdition_t)
+kernel_read_proc_symlinks(perdition_t)
+
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
+corenet_tcp_sendrecv_generic_if(perdition_t)
+corenet_tcp_sendrecv_generic_node(perdition_t)
+corenet_tcp_sendrecv_all_ports(perdition_t)
+corenet_tcp_bind_generic_node(perdition_t)
+corenet_tcp_connect_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
+corenet_tcp_bind_pop_port(perdition_t)
+corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
+
+dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
+
+domain_use_interactive_fds(perdition_t)
+
+fs_getattr_all_fs(perdition_t)
+fs_search_auto_mountpoints(perdition_t)
+
+auth_use_nsswitch(perdition_t)
+
+logging_send_syslog_msg(perdition_t)
+
+miscfiles_read_localization(perdition_t)
+
+userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
+
+optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(perdition_t)
+')
+
+optional_policy(`
+ udev_read_db(perdition_t)
+')
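Review bot: Ordering in the local-policy block departs from the convention used by every other module in this commit: `manage_files_pattern(perdition_t, perdition_var_run_t, …)` comes before `manage_dirs_pattern`, and the corenet block interleaves pop and sieve rules (`connect`, `sendrecv_*_packets`, `bind`, `sendrecv_port`) rather than grouping them as the pacemaker, pcscd and pegasus files do. Swapping the two pattern lines and grouping the corenet rules per port would make the file scan like its siblings.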
diff --git a/policy/modules/services/pingd.fc b/policy/modules/services/pingd.fc
new file mode 100644
index 000000000..1cbbf6d8f
--- /dev/null
+++ b/policy/modules/services/pingd.fc
@@ -0,0 +1,9 @@
+/etc/pingd\.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)
+
+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/bin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
+
+/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if
new file mode 100644
index 000000000..fe9acb09c
--- /dev/null
+++ b/policy/modules/services/pingd.if
@@ -0,0 +1,94 @@
+## <summary>Pingd of the Whatsup cluster node up/down detection utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+ gen_require(`
+ type pingd_t, pingd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+## <summary>
+## Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_read_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 pingd_etc_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_manage_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 pingd_etc_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an pingd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+ gen_require(`
+ type pingd_t, pingd_etc_t, pingd_modules_t;
+ type pingd_initrc_exec_t;
+ ')
+
+ allow $1 pingd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pingd_t)
+
+ init_startstop_service($1, $2, pingd_t, pingd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pingd_etc_t)
+
+ files_list_usr($1)
+ admin_pattern($1, pingd_modules_t)
+')
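Review bot: `pingd_admin` uses `files_list_etc($1)` and `files_list_usr($1)` where every other admin interface in this commit uses `files_search_etc`/`files_search_usr` before `admin_pattern`; `list` grants more than the search needed to reach the labelled objects, so `files_search_etc($1)` and `files_search_usr($1)` would be the least-privilege and consistent choice. The banner lines above `pingd_read_config`, `pingd_manage_config` and `pingd_admin` are one `#` shorter than the one above `pingd_domtrans` and the rest of the tree.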
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
new file mode 100644
index 000000000..e20b15f87
--- /dev/null
+++ b/policy/modules/services/pingd.te
@@ -0,0 +1,54 @@
+policy_module(pingd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+type pingd_etc_t;
+files_type(pingd_etc_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket { accept listen };
+allow pingd_t self:rawip_socket create_socket_perms;
+
+allow pingd_t pingd_etc_t:file read_file_perms;
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_exec_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_all_recvfrom_unlabeled(pingd_t)
+corenet_all_recvfrom_netlabel(pingd_t)
+corenet_tcp_sendrecv_generic_if(pingd_t)
+corenet_raw_sendrecv_generic_if(pingd_t)
+corenet_tcp_sendrecv_generic_node(pingd_t)
+corenet_raw_sendrecv_generic_node(pingd_t)
+corenet_tcp_sendrecv_all_ports(pingd_t)
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+
+corenet_sendrecv_pingd_server_packets(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
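Review bot: `pingd_etc_t` is declared with `files_type(pingd_etc_t)` although it labels `/etc/pingd.conf` and pingd.if exposes it through `pingd_read_config`/`pingd_manage_config`; the sibling config types in this commit (`perdition_etc_t`, `pads_config_t`) use `files_config_file`, which also marks the type as configuration for the generic config-file interfaces. Changing the line to `files_config_file(pingd_etc_t)` would make the module consistent. The `corenet_tcp_sendrecv_all_ports(pingd_t)` line alongside `corenet_tcp_bind_pingd_port` could use a why-comment, since the daemon only binds its own port.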
diff --git a/policy/modules/services/pkcs.fc b/policy/modules/services/pkcs.fc
new file mode 100644
index 000000000..e920f4270
--- /dev/null
+++ b/policy/modules/services/pkcs.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+
+/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+
+/usr/lib/systemd/system/pkcsslotd.service gen_context(system_u:object_r:pkcs_slotd_unit_t,s0)
+
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+
+/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
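Review bot: `/run/pkcsslotd.*` and `/usr/lib/systemd/system/pkcsslotd.service` leave the `.` unescaped, so the first pattern also matches any `/run/pkcsslotd<anything>` path and the second would match `pkcsslotdXservice`; the other .fc files in this commit escape it (`pcscd\.pid`, `pads\.conf`). Suggest `/run/pkcsslotd\..*` (or `/run/pkcsslotd(/.*)?` if it is a directory) and `/usr/lib/systemd/system/pkcsslotd\.service -- gen_context(...)`, adding the `--` qualifier the unit-file entry in pcscd.fc carries.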
diff --git a/policy/modules/services/pkcs.if b/policy/modules/services/pkcs.if
new file mode 100644
index 000000000..9d1af4e5e
--- /dev/null
+++ b/policy/modules/services/pkcs.if
@@ -0,0 +1,42 @@
+## <summary>Implementations of the Cryptoki specification.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pkcs slotd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pkcs_admin_slotd',`
+ gen_require(`
+ type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+ type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+ ')
+
+ allow $1 pkcs_slotd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pkcs_slotd_t)
+
+ init_startstop_service($1, $2, pkcs_slotd_t, pkcs_slotd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, pkcs_slotd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pkcs_slotd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, pkcs_slotd_tmp_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, pkcs_slotd_tmpfs_t)
+')
diff --git a/policy/modules/services/pkcs.te b/policy/modules/services/pkcs.te
new file mode 100644
index 000000000..19915e31f
--- /dev/null
+++ b/policy/modules/services/pkcs.te
@@ -0,0 +1,65 @@
+policy_module(pkcs, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type pkcs_slotd_t;
+type pkcs_slotd_exec_t;
+init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
+
+type pkcs_slotd_initrc_exec_t;
+init_script_file(pkcs_slotd_initrc_exec_t)
+
+type pkcs_slotd_var_lib_t;
+files_type(pkcs_slotd_var_lib_t)
+
+type pkcs_slotd_var_run_t;
+files_pid_file(pkcs_slotd_var_run_t)
+
+type pkcs_slotd_tmp_t;
+files_tmp_file(pkcs_slotd_tmp_t)
+
+type pkcs_slotd_tmpfs_t;
+files_tmpfs_file(pkcs_slotd_tmpfs_t)
+
+type pkcs_slotd_unit_t;
+init_unit_file(pkcs_slotd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pkcs_slotd_t self:capability { chown fsetid kill };
+allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+allow pkcs_slotd_t self:sem create_sem_perms;
+allow pkcs_slotd_t self:shm create_shm_perms;
+allow pkcs_slotd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, { sock_file file dir })
+
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { dir file })
+
+files_read_etc_files(pkcs_slotd_t)
+
+auth_use_nsswitch(pkcs_slotd_t)
+
+logging_send_syslog_msg(pkcs_slotd_t)
+
+miscfiles_read_localization(pkcs_slotd_t)
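Review bot: `allow pkcs_slotd_t self:capability { chown fsetid kill };` carries no comment saying what the daemon does with each capability, and `chown`/`fsetid`/`kill` are exactly the grants a later reviewer will want justified before they can be narrowed. Suggest a why-comment above that line, e.g. `# chown/fsetid: TODO confirm which /var/lib/opencryptoki objects need them; kill: TODO confirm which processes are signalled`. Separately, the daemon gets only `{ accept listen }` on its unix_stream_socket here while plymouthd_t in this commit grants `create_stream_socket_perms` explicitly; presumably the create/bind permissions come from the base domain rules via init_daemon_domain, but that is worth confirming since the .fc labels a socket under /run/pkcsslotd.*.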
diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
new file mode 100644
index 000000000..c99ccd2d7
--- /dev/null
+++ b/policy/modules/services/plymouthd.fc
@@ -0,0 +1,15 @@
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+
+/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+
+/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
new file mode 100644
index 000000000..04e0c734f
--- /dev/null
+++ b/policy/modules/services/plymouthd.if
@@ -0,0 +1,269 @@
+## <summary>Plymouth graphical boot.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans',`
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute plymouthd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec',`
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to plymouthd using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_stream_connect',`
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute plymouth in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth',`
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth',`
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_spool',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_lib',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:dir search_dir_perms;
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an plymouthd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin',`
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ files_search_spool($1)
+ admin_pattern($1, plymouthd_spool_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, plymouthd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, plymouthd_var_run_t)
+')
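Review bot: `plymouthd_admin` uses `read_files_pattern($1, plymouthd_t, plymouthd_t)` to give the admin domain access to the daemon's process state, whereas `pkcs_admin_slotd` in this same commit uses `ps_process_pattern($1, pkcs_slotd_t)`; the read_files form omits the dir list and process getattr/getsession permissions, so inspecting the daemon with ps from the admin domain would likely still be denied. Change that line to `ps_process_pattern($1, plymouthd_t)`. The summary also reads "administrate an plymouthd environment" and should be `## administrate a plymouthd environment.`; and `plymouthd_read_pid_files` spells out raw dir/file allows where the other read interfaces in this file use `read_files_pattern`, so `read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)` would be the consistent form.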
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
new file mode 100644
index 000000000..8b265787a
--- /dev/null
+++ b/policy/modules/services/plymouthd.te
@@ -0,0 +1,134 @@
+policy_module(plymouthd, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+init_system_domain(plymouth_t, plymouth_exec_t)
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_var_log_t;
+logging_log_file(plymouthd_var_log_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+########################################
+#
+# Daemon local policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:capability2 block_suspend;
+allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+fs_getattr_all_fs(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+term_getattr_pty_fs(plymouthd_t)
+term_use_all_terms(plymouthd_t)
+term_use_ptmx(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+optional_policy(`
+ gnome_read_generic_home_content(plymouthd_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(plymouthd_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_state(plymouthd_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_fifo_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+
+kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+term_use_console(plymouth_t)
+term_use_ptmx(plymouth_t)
+
+init_use_fds(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
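Review bot: `allow plymouthd_t self:capability { sys_admin sys_tty_config };` grants sys_admin, the broadest capability, with no comment naming the operation that requires it, and nothing in the visible daemon policy (framebuffer, dri, tty, module load requests) obviously implies it. A one-line why-comment such as `# sys_admin: TODO confirm which operation needs this; drop or dontaudit if none is found` would let a future reviewer decide whether it can be narrowed rather than carried forward indefinitely. The same applies to `kernel_change_ring_buffer_level(plymouthd_t)`, which is a fairly unusual grant for a boot splash daemon and deserves a short comment stating why it is needed.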
diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
new file mode 100644
index 000000000..588b9823d
--- /dev/null
+++ b/policy/modules/services/policykit.fc
@@ -0,0 +1,26 @@
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+
+/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
new file mode 100644
index 000000000..390622626
--- /dev/null
+++ b/policy/modules/services/policykit.if
@@ -0,0 +1,248 @@
+## <summary>Policy framework for controlling privileges for system-wide services.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit auth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_auth in the policy
+## auth domain, and allow the specified
+## role the policy auth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ attribute_role policykit_auth_roles;
+ ')
+
+ policykit_domtrans_auth($1)
+ roleattribute $2 policykit_auth_roles;
+')
+
+#######################################
+## <summary>
+## Send generic signals to
+## policykit auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit grant.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_grant in the policy
+## grant domain, and allow the specified
+## role the policy grant domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ attribute_role policykit_grant_roles;
+ ')
+
+ policykit_domtrans_grant($1)
+ roleattribute $2 policykit_grant_roles;
+')
+
+########################################
+## <summary>
+## Read policykit reload files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## Read and write policykit reload files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+')
+
+########################################
+## <summary>
+## Search policykit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read policykit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+')
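Review bot: `policykit_run_auth` is a role-granting interface (it does `roleattribute $2 policykit_auth_roles`) but lacks the `## <rolecap/>` tag that its sibling `policykit_run_grant` carries; add `## <rolecap/>` after the role parameter block so the generated documentation and role-capability tooling treat both interfaces the same way. The summaries "Execute a policy_auth in the policy auth domain" and "Execute a policy_grant in the policy grant domain" name programs that do not exist under those names; "Execute the polkit auth helper in the policykit auth domain, and allow the specified role the policykit auth domain" (and likewise for grant) would read more clearly.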
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
new file mode 100644
index 000000000..0fd3d3f6d
--- /dev/null
+++ b/policy/modules/services/policykit.te
@@ -0,0 +1,303 @@
+policy_module(policykit, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute policykit_domain;
+
+attribute_role policykit_auth_roles;
+attribute_role policykit_grant_roles;
+
+type policykit_t, policykit_domain;
+type policykit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t, policykit_domain;
+type policykit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+role policykit_auth_roles types policykit_auth_t;
+
+type policykit_grant_t, policykit_domain;
+type policykit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+role policykit_grant_roles types policykit_grant_t;
+
+type policykit_resolve_t, policykit_domain;
+type policykit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_tmp_t;
+files_tmp_file(policykit_tmp_t)
+
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+#######################################
+#
+# Common policykit domain local policy
+#
+
+allow policykit_domain self:process { execmem getattr };
+allow policykit_domain self:fifo_file rw_fifo_file_perms;
+
+kernel_search_proc(policykit_domain)
+
+corecmd_exec_bin(policykit_domain)
+
+dev_read_sysfs(policykit_domain)
+
+files_read_usr_files(policykit_domain)
+
+logging_send_syslog_msg(policykit_domain)
+
+miscfiles_read_localization(policykit_domain)
+
+########################################
+#
+# Local policy
+#
+
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+allow policykit_t self:process { getsched setsched signal };
+allow policykit_t self:unix_stream_socket { accept connectto listen };
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+can_exec(policykit_t, policykit_exec_t)
+
+domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
+domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
+
+kernel_read_crypto_sysctls(policykit_t)
+kernel_read_kernel_sysctls(policykit_t)
+kernel_read_system_state(policykit_t)
+
+dev_read_urand(policykit_t)
+dev_read_urand(policykit_t)
+
+domain_read_all_domains_state(policykit_t)
+
+files_dontaudit_search_all_mountpoints(policykit_t)
+
+fs_getattr_xattr_fs(policykit_t)
+fs_list_inotifyfs(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+userdom_getattr_all_users(policykit_t)
+userdom_read_all_users_state(policykit_t)
+
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
+ userdom_dbus_send_all_users(policykit_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(policykit_t)
+ ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(policykit_t)
+ ')
+')
+
+optional_policy(`
+ consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
+ gnome_read_generic_home_content(policykit_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(policykit_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+')
+
+optional_policy(`
+ # for /run/systemd/machines
+ systemd_read_machines(policykit_t)
+
+ # for /run/systemd/seats/seat*
+ systemd_read_logind_sessions_files(policykit_t)
+
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(policykit_t)
+')
+
+########################################
+#
+# Auth local policy
+#
+
+allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
+dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
+allow policykit_auth_t self:process { getsched setsched signal };
+allow policykit_auth_t self:unix_stream_socket { accept listen };
+
+ps_process_pattern(policykit_auth_t, policykit_domain)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+
+kernel_read_system_state(policykit_auth_t)
+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+kernel_dontaudit_search_sysctl(policykit_auth_t)
+
+dev_read_video_dev(policykit_auth_t)
+
+domain_use_interactive_fds(policykit_auth_t)
+
+files_read_etc_runtime_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
+
+fs_getattr_all_fs(policykit_auth_t)
+fs_search_tmpfs(policykit_auth_t)
+
+auth_read_shadow(policykit_auth_t)
+auth_rw_var_auth(policykit_auth_t)
+auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
+
+miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
+ dbus_all_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ hal_read_state(policykit_auth_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(policykit_auth_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+')
+
+optional_policy(`
+ xserver_stream_connect(policykit_auth_t)
+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_rw_xsession_log(policykit_auth_t)
+')
+
+########################################
+#
+# Grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+ps_process_pattern(policykit_grant_t, policykit_domain)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+
+domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
+domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
+
+auth_domtrans_chk_passwd(policykit_grant_t)
+auth_use_nsswitch(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ cron_manage_system_job_lib_files(policykit_grant_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# Resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice };
+allow policykit_resolve_t self:unix_stream_socket { accept listen };
+
+ps_process_pattern(policykit_resolve_t, policykit_domain)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+
+domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ hal_read_state(policykit_resolve_t)
+')
+
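Review bot: `dev_read_urand(policykit_t)` appears twice in a row in the policykit_t local policy; drop one of the two lines. The rule `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };` has no comment explaining the capabilities; dac_read_search is a subset of dac_override, so if the daemon only needs to read other users' files the broader `dac_override` could be dropped, and `sys_ptrace` together with `domain_read_all_domains_state` deserves a `# sys_ptrace: TODO confirm which cross-process access needs this` note so the grant can be reviewed later. The file also ends with an extra blank line after the last `optional_policy` block.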
diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
new file mode 100644
index 000000000..1cfd0761c
--- /dev/null
+++ b/policy/modules/services/polipo.fc
@@ -0,0 +1,15 @@
+HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
+
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
+
+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+
+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
+
+/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
+
+/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
+
+/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
new file mode 100644
index 000000000..4b1988dec
--- /dev/null
+++ b/policy/modules/services/polipo.if
@@ -0,0 +1,141 @@
+## <summary>Lightweight forwarding and caching proxy server.</summary>
+
+########################################
+## <summary>
+## Role access for Polipo session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`polipo_role',`
+ gen_require(`
+ type polipo_session_t, polipo_exec_t, polipo_config_home_t;
+ type polipo_cache_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ role $1 types polipo_session_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
+
+ userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
+ userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
+ userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
+
+ allow $2 polipo_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, polipo_session_t)
+
+ tunable_policy(`polipo_session_users',`
+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
+ ',`
+ can_exec($2, polipo_exec_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute Polipo in the Polipo
+## system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polipo_initrc_domtrans',`
+ gen_require(`
+ type polipo_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the polipo
+## log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`polipo_log_filetrans_log',`
+ gen_require(`
+ type polipo_log_t;
+ ')
+
+ logging_log_filetrans($1, polipo_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an polipo environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`polipo_admin',`
+ gen_require(`
+ type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
+ type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ ')
+
+ allow $1 polipo_system_t:process { ptrace signal_perms };
+ ps_process_pattern($1, polipo_system_t)
+
+ init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)
+
+ files_search_var($1)
+ admin_pattern($1, polipo_cache_t)
+
+ files_search_etc($1)
+ admin_pattern($1, polipo_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, polipo_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, polipo_var_run_t)
+')
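Review bot: `init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)` in polipo_admin names a type `polipo_t` that neither the gen_require block at the top of this interface nor polipo.te declares; the daemon domain declared in the .te and required two lines earlier by the ptrace and ps_process_pattern rules is `polipo_system_t`. Because an interface body is only expanded when a caller invokes it, this builds cleanly until some policy actually calls polipo_admin, at which point the build fails on the undeclared type. Change the line to `init_startstop_service($1, $2, polipo_system_t, polipo_initrc_exec_t)`.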
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
index 000000000..5f724161f
--- /dev/null
+++ b/policy/modules/services/polipo.te
@@ -0,0 +1,171 @@
+policy_module(polipo, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Polipo system
+## daemon can access CIFS file systems.
+## </p>
+## </desc>
+gen_tunable(polipo_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo system
+## daemon can access NFS file systems.
+## </p>
+## </desc>
+gen_tunable(polipo_system_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether calling user domains
+## can execute Polipo daemon in the
+## polipo_session_t domain.
+## </p>
+## </desc>
+gen_tunable(polipo_session_users, false)
+
+## <desc>
+## <p>
+## Determine whether Polipo session daemon
+## can send syslog messages.
+## </p>
+## </desc>
+gen_tunable(polipo_session_send_syslog_msg, false)
+
+attribute polipo_daemon;
+
+type polipo_system_t, polipo_daemon;
+type polipo_exec_t;
+init_daemon_domain(polipo_system_t, polipo_exec_t)
+
+type polipo_initrc_exec_t;
+init_script_file(polipo_initrc_exec_t)
+
+type polipo_conf_t;
+files_config_file(polipo_conf_t)
+
+type polipo_cache_t;
+files_type(polipo_cache_t)
+
+type polipo_log_t;
+logging_log_file(polipo_log_t)
+
+type polipo_var_run_t;
+files_pid_file(polipo_var_run_t)
+
+type polipo_session_t, polipo_daemon;
+userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+
+type polipo_cache_home_t;
+userdom_user_home_content(polipo_cache_home_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
+
+########################################
+#
+# Session local policy
+#
+
+allow polipo_session_t polipo_config_home_t:file read_file_perms;
+
+manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
+
+auth_use_nsswitch(polipo_session_t)
+
+userdom_use_user_terminals(polipo_session_t)
+
+tunable_policy(`polipo_session_send_syslog_msg',`
+ logging_send_syslog_msg(polipo_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(polipo_session_t)
+',`
+ fs_dontaudit_read_nfs_files(polipo_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(polipo_session_t)
+',`
+ fs_dontaudit_read_cifs_files(polipo_session_t)
+')
+
+########################################
+#
+# System local policy
+#
+
+read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+
+manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
+manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
+files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+
+append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+logging_log_filetrans(polipo_system_t, polipo_log_t, file)
+
+manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
+files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+
+auth_use_nsswitch(polipo_system_t)
+
+logging_send_syslog_msg(polipo_system_t)
+
+optional_policy(`
+ cron_system_entry(polipo_system_t, polipo_exec_t)
+')
+
+tunable_policy(`polipo_system_use_cifs',`
+ fs_manage_cifs_files(polipo_system_t)
+',`
+ fs_dontaudit_read_cifs_files(polipo_system_t)
+')
+
+tunable_policy(`polipo_system_use_nfs',`
+ fs_manage_nfs_files(polipo_system_t)
+',`
+ fs_dontaudit_read_nfs_files(polipo_system_t)
+')
+
+########################################
+#
+# Polipo global local policy
+#
+
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
+
+corenet_all_recvfrom_unlabeled(polipo_daemon)
+corenet_all_recvfrom_netlabel(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_bind_generic_node(polipo_daemon)
+
+corenet_sendrecv_http_client_packets(polipo_daemon)
+corenet_tcp_sendrecv_http_port(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+
+corenet_sendrecv_tor_client_packets(polipo_daemon)
+corenet_tcp_sendrecv_tor_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+
+files_read_usr_files(polipo_daemon)
+
+fs_search_auto_mountpoints(polipo_daemon)
+
+miscfiles_read_localization(polipo_daemon)
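Review bot: `files_var_filetrans(polipo_system_t, polipo_cache_t, dir)` in the system local policy carries no name component, so every directory polipo_system_t creates directly inside a var_t-labelled directory becomes polipo_cache_t, not just the /var/cache/polipo tree that polipo.fc assigns to that type. If the daemon only ever creates that one directory (I am inferring the intent from the .fc entry), a name filter narrows the transition to exactly that path: `files_var_filetrans(polipo_system_t, polipo_cache_t, dir, "polipo")`. The `logging_log_filetrans(polipo_system_t, polipo_log_t, file)` line has the same unfiltered shape, but log file names chosen by the daemon may legitimately vary, so a filter there needs confirming against the daemon first.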
diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc
new file mode 100644
index 000000000..b33b5f4ed
--- /dev/null
+++ b/policy/modules/services/portmap.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
+
+/usr/bin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
+/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
+/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
new file mode 100644
index 000000000..52208ce0a
--- /dev/null
+++ b/policy/modules/services/portmap.if
@@ -0,0 +1,82 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+## Execute portmap helper in the helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
+')
+
+########################################
+## <summary>
+## Execute portmap helper in the helper
+## domain, and allow the specified role
+## the helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ attribute_role portmap_helper_roles;
+ ')
+
+ portmap_domtrans_helper($1)
+ roleattribute $2 portmap_helper_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an portmap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portmap_admin',`
+ gen_require(`
+ type portmap_t, portmap_initrc_exec_t, portmap_helper_t;
+ type portmap_var_run_t, portmap_tmp_t;
+ ')
+
+ allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { portmap_t portmap_helper_t })
+
+ init_startstop_service($1, $2, portmap_t, portmap_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, portmap_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, portmap_tmp_t)
+')
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
new file mode 100644
index 000000000..4620bb8c7
--- /dev/null
+++ b/policy/modules/services/portmap.te
@@ -0,0 +1,142 @@
+policy_module(portmap, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role portmap_helper_roles;
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t, portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+role portmap_helper_roles types portmap_helper_t;
+
+type portmap_initrc_exec_t;
+init_script_file(portmap_initrc_exec_t)
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow portmap_t self:capability { setgid setuid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:unix_stream_socket { accept listen };
+allow portmap_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
+
+manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
+files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+
+kernel_read_system_state(portmap_t)
+kernel_read_kernel_sysctls(portmap_t)
+
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
+corenet_tcp_sendrecv_generic_if(portmap_t)
+corenet_udp_sendrecv_generic_if(portmap_t)
+corenet_tcp_sendrecv_generic_node(portmap_t)
+corenet_udp_sendrecv_generic_node(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_generic_node(portmap_t)
+corenet_udp_bind_generic_node(portmap_t)
+
+corenet_sendrecv_all_client_packets(portmap_t)
+corenet_sendrecv_all_server_packets(portmap_t)
+
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+
+corenet_tcp_connect_all_ports(portmap_t)
+
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+domain_use_interactive_fds(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`
+ udev_read_db(portmap_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:tcp_socket { accept listen };
+
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
+files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
+corenet_tcp_sendrecv_generic_if(portmap_helper_t)
+corenet_udp_sendrecv_generic_if(portmap_helper_t)
+corenet_tcp_sendrecv_generic_node(portmap_helper_t)
+corenet_udp_sendrecv_generic_node(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_generic_node(portmap_helper_t)
+corenet_udp_bind_generic_node(portmap_helper_t)
+
+corenet_sendrecv_all_client_packets(portmap_helper_t)
+corenet_sendrecv_all_server_packets(portmap_helper_t)
+
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+
+corenet_tcp_connect_all_ports(portmap_helper_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+files_rw_generic_pids(portmap_helper_t)
+
+auth_use_nsswitch(portmap_helper_t)
+
+init_rw_utmp(portmap_helper_t)
+
+logging_send_syslog_msg(portmap_helper_t)
+
+userdom_use_user_terminals(portmap_helper_t)
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
new file mode 100644
index 000000000..d649d58dc
--- /dev/null
+++ b/policy/modules/services/portreserve.fc
@@ -0,0 +1,9 @@
+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
+/usr/bin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
new file mode 100644
index 000000000..0a90afd62
--- /dev/null
+++ b/policy/modules/services/portreserve.if
@@ -0,0 +1,118 @@
+## <summary>Reserve well-known ports in the RPC port range.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+ gen_require(`
+ type portreserve_t, portreserve_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+## <summary>
+## Read portreserve configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_read_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 portreserve_etc_t:dir list_dir_perms;
+ allow $1 portreserve_etc_t:file read_file_perms;
+ allow $1 portreserve_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## portreserve configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portreserve_manage_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 portreserve_etc_t:dir manage_dir_perms;
+ allow $1 portreserve_etc_t:file manage_file_perms;
+ allow $1 portreserve_etc_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Execute portreserve init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an portreserve environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_admin',`
+ gen_require(`
+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
+
+ init_startstop_service($1, $2, portreserve_t, portreserve_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
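Review bot: `portreserve_read_config` carries a `## <rolecap/>` tag although it grants only list/read access to portreserve_etc_t and performs no domain or role transition; the sibling `portreserve_manage_config`, which grants strictly more on the same type, has no such tag. In these interface files the tag marks interfaces that must be paired with a role (compare the admin interfaces here, which take a role parameter), so on a plain read interface it misleads the generated interface documentation and anyone auditing which interfaces widen a role. Drop the `## <rolecap/>` line from portreserve_read_config.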
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
new file mode 100644
index 000000000..4a42d7ceb
--- /dev/null
+++ b/policy/modules/services/portreserve.te
@@ -0,0 +1,61 @@
+policy_module(portreserve, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
+type portreserve_etc_t;
+files_config_file(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow portreserve_t self:capability { dac_override dac_read_search };
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+allow portreserve_t portreserve_etc_t:dir list_dir_perms;
+allow portreserve_t portreserve_etc_t:file read_file_perms;
+allow portreserve_t portreserve_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
+
+corecmd_getattr_bin_files(portreserve_t)
+
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_sendrecv_generic_if(portreserve_t)
+corenet_udp_sendrecv_generic_if(portreserve_t)
+corenet_tcp_sendrecv_generic_node(portreserve_t)
+corenet_udp_sendrecv_generic_node(portreserve_t)
+corenet_tcp_sendrecv_all_ports(portreserve_t)
+corenet_udp_sendrecv_all_ports(portreserve_t)
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+
+corenet_sendrecv_all_server_packets(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)
diff --git a/policy/modules/services/portslave.fc b/policy/modules/services/portslave.fc
new file mode 100644
index 000000000..1afb19760
--- /dev/null
+++ b/policy/modules/services/portslave.fc
@@ -0,0 +1,9 @@
+/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/bin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/bin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
+/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
+/var/lock/subsys/portslave -- gen_context(system_u:object_r:portslave_lock_t,s0)
diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if
new file mode 100644
index 000000000..c2919e262
--- /dev/null
+++ b/policy/modules/services/portslave.if
@@ -0,0 +1,20 @@
+## <summary>Portslave terminal server software.</summary>
+
+########################################
+## <summary>
+## Execute portslave with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portslave_domtrans',`
+ gen_require(`
+ type portslave_t, portslave_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portslave_exec_t, portslave_t)
+')
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
new file mode 100644
index 000000000..1d61734d1
--- /dev/null
+++ b/policy/modules/services/portslave.te
@@ -0,0 +1,111 @@
+policy_module(portslave, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t, portslave_exec_t)
+init_daemon_domain(portslave_t, portslave_exec_t)
+
+type portslave_etc_t;
+files_config_file(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket { accept connectto listen };
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket { accept listen };
+
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+allow portslave_t portslave_etc_t:file read_file_perms;
+allow portslave_t portslave_etc_t:lnk_file read_lnk_file_perms;
+
+allow portslave_t portslave_lock_t:file manage_file_perms;
+files_lock_filetrans(portslave_t, portslave_lock_t, file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_generic_node(portslave_t)
+corenet_udp_sendrecv_generic_node(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_ttys(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_domtrans_chk_passwd(portslave_t)
+auth_rw_login_records(portslave_t)
+auth_use_nsswitch(portslave_t)
+
+init_rw_utmp(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+
+ppp_read_home_files(portslave_t)
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t, file)
+
+ssh_exec(portslave_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(portslave_t, portslave_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(portslave_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+ udev_read_db(portslave_t)
+')
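Review bot: `ppp_read_home_files(portslave_t)` through `ppp_pid_filetrans(portslave_t, file)` and `ssh_exec(portslave_t)` are called unconditionally, while the inetd, mta, seutil and udev calls immediately after them are each wrapped in optional_policy; this makes ppp and ssh hard dependencies of the portslave module, and a policy build that omits either of those modules fails to link this one. Unless ppp and ssh are mandatory modules in this tree, wrap the ppp group and `ssh_exec(portslave_t)` in optional_policy blocks exactly like the `mta_send_mail(portslave_t)` one below them. Separately, `term_use_all_ttys(portslave_t)` already covers the unallocated tty node type, so `term_use_unallocated_ttys(portslave_t)` two lines above it appears redundant (the `term_setattr_unallocated_ttys` call is not, since the all-ttys interface grants rw, not setattr).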
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
new file mode 100644
index 000000000..ecf447d60
--- /dev/null
+++ b/policy/modules/services/postfix.fc
@@ -0,0 +1,70 @@
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+
+/usr/bin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/bin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/bin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/bin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+# Remove catch-all so that .so files remain lib_t
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+
+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
new file mode 100644
index 000000000..fa17bde44
--- /dev/null
+++ b/policy/modules/services/postfix.if
@@ -0,0 +1,738 @@
+## <summary>Postfix email server.</summary>
+
+########################################
+## <summary>
+## Postfix stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_stub',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a postfix domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`postfix_domain_template',`
+ gen_require(`
+ attribute postfix_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type postfix_$1_t, postfix_domain;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
+ domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ role system_r types postfix_$1_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+ auth_use_nsswitch(postfix_$1_t)
+')
+
+#######################################
+## <summary>
+## The template to define a postfix server domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`postfix_server_domain_template',`
+ gen_require(`
+ attribute postfix_server_domain, postfix_server_tmp_content;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_server_domain;
+
+ type postfix_$1_tmp_t, postfix_server_tmp_content;
+ files_tmp_file(postfix_$1_tmp_t)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+')
+
+#######################################
+## <summary>
+## The template to define a postfix user domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`postfix_user_domain_template',`
+ gen_require(`
+ attribute postfix_user_domains, postfix_user_domtrans;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_user_domains;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow postfix_$1_t self:capability dac_override;
+
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+
+ domain_use_interactive_fds(postfix_$1_t)
+')
+
+########################################
+## <summary>
+## Read postfix configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_read_config',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 postfix_etc_t:dir list_dir_perms;
+ allow $1 postfix_etc_t:file read_file_perms;
+ allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified object in postfix
+## etc directories with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`postfix_config_filetrans',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write postfix local delivery
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write postfix local pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read postfix local process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_local_state',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 postfix_local_t:dir list_dir_perms;
+ allow $1 postfix_local_t:file read_file_perms;
+ allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write inherited postfix master pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+ allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+')
+
+########################################
+## <summary>
+## Read postfix master process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_master_state',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 postfix_master_t:dir list_dir_perms;
+ allow $1 postfix_master_t:file read_file_perms;
+ allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Use postfix master file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_use_fds_master',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## postfix master process file
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_use_fds',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute postfix_map in the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_map',`
+ gen_require(`
+ type postfix_map_t, postfix_map_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
+')
+
+########################################
+## <summary>
+## Execute postfix map in the postfix
+## map domain, and allow the specified
+## role the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_map',`
+ gen_require(`
+ attribute_role postfix_map_roles;
+ ')
+
+ postfix_domtrans_map($1)
+ roleattribute $2 postfix_map_roles;
+')
+
+########################################
+## <summary>
+## Execute the master postfix program
+## in the postfix_master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_master',`
+ gen_require(`
+ type postfix_master_t, postfix_master_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, postfix_master_exec_t)
+')
+
+#######################################
+## <summary>
+## Connect to postfix master process
+## using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_stream_connect_master',`
+ gen_require(`
+ type postfix_master_t, postfix_public_t;
+ ')
+
+ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+## <summary>
+## Execute the master postqueue in the
+## postfix postqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+#######################################
+## <summary>
+## Execute postfix postqueue in
+## the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, postfix_postqueue_exec_t)
+')
+
+########################################
+## <summary>
+## Create postfix private sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_create_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## postfix private sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## Execute the smtp postfix program
+## in the postfix smtp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_smtp',`
+ gen_require(`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
+')
+
+########################################
+## <summary>
+## Get attributes of all postfix mail
+## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_getattr_all_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
+ ')
+
+ files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+########################################
+## <summary>
+## Search postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_search_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 postfix_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_list_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 postfix_spool_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Execute postfix user mail programs
+## in their respective domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_user_mail_handler',`
+ gen_require(`
+ attribute postfix_user_domtrans;
+ ')
+
+ typeattribute $1 postfix_user_domtrans;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an postfix environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_admin',`
+ gen_require(`
+ attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
+ type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+ type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
+ type postfix_keytab_t;
+ ')
+
+ allow $1 postfix_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_domain)
+
+ init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+
+ files_search_spool($1)
+ admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+
+ files_search_var_lib($1)
+ admin_pattern($1, postfix_data_t)
+
+ files_search_pids($1)
+ admin_pattern($1, postfix_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+
+ postfix_exec_master($1)
+ postfix_exec_postqueue($1)
+ postfix_stream_connect_master($1)
+ postfix_run_map($1, $2)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type postfix_showq_exec_t;
+ type postfix_master_exec_t;
+ type postfix_postqueue_t;
+ ')
+
+ allow postfix_postqueue_t $1:process sigchld;
+
+ can_exec($1, postfix_showq_exec_t)
+
+ # Postfix admin must be able to execute postfix main (for instance for "postfix reload")
+ can_exec($1, postfix_master_exec_t)
+
+ # Allow postfix admin to send message to log files, needed during operations like "postfix reload"
+ logging_send_syslog_msg($1)
+
+ # Reloading the system through postfix reload needs a few permissions
+ # "postfix: fatal: socket: Permission denied"
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ # "postfix: fatal: inet_addr_local[getifaddrs]: getifaddrs: Permission denied"
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+ # "postsuper: fatal: setuid(207): Operation not permitted"
+ allow $1 self:capability { setuid setgid };
+ ')
+')
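Review bot: The `distro_gentoo` block at the end of `postfix_admin` grants the calling domain `self:capability { setuid setgid }` outright, so whatever domain is passed as `$1` gains the ability to change its own UID/GID for everything it runs, not just while executing postsuper; the comment above it only records the denial being silenced, not this widening. Because `postsuper` is labeled `postfix_master_exec_t` in the .fc hunk and the interface already calls `postfix_exec_master($1)` earlier in the same body, the `can_exec($1, postfix_master_exec_t)` in the Gentoo block is redundant and can be dropped. If the capability grant is kept, I would document it explicitly: `# NOTE: grants the admin domain itself setuid/setgid (postsuper presumably drops to the postfix uid in the caller's context), a wider privilege than the postfix domains get`. Separately, the second banner inside `postfix_server_domain_template` reads `# Declarations` where it introduces the tmp-file rules and domtrans, and should read `# Policy` like the sibling templates.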
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
new file mode 100644
index 000000000..03843a2a0
--- /dev/null
+++ b/policy/modules/services/postfix.te
@@ -0,0 +1,847 @@
+policy_module(postfix, 1.19.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether postfix local
+## can manage mail spool content.
+## </p>
+## </desc>
+gen_tunable(postfix_local_write_mail_spool, true)
+
+attribute postfix_domain;
+attribute postfix_server_domain;
+attribute postfix_server_tmp_content;
+attribute postfix_spool_type;
+attribute postfix_user_domains;
+attribute postfix_user_domtrans;
+
+attribute_role postfix_map_roles;
+roleattribute system_r postfix_map_roles;
+
+postfix_server_domain_template(bounce)
+
+type postfix_spool_bounce_t, postfix_spool_type;
+files_type(postfix_spool_bounce_t)
+
+postfix_server_domain_template(cleanup)
+
+type postfix_etc_t;
+files_config_file(postfix_etc_t)
+
+type postfix_exec_t;
+application_executable_file(postfix_exec_t)
+
+type postfix_keytab_t;
+files_type(postfix_keytab_t)
+
+postfix_server_domain_template(local)
+mta_mailserver_delivery(postfix_local_t)
+
+type postfix_map_t;
+type postfix_map_exec_t;
+application_domain(postfix_map_t, postfix_map_exec_t)
+role postfix_map_roles types postfix_map_t;
+
+type postfix_map_tmp_t;
+files_tmp_file(postfix_map_tmp_t)
+
+postfix_domain_template(master)
+typealias postfix_master_t alias postfix_t;
+mta_mailserver(postfix_t, postfix_master_exec_t)
+
+type postfix_initrc_exec_t;
+init_script_file(postfix_initrc_exec_t)
+
+postfix_server_domain_template(pickup)
+
+postfix_server_domain_template(pipe)
+
+postfix_user_domain_template(postdrop)
+mta_mailserver_user_agent(postfix_postdrop_t)
+
+postfix_user_domain_template(postqueue)
+mta_mailserver_user_agent(postfix_postqueue_t)
+
+type postfix_private_t;
+files_type(postfix_private_t)
+
+type postfix_prng_t;
+files_type(postfix_prng_t)
+
+postfix_server_domain_template(qmgr)
+
+postfix_user_domain_template(showq)
+
+postfix_server_domain_template(smtp)
+mta_mailserver_sender(postfix_smtp_t)
+
+postfix_server_domain_template(smtpd)
+
+type postfix_spool_t, postfix_spool_type;
+files_type(postfix_spool_t)
+
+type postfix_spool_maildrop_t, postfix_spool_type;
+files_type(postfix_spool_maildrop_t)
+
+type postfix_spool_flush_t, postfix_spool_type;
+files_type(postfix_spool_flush_t)
+
+type postfix_public_t;
+files_type(postfix_public_t)
+
+type postfix_var_run_t;
+files_pid_file(postfix_var_run_t)
+
+type postfix_data_t;
+files_type(postfix_data_t)
+
+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+########################################
+#
+# Common postfix domain local policy
+#
+
+allow postfix_domain self:capability { sys_chroot sys_nice };
+dontaudit postfix_domain self:capability sys_tty_config;
+allow postfix_domain self:process { signal_perms setpgid setsched };
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+allow postfix_domain self:unix_stream_socket { accept connectto listen };
+
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
+allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
+
+allow postfix_domain postfix_master_t:file read_file_perms;
+
+allow postfix_domain postfix_exec_t:file { mmap_exec_file_perms lock };
+
+allow postfix_domain postfix_master_t:process sigchld;
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_system_state(postfix_domain)
+kernel_read_network_state(postfix_domain)
+kernel_read_all_sysctls(postfix_domain)
+
+dev_read_sysfs(postfix_domain)
+dev_read_rand(postfix_domain)
+dev_read_urand(postfix_domain)
+
+fs_search_auto_mountpoints(postfix_domain)
+fs_getattr_all_fs(postfix_domain)
+fs_rw_anon_inodefs_files(postfix_domain)
+
+term_dontaudit_use_console(postfix_domain)
+
+corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_files(postfix_domain)
+files_search_spool(postfix_domain)
+files_getattr_tmp_dirs(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
+init_sigchld(postfix_domain)
+
+logging_send_syslog_msg(postfix_domain)
+
+miscfiles_read_localization(postfix_domain)
+miscfiles_read_generic_certs(postfix_domain)
+miscfiles_read_generic_tls_privkey(postfix_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
+ udev_read_db(postfix_domain)
+')
+
+########################################
+#
+# Common postfix server domain local policy
+#
+
+allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
+
+allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+corenet_all_recvfrom_unlabeled(postfix_server_domain)
+corenet_all_recvfrom_netlabel(postfix_server_domain)
+corenet_tcp_sendrecv_generic_if(postfix_server_domain)
+corenet_tcp_sendrecv_generic_node(postfix_server_domain)
+
+corenet_sendrecv_all_client_packets(postfix_server_domain)
+corenet_tcp_connect_all_ports(postfix_server_domain)
+corenet_tcp_sendrecv_all_ports(postfix_server_domain)
+
+########################################
+#
+# Common postfix user domain local policy
+#
+
+allow postfix_user_domains self:capability { dac_read_search dac_override };
+
+domain_use_interactive_fds(postfix_user_domains)
+
+########################################
+#
+# Master local policy
+#
+
+allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
+allow postfix_master_t self:capability2 block_suspend;
+allow postfix_master_t self:process setrlimit;
+allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+allow postfix_master_t self:udp_socket create_socket_perms;
+
+allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
+allow postfix_master_t postfix_domain:process signal;
+
+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
+allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+allow postfix_master_t postfix_keytab_t:file read_file_perms;
+
+allow postfix_master_t postfix_map_exec_t:file { mmap_exec_file_perms ioctl lock };
+
+allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
+manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
+
+manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
+delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
+setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+
+can_exec(postfix_master_t, postfix_exec_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
+corenet_tcp_sendrecv_generic_if(postfix_master_t)
+corenet_udp_sendrecv_generic_if(postfix_master_t)
+corenet_tcp_sendrecv_generic_node(postfix_master_t)
+corenet_udp_sendrecv_generic_node(postfix_master_t)
+corenet_tcp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_tcp_bind_smtp_port(postfix_master_t)
+
+corenet_sendrecv_spamd_server_packets(postfix_master_t)
+corenet_tcp_bind_spamd_port(postfix_master_t)
+
+corenet_sendrecv_all_client_packets(postfix_master_t)
+corenet_tcp_connect_all_ports(postfix_master_t)
+
+# Can this be conditional?
+corenet_sendrecv_all_server_packets(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
+
+selinux_dontaudit_search_fs(postfix_master_t)
+
+corecmd_exec_bin(postfix_master_t)
+
+domain_use_interactive_fds(postfix_master_t)
+
+files_search_tmp(postfix_master_t)
+
+mcs_file_read_all(postfix_master_t)
+
+term_dontaudit_search_ptys(postfix_master_t)
+
+hostname_exec(postfix_master_t)
+
+miscfiles_read_man_pages(postfix_master_t)
+
+seutil_sigchld_newrole(postfix_master_t)
+seutil_dontaudit_search_config(postfix_master_t)
+
+mta_manage_aliases(postfix_master_t)
+mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
+mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
+mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
+
+optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(postfix_master_t)
+ kerberos_use(postfix_master_t)
+')
+
+optional_policy(`
+ mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
+ sendmail_signal(postfix_master_t)
+')
+
+########################################
+#
+# Bounce local policy
+#
+
+allow postfix_bounce_t self:capability dac_read_search;
+
+write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+
+########################################
+#
+# Cleanup local policy
+#
+
+allow postfix_cleanup_t self:process setrlimit;
+
+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+
+manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+corecmd_exec_bin(postfix_cleanup_t)
+
+corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
+corenet_tcp_connect_kismet_port(postfix_cleanup_t)
+corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
+
+mta_read_aliases(postfix_cleanup_t)
+mta_map_aliases(postfix_cleanup_t)
+
+optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
+########################################
+#
+# Local local policy
+#
+
+allow postfix_local_t self:capability chown;
+allow postfix_local_t self:process setrlimit;
+
+stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+corecmd_exec_bin(postfix_local_t)
+
+logging_dontaudit_search_logs(postfix_local_t)
+
+mta_delete_spool(postfix_local_t)
+mta_read_aliases(postfix_local_t)
+mta_map_aliases(postfix_local_t)
+mta_read_config(postfix_local_t)
+mta_send_mail(postfix_local_t)
+
+tunable_policy(`postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
+')
+
+optional_policy(`
+ clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_local_t)
+')
+
+optional_policy(`
+ dspam_domtrans(postfix_local_t)
+')
+
+optional_policy(`
+ mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ nagios_search_spool(postfix_local_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_local_t)
+')
+
+optional_policy(`
+ sendmail_rw_pipes(postfix_local_t)
+')
+
+optional_policy(`
+ zarafa_domtrans_deliver(postfix_local_t)
+ zarafa_stream_connect_server(postfix_local_t)
+')
+
+########################################
+#
+# Map local policy
+#
+
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
+allow postfix_map_t self:tcp_socket { accept listen };
+
+allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
+allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
+
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
+corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_tcp_sendrecv_generic_node(postfix_map_t)
+
+corenet_sendrecv_all_client_packets(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_tcp_sendrecv_all_ports(postfix_map_t)
+
+corecmd_list_bin(postfix_map_t)
+corecmd_read_bin_files(postfix_map_t)
+corecmd_read_bin_pipes(postfix_map_t)
+corecmd_read_bin_sockets(postfix_map_t)
+
+files_list_home(postfix_map_t)
+files_read_usr_files(postfix_map_t)
+files_read_etc_runtime_files(postfix_map_t)
+files_dontaudit_search_var(postfix_map_t)
+
+auth_use_nsswitch(postfix_map_t)
+
+logging_send_syslog_msg(postfix_map_t)
+
+miscfiles_read_localization(postfix_map_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+')
+
+optional_policy(`
+ mailman_manage_data_files(postfix_map_t)
+')
+
+########################################
+#
+# Pickup local policy
+#
+
+stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+
+allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+mcs_file_read_all(postfix_pickup_t)
+mcs_file_write_all(postfix_pickup_t)
+
+########################################
+#
+# Pipe local policy
+#
+
+allow postfix_pipe_t self:process setrlimit;
+
+write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+corecmd_exec_bin(postfix_pipe_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+ mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(postfix_pipe_t)
+')
+
+########################################
+#
+# Postdrop local policy
+#
+
+allow postfix_postdrop_t self:capability sys_resource;
+
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+mcs_file_read_all(postfix_postdrop_t)
+mcs_file_write_all(postfix_postdrop_t)
+
+term_dontaudit_use_all_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_ttys(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+
+optional_policy(`
+ apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+')
+
+optional_policy(`
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+')
+
+optional_policy(`
+ fail2ban_dontaudit_use_fds(postfix_postdrop_t)
+')
+
+optional_policy(`
+ fstools_read_pipes(postfix_postdrop_t)
+')
+
+optional_policy(`
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
+')
+
+#######################################
+#
+# Postqueue local policy
+#
+
+stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+
+term_use_all_ptys(postfix_postqueue_t)
+term_use_all_ttys(postfix_postqueue_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
+
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
+########################################
+#
+# Qmgr local policy
+#
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+corecmd_exec_bin(postfix_qmgr_t)
+
+########################################
+#
+# Showq local policy
+#
+
+allow postfix_showq_t self:capability { setgid setuid };
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+mcs_file_read_all(postfix_showq_t)
+
+term_use_all_ptys(postfix_showq_t)
+term_use_all_ttys(postfix_showq_t)
+
+########################################
+#
+# Smtp delivery local policy
+#
+
+allow postfix_smtp_t self:capability sys_chroot;
+
+stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
+
+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+corenet_tcp_bind_generic_node(postfix_smtp_t)
+
+optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ dovecot_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ dspam_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+')
+
+########################################
+#
+# Smtpd local policy
+#
+
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
+
+corecmd_exec_bin(postfix_smtpd_t)
+
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
+mta_read_aliases(postfix_smtpd_t)
+mta_map_aliases(postfix_smtpd_t)
+
+optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+ dovecot_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(postfix_smtpd_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
+')
+
+optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ sasl_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_pid_files(postfix_smtpd_t)
+ spamassassin_stream_connect_spamd(postfix_smtpd_t)
+')
+
+########################################
+#
+# Virtual local policy
+#
+
+allow postfix_virtual_t self:process setrlimit;
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+corecmd_exec_bin(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_map_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
+
+userdom_user_content_access_template(postfix, postfix_virtual_t)
+
+ifdef(`distro_gentoo',`
+ #####################################
+ #
+ # Local postfix postdrop policy
+ #
+
+ rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ #####################################
+ #
+ # Local postmap policy
+ #
+
+ # Bug #549566
+ domain_use_interactive_fds(postfix_map_t)
+ userdom_use_user_terminals(postfix_map_t)
+')
diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc
new file mode 100644
index 000000000..a8fb9f8c6
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.fc
@@ -0,0 +1,9 @@
+/etc/policyd\.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t,s0)
+
+/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+
+/usr/bin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
+
+/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
+
+/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0)
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
new file mode 100644
index 000000000..e462ac04c
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.if
@@ -0,0 +1,36 @@
+## <summary>Postfix policy server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postfixpolicyd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_policyd_t)
+
+ init_startstop_service($1, $2, postfix_policyd_t, postfix_policyd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_policyd_conf_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postfix_policyd_var_run_t)
+')
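Review bot: postfixpolicyd_admin does not cover postfix_policyd_tmp_t, so a role granted this interface can administer the config and pid files but not the daemon's temp files and sockets, unlike ppp_admin in the same commit, which pairs `files_list_tmp($1)` with `admin_pattern($1, pppd_tmp_t)`. Add `type postfix_policyd_tmp_t;` to the gen_require block and, after the pid rules, `files_list_tmp($1)` and `admin_pattern($1, postfix_policyd_tmp_t)` so the admin role can clean up after the daemon.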
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
new file mode 100644
index 000000000..78e565bed
--- /dev/null
+++ b/policy/modules/services/postfixpolicyd.te
@@ -0,0 +1,69 @@
+policy_module(postfixpolicyd, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type postfix_policyd_t;
+type postfix_policyd_exec_t;
+init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+
+type postfix_policyd_conf_t;
+files_config_file(postfix_policyd_conf_t)
+
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
+type postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
+allow postfix_policyd_t self:tcp_socket { accept listen };
+
+allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
+corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+corenet_tcp_bind_generic_node(postfix_policyd_t)
+
+corenet_sendrecv_postfix_policyd_server_packets(postfix_policyd_t)
+corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+corenet_tcp_sendrecv_postfix_policyd_port(postfix_policyd_t)
+
+corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
+corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+
+dev_read_urand(postfix_policyd_t)
+
+files_read_etc_files(postfix_policyd_t)
+files_read_usr_files(postfix_policyd_t)
+
+logging_send_syslog_msg(postfix_policyd_t)
+
+miscfiles_read_localization(postfix_policyd_t)
+
+sysnet_dns_name_resolve(postfix_policyd_t)
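Review bot: The MySQL rules at the end of the networking block grant `corenet_tcp_bind_mysqld_port` and server-packet labels, which let postfix_policyd_t listen on the mysqld port rather than connect to it; if policyd only talks to MySQL as a client, least privilege is `corenet_sendrecv_mysqld_client_packets(postfix_policyd_t)` and `corenet_tcp_connect_mysqld_port(postfix_policyd_t)` with the bind line dropped, which also stops a compromised policy daemon from squatting the database port. Separately, `postfix_policyd_tmp_t` is declared with plain `files_type` while ppp.te in the same commit uses `files_tmp_file(pppd_tmp_t)`; without the tmp-file attribute this type is missed by the generic tmp-handling interfaces, so `files_tmp_file(postfix_policyd_tmp_t)` is the consistent declaration. The client/server direction is inferred from the interface names, so confirm against policyd's actual socket usage before changing it.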
diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc
new file mode 100644
index 000000000..076987a60
--- /dev/null
+++ b/policy/modules/services/postgrey.fc
@@ -0,0 +1,14 @@
+/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
+
+/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
+/usr/bin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
new file mode 100644
index 000000000..d63198e92
--- /dev/null
+++ b/policy/modules/services/postgrey.if
@@ -0,0 +1,83 @@
+## <summary>Postfix grey-listing server.</summary>
+
+########################################
+## <summary>
+## Connect to postgrey using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+ files_search_pids($1)
+ files_search_spool($1)
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
+')
+
+########################################
+## <summary>
+## Search spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+ gen_require(`
+ type postgrey_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an postgrey environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+ gen_require(`
+ type postgrey_t, postgrey_etc_t, postgrey_spool_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+ type postgrey_initrc_exec_t;
+ ')
+
+ allow $1 postgrey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgrey_t)
+
+ init_startstop_service($1, $2, postgrey_t, postgrey_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, postgrey_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, postgrey_var_lib_t)
+
+ files_list_spool($1)
+ admin_pattern($1, postgrey_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postgrey_var_run_t)
+')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
new file mode 100644
index 000000000..70aaf77eb
--- /dev/null
+++ b/policy/modules/services/postgrey.te
@@ -0,0 +1,110 @@
+policy_module(postgrey, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type postgrey_t;
+type postgrey_exec_t;
+init_daemon_domain(postgrey_t, postgrey_exec_t)
+
+type postgrey_etc_t;
+files_config_file(postgrey_etc_t)
+
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
+type postgrey_var_lib_t;
+files_type(postgrey_var_lib_t)
+
+type postgrey_var_run_t;
+files_pid_file(postgrey_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postgrey_t self:capability { chown dac_override setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+allow postgrey_t self:process signal_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
+allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
+
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+allow postgrey_t postgrey_etc_t:file read_file_perms;
+allow postgrey_t postgrey_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
+manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+
+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(postgrey_t)
+kernel_read_kernel_sysctls(postgrey_t)
+
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
+
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
+corenet_tcp_sendrecv_generic_if(postgrey_t)
+corenet_tcp_sendrecv_generic_node(postgrey_t)
+corenet_tcp_bind_generic_node(postgrey_t)
+
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
+corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_tcp_sendrecv_postgrey_port(postgrey_t)
+
+dev_read_urand(postgrey_t)
+dev_read_sysfs(postgrey_t)
+
+domain_use_interactive_fds(postgrey_t)
+
+files_read_etc_files(postgrey_t)
+files_read_etc_runtime_files(postgrey_t)
+files_read_usr_files(postgrey_t)
+files_getattr_tmp_dirs(postgrey_t)
+
+fs_getattr_all_fs(postgrey_t)
+fs_search_auto_mountpoints(postgrey_t)
+
+logging_send_syslog_msg(postgrey_t)
+
+miscfiles_read_localization(postgrey_t)
+
+sysnet_read_config(postgrey_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
+
+optional_policy(`
+ nis_use_ypbind(postgrey_t)
+')
+
+optional_policy(`
+ postfix_read_config(postgrey_t)
+ postfix_manage_spool_files(postgrey_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+')
+
+optional_policy(`
+ udev_read_db(postgrey_t)
+')
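Review bot: `postfix_manage_spool_files(postgrey_t)` in the optional postfix block grants the greylisting daemon create, write and delete access over Postfix's own spool files, although its socket directory /var/spool/postfix/postgrey carries the dedicated postgrey_spool_t label (postgrey.fc in this commit) that this domain already manages in full. If the rule exists only to traverse /var/spool/postfix to reach that directory, a search-level postfix spool interface is sufficient and keeps a compromised postgrey from tampering with queued mail; if write access to Postfix's spool is genuinely needed, a comment naming the path that requires it would help the next reviewer. The block is also a good place to add `postfix_search_spool`-style access only, if such an interface is available in the postfix module, rather than the manage variant.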
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
new file mode 100644
index 000000000..67de5b3e1
--- /dev/null
+++ b/policy/modules/services/ppp.fc
@@ -0,0 +1,35 @@
+HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
+
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+
+/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
+
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
+
+/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
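Review bot: The log entries label only files: `/var/log/ppp/.* --` covers the contents of /var/log/ppp but not the directory itself, whereas the lock and run entries use the `(/.*)?` form that labels the directory as well. Unless ppp.te (whose body runs past this view) carries a filetrans for creating files there, a /var/log/ppp directory left with the generic log label presumably means new log files created by pppd will not get pppd_log_t and the pppd_log_t rules will not apply to them. Labelling the directory with `/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)` would match the lock and run entries.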
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
new file mode 100644
index 000000000..070e565ce
--- /dev/null
+++ b/policy/modules/services/ppp.if
@@ -0,0 +1,487 @@
+## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## ppp home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_manage_home_files',`
+ gen_require(`
+ type ppp_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read ppp user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_home_files',`
+ gen_require(`
+ type ppp_home_t;
+
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel ppp home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_relabel_home_files',`
+ gen_require(`
+ type ppp_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 ppp_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the ppp home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`ppp_home_filetrans_ppp_home',`
+ gen_require(`
+ type ppp_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Inherit and use ppp file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## and use ppp file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ppp_dontaudit_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to ppp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send kill signals to ppp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to ppp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signal',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to ppp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signull',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute pppd in the pppd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_domtrans',`
+ gen_require(`
+ type pppd_t, pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
+')
+
+########################################
+## <summary>
+## Conditionally execute pppd on
+## behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run_cond',`
+ gen_require(`
+ attribute_role pppd_roles;
+ ')
+
+ roleattribute $2 pppd_roles;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
+')
+
+########################################
+## <summary>
+## Unconditionally execute ppp daemon
+## on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run',`
+ gen_require(`
+ attribute_role pppd_roles;
+ ')
+
+ ppp_domtrans($1)
+ roleattribute $2 pppd_roles;
+')
+
+########################################
+## <summary>
+## Execute domain in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_exec',`
+ gen_require(`
+ type pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pppd_exec_t)
+')
+
+########################################
+## <summary>
+## Read ppp configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_config',`
+ gen_require(`
+ type pppd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+')
+
+########################################
+## <summary>
+## Read ppp writable configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_rw_config',`
+ gen_require(`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file read_file_perms;
+ allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read ppp secret files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_secrets',`
+ gen_require(`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file read_file_perms;
+ allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read ppp pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pppd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## ppp pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_manage_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified pppd pid objects
+## with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`ppp_pid_filetrans',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Execute pppd init script in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_initrc_domtrans',`
+ gen_require(`
+ type pppd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ppp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+ type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
+ type pppd_var_run_t, pppd_initrc_exec_t;
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+ ')
+
+ allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { pptp_t pppd_t })
+
+ init_startstop_service($1, $2, pppd_t, pppd_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, pppd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, { pptp_log_t pppd_log_t })
+
+ files_list_locks($1)
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
+
+ files_list_pids($1)
+ admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+')
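Review bot: ppp_read_config documents itself as reading ppp configuration files but only grants `read_files_pattern($1, pppd_etc_t, pppd_etc_t)`, and ppp.fc in this commit labels just the /etc/ppp directory pppd_etc_t (`-d`) while every regular file beneath it gets pppd_etc_rw_t or pppd_secret_t, so as labeled a caller of this interface appears to end up with directory search and no readable file. Either the summary should say `## Search the ppp configuration directory.` and callers needing file content be pointed at ppp_read_rw_config, or the file-context split is the unintended part and should be fixed there. The duplicated `#` line before ppp_kill is a cosmetic nit.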
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
new file mode 100644
index 000000000..d5c80292a
--- /dev/null
+++ b/policy/modules/services/ppp.te
@@ -0,0 +1,325 @@
+policy_module(ppp, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether pppd can
+## load kernel modules.
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod, false)
+
+## <desc>
+## <p>
+## Determine whether common users can
+## run pppd with a domain transition.
+## </p>
+## </desc>
+gen_tunable(pppd_for_user, false)
+
+attribute_role pppd_roles;
+attribute_role pptp_roles;
+
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t, pppd_exec_t)
+role pppd_roles types pppd_t;
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
+
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_initrc_exec_t alias pppd_script_exec_t;
+init_script_file(pppd_initrc_exec_t)
+
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_unit_t;
+init_unit_file(pppd_unit_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t, pptp_exec_t)
+role pptp_roles types pptp_t;
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+type ppp_home_t;
+userdom_user_home_content(ppp_home_t)
+
+########################################
+#
+# PPPD local policy
+#
+
+allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice };
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process { getsched setsched signal };
+allow pppd_t self:fifo_file rw_fifo_file_perms;
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:netlink_route_socket nlmsg_write;
+allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:packet_socket create_socket_perms;
+
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+allow pppd_t pppd_lock_t:file manage_file_perms;
+files_lock_filetrans(pppd_t, pppd_lock_t, file)
+
+allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(pppd_t, pppd_log_t, file)
+
+manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
+
+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+
+can_exec(pppd_t, pppd_exec_t)
+
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pptp_t:process signal;
+
+allow pppd_t pppd_secret_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(pppd_t)
+kernel_read_system_state(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_request_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
+
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
+corenet_tcp_sendrecv_generic_if(pppd_t)
+corenet_raw_sendrecv_generic_if(pppd_t)
+corenet_udp_sendrecv_generic_if(pppd_t)
+corenet_tcp_sendrecv_generic_node(pppd_t)
+corenet_raw_sendrecv_generic_node(pppd_t)
+corenet_udp_sendrecv_generic_node(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+
+corenet_rw_ppp_dev(pppd_t)
+
+corecmd_exec_bin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_interactive_fds(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_manage_etc_runtime_files(pppd_t)
+files_dontaudit_write_etc_files(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
+
+init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
+init_read_utmp(pppd_t)
+init_signal_script(pppd_t)
+init_dontaudit_write_utmp(pppd_t)
+
+auth_run_chk_passwd(pppd_t, pppd_roles)
+auth_use_nsswitch(pppd_t)
+auth_write_login_records(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+logging_send_audit_msgs(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+sysnet_etc_filetrans_config(pppd_t)
+
+userdom_use_user_terminals(pppd_t)
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
+
+optional_policy(`
+ ddclient_run(pppd_t, pppd_roles)
+')
+
+optional_policy(`
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
+ l2tpd_stream_connect(pppd_t)
+')
+
+optional_policy(`
+ tunable_policy(`pppd_can_insmod',`
+ modutils_domtrans(pppd_t)
+ ')
+')
+
+optional_policy(`
+ mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
+')
+
+optional_policy(`
+ networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(pppd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`
+ udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP local policy
+#
+
+allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw };
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:process signal;
+allow pptp_t self:fifo_file rw_fifo_file_perms;
+allow pptp_t self:unix_stream_socket { accept connectto listen };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket nlmsg_write;
+
+allow pptp_t pppd_etc_t:dir list_dir_perms;
+allow pptp_t pppd_etc_t:file read_file_perms;
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+allow pptp_t pppd_etc_rw_t:file read_file_perms;
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+
+allow pptp_t pppd_log_t:file append_file_perms;
+
+allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(pptp_t, pptp_log_t, file)
+
+manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+
+can_exec(pptp_t, pppd_etc_rw_t)
+
+kernel_read_kernel_sysctls(pptp_t)
+kernel_read_network_state(pptp_t)
+kernel_read_system_state(pptp_t)
+kernel_signal(pptp_t)
+
+corecmd_exec_shell(pptp_t)
+
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
+corenet_tcp_sendrecv_generic_if(pptp_t)
+corenet_raw_sendrecv_generic_if(pptp_t)
+corenet_tcp_sendrecv_generic_node(pptp_t)
+corenet_raw_sendrecv_generic_node(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
+
+corenet_sendrecv_pptp_client_packets(pptp_t)
+corenet_tcp_connect_pptp_port(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+domain_use_interactive_fds(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_ioctl_generic_ptys(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+auth_use_nsswitch(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_exec_ifconfig(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
+userdom_signal_unpriv_users(pptp_t)
+
+optional_policy(`
+ consoletype_exec(pppd_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(pptp_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`
+ udev_read_db(pptp_t)
+')
+
+optional_policy(`
+ postfix_read_config(pppd_t)
+')
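Review bot: The `pppd_can_insmod` tunable description at the top of the file reads as if it gates all module loading, but `kernel_request_load_module(pppd_t)` is granted unconditionally further down, so pppd can always trigger kernel autoload via request_module; the boolean only gates the explicit modutils domain transition. I'd reword the desc to `Determine whether pppd can execute modprobe/insmod directly; kernel module autoload (request_module) is always permitted.` so an admin does not assume the default denies module loading. Separately, the optional_policy blocks for pppd_t near the end (consoletype_exec, dbus_system_domain, postfix_read_config) sit under the "PPTP local policy" header and belong in the PPPD section. The `can_exec(pptp_t, pppd_etc_rw_t)` rule also deserves a comment: pppd_t can create and write files of that type via manage_files_pattern, so this is a case of one domain executing content another domain writes, and the comment should name which scripts it is meant for (presumably pptp helper scripts under /etc/ppp — confirm against the .fc, which is outside this hunk).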
diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
new file mode 100644
index 000000000..ca48c9823
--- /dev/null
+++ b/policy/modules/services/prelude.fc
@@ -0,0 +1,24 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
+/usr/bin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+
+/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+
+/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
new file mode 100644
index 000000000..ceef90f2c
--- /dev/null
+++ b/policy/modules/services/prelude.if
@@ -0,0 +1,145 @@
+## <summary>Prelude hybrid intrusion detection system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans',`
+ gen_require(`
+ type prelude_t, prelude_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelude_exec_t, prelude_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run prelude audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans_audisp',`
+ gen_require(`
+ type prelude_audisp_t, prelude_audisp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to prelude audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_signal_audisp',`
+ gen_require(`
+ type prelude_audisp_t;
+ ')
+
+ allow $1 prelude_audisp_t:process signal;
+')
+
+########################################
+## <summary>
+## Read prelude spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelude manager spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an prelude environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelude_admin',`
+ gen_require(`
+ type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_correlator_t;
+ ')
+
+ allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+
+ init_startstop_service($1, $2, prelude_t, prelude_initrc_exec_t)
+
+ files_search_spool($1)
+ admin_pattern($1, prelude_spool_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, prelude_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, prelude_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, prelude_lml_tmp_t)
+')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
new file mode 100644
index 000000000..187cac128
--- /dev/null
+++ b/policy/modules/services/prelude.te
@@ -0,0 +1,304 @@
+policy_module(prelude, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type prelude_t;
+type prelude_exec_t;
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
+type prelude_audisp_t;
+type prelude_audisp_exec_t;
+init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
+type prelude_audisp_var_run_t;
+files_pid_file(prelude_audisp_var_run_t)
+
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
+########################################
+#
+# Prelude local policy
+#
+
+allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:fifo_file rw_fifo_file_perms;
+allow prelude_t self:unix_stream_socket { accept listen };
+allow prelude_t self:tcp_socket { accept listen };
+
+allow prelude_t prelude_log_t:dir setattr_dir_perms;
+append_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+create_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+setattr_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
+manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
+
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
+corecmd_search_bin(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
+corenet_all_recvfrom_netlabel(prelude_t)
+corenet_tcp_sendrecv_generic_if(prelude_t)
+corenet_tcp_sendrecv_generic_node(prelude_t)
+corenet_tcp_bind_generic_node(prelude_t)
+
+corenet_sendrecv_prelude_server_packets(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_sendrecv_prelude_client_packets(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_sendrecv_prelude_port(prelude_t)
+
+dev_read_rand(prelude_t)
+dev_read_urand(prelude_t)
+
+files_read_etc_runtime_files(prelude_t)
+files_read_usr_files(prelude_t)
+files_search_spool(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
+
+auth_use_nsswitch(prelude_t)
+
+logging_send_audit_msgs(prelude_t)
+logging_send_syslog_msg(prelude_t)
+
+miscfiles_read_localization(prelude_t)
+
+optional_policy(`
+ mysql_stream_connect(prelude_t)
+ mysql_tcp_connect(prelude_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(prelude_t)
+ postgresql_tcp_connect(prelude_t)
+')
+
+########################################
+#
+# Audisp local policy
+#
+
+allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:process { getcap setcap };
+allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
+allow prelude_audisp_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+
+manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
+corecmd_search_bin(prelude_audisp_t)
+
+corenet_all_recvfrom_unlabeled(prelude_audisp_t)
+corenet_all_recvfrom_netlabel(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
+
+corenet_sendrecv_prelude_client_packets(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
+corenet_tcp_sendrecv_prelude_port(prelude_audisp_t)
+
+dev_read_rand(prelude_audisp_t)
+dev_read_urand(prelude_audisp_t)
+
+domain_use_interactive_fds(prelude_audisp_t)
+
+files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_spool(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
+
+logging_send_syslog_msg(prelude_audisp_t)
+
+miscfiles_read_localization(prelude_audisp_t)
+
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# Correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+
+corenet_sendrecv_prelude_client_packets(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+########################################
+#
+# Lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_all_recvfrom_unlabeled(prelude_lml_t)
+corenet_all_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+
+corenet_sendrecv_prelude_client_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+corenet_tcp_sendrecv_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_list_tmp(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+files_search_spool(prelude_lml_t)
+
+fs_getattr_all_fs(prelude_lml_t)
+fs_list_inotifyfs(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
+########################################
+#
+# Cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(prewikka)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
+
+ optional_policy(`
+ mysql_stream_connect(httpd_prewikka_script_t)
+ mysql_tcp_connect(httpd_prewikka_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_prewikka_script_t)
+ postgresql_tcp_connect(httpd_prewikka_script_t)
+ ')
+')
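Review bot: In the correlator section, `allow prelude_correlator_t self:tcp_socket { accept listen };` is granted but no bind permission appears anywhere for that domain (no `corenet_tcp_bind_generic_node` or port bind, unlike prelude_t which has both), so either the listen/accept rule is dead or the bind rules are missing; either way a comment or a fix is needed, e.g. `# correlator only connects out to prelude-manager; listen/accept kept for …` or adding the matching bind rules. The section header `# Lml local declarations` is mislabeled since it introduces rules, not declarations; it should read `# Lml local policy` like the other sections. The lml domain also gets `logging_read_generic_logs` and `userdom_read_all_users_state`, which is expected for a log monitor but worth a one-line comment explaining that lml tails arbitrary system logs so future readers do not narrow it.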
diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc
new file mode 100644
index 000000000..9feef4f7c
--- /dev/null
+++ b/policy/modules/services/privoxy.fc
@@ -0,0 +1,11 @@
+/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
+/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+
+/usr/bin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
+
+/run/privoxy\.pid -- gen_context(system_u:object_r:privoxy_var_run_t,s0)
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
new file mode 100644
index 000000000..a35e6eab7
--- /dev/null
+++ b/policy/modules/services/privoxy.if
@@ -0,0 +1,39 @@
+## <summary>Privacy enhancing web proxy.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an privoxy environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`privoxy_admin',`
+ gen_require(`
+ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+ allow $1 privoxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, privoxy_t)
+
+ init_startstop_service($1, $2, privoxy_t, privoxy_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, privoxy_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, privoxy_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, privoxy_var_run_t)
+')
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
new file mode 100644
index 000000000..8f6b50cbf
--- /dev/null
+++ b/policy/modules/services/privoxy.te
@@ -0,0 +1,116 @@
+policy_module(privoxy, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether privoxy can
+## connect to all tcp ports.
+## </p>
+## </desc>
+gen_tunable(privoxy_connect_any, false)
+
+type privoxy_t;
+type privoxy_exec_t;
+init_daemon_domain(privoxy_t, privoxy_exec_t)
+
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
+type privoxy_log_t;
+logging_log_file(privoxy_log_t)
+
+type privoxy_var_run_t;
+files_pid_file(privoxy_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow privoxy_t self:capability { setgid setuid };
+dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket { accept listen };
+
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
+allow privoxy_t privoxy_log_t:dir setattr_dir_perms;
+append_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
+create_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
+setattr_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
+logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+
+manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+kernel_read_kernel_sysctls(privoxy_t)
+kernel_read_network_state(privoxy_t)
+kernel_read_system_state(privoxy_t)
+
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
+corenet_tcp_sendrecv_generic_if(privoxy_t)
+corenet_tcp_sendrecv_generic_node(privoxy_t)
+corenet_tcp_bind_generic_node(privoxy_t)
+
+corenet_sendrecv_http_client_packets(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_sendrecv_http_port(privoxy_t)
+
+corenet_sendrecv_http_cache_server_packets(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
+corenet_tcp_sendrecv_http_cache_port(privoxy_t)
+
+corenet_sendrecv_squid_client_packets(privoxy_t)
+corenet_tcp_connect_squid_port(privoxy_t)
+corenet_tcp_sendrecv_squid_port(privoxy_t)
+
+corenet_sendrecv_ftp_client_packets(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_sendrecv_ftp_port(privoxy_t)
+
+corenet_sendrecv_pgpkeyserver_client_packets(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+corenet_tcp_sendrecv_pgpkeyserver_port(privoxy_t)
+
+corenet_sendrecv_tor_client_packets(privoxy_t)
+corenet_tcp_connect_tor_port(privoxy_t)
+corenet_tcp_sendrecv_tor_port(privoxy_t)
+
+dev_read_sysfs(privoxy_t)
+
+domain_use_interactive_fds(privoxy_t)
+
+fs_getattr_all_fs(privoxy_t)
+fs_search_auto_mountpoints(privoxy_t)
+
+auth_use_nsswitch(privoxy_t)
+
+logging_send_syslog_msg(privoxy_t)
+
+miscfiles_read_localization(privoxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+userdom_dontaudit_search_user_home_dirs(privoxy_t)
+
+tunable_policy(`privoxy_connect_any',`
+ corenet_sendrecv_all_client_packets(privoxy_t)
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_tcp_sendrecv_all_ports(privoxy_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(privoxy_t)
+')
+
+optional_policy(`
+ udev_read_db(privoxy_t)
+')
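Review bot: The `privoxy_connect_any` tunable description only states that privoxy may connect to all tcp ports; because privoxy is a forwarding web proxy (per the .if summary), enabling it lets any client that can reach the listener relay to every port the host can reach, which is the trade-off an admin actually weighs. I'd expand the desc to `Determine whether privoxy can connect to all tcp ports. Enabling this lets proxy clients reach any port the host can reach, not only the web/proxy/tor ports allowed by default.` No code change is needed.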
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
new file mode 100644
index 000000000..dac08916f
--- /dev/null
+++ b/policy/modules/services/procmail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
new file mode 100644
index 000000000..00edeab17
--- /dev/null
+++ b/policy/modules/services/procmail.if
@@ -0,0 +1,165 @@
+## <summary>Procmail mail delivery agent.</summary>
+
+########################################
+## <summary>
+## Execute procmail with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`procmail_domtrans',`
+ gen_require(`
+ type procmail_exec_t, procmail_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, procmail_exec_t, procmail_t)
+')
+
+########################################
+## <summary>
+## Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_exec',`
+ gen_require(`
+ type procmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, procmail_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## procmail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_manage_home_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 procmail_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read procmail user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_home_files',`
+ gen_require(`
+ type procmail_home_t;
+
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 procmail_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel procmail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_relabel_home_files',`
+ gen_require(`
+ type ppp_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 procmail_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the procmail home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`procmail_home_filetrans_procmail_home',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')
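Review bot: `procmail_relabel_home_files` has a copy-paste error in its gen_require: it requires `type ppp_home_t;` while the allow rule on the next lines references `procmail_home_t`, which is never required, so a caller module that does not already have procmail_home_t in scope will fail to build and the interface picks up a spurious dependency on the ppp module. The fix is to change the require to `type procmail_home_t;`. Also `procmail_read_home_files` has a stray blank line inside its gen_require block that should be dropped to match the other interfaces.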
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
new file mode 100644
index 000000000..deb10b388
--- /dev/null
+++ b/policy/modules/services/procmail.te
@@ -0,0 +1,152 @@
+policy_module(procmail, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type procmail_t;
+type procmail_exec_t;
+application_domain(procmail_t, procmail_exec_t)
+role system_r types procmail_t;
+
+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
+type procmail_log_t;
+logging_log_file(procmail_log_t)
+
+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice };
+allow procmail_t self:process { setsched signal signull };
+allow procmail_t self:fifo_file rw_fifo_file_perms;
+allow procmail_t self:tcp_socket { accept listen };
+
+allow procmail_t procmail_home_t:file read_file_perms;
+
+allow procmail_t procmail_log_t:dir setattr_dir_perms;
+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+
+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
+can_exec(procmail_t, procmail_exec_t)
+
+kernel_read_system_state(procmail_t)
+kernel_read_kernel_sysctls(procmail_t)
+
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
+corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_tcp_sendrecv_generic_node(procmail_t)
+
+corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
+corenet_tcp_sendrecv_spamd_port(procmail_t)
+
+corenet_sendrecv_comsat_client_packets(procmail_t)
+corenet_tcp_connect_comsat_port(procmail_t)
+corenet_tcp_sendrecv_comsat_port(procmail_t)
+
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+
+dev_read_urand(procmail_t)
+
+fs_getattr_all_fs(procmail_t)
+fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
+
+auth_use_nsswitch(procmail_t)
+
+files_read_etc_runtime_files(procmail_t)
+files_read_usr_files(procmail_t)
+
+logging_send_syslog_msg(procmail_t)
+
+miscfiles_read_localization(procmail_t)
+
+userdom_search_user_home_dirs(procmail_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(procmail_t)
+ fs_manage_nfs_files(procmail_t)
+ fs_manage_nfs_symlinks(procmail_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(procmail_t)
+ fs_manage_cifs_files(procmail_t)
+ fs_manage_cifs_symlinks(procmail_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+ clamav_search_lib(procmail_t)
+')
+
+optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(procmail_t)
+')
+
+optional_policy(`
+ mta_manage_spool(procmail_t)
+ mta_read_config(procmail_t)
+ mta_read_queue(procmail_t)
+ mta_manage_mail_home_rw_content(procmail_t)
+ mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(procmail_t)
+')
+
+optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
+optional_policy(`
+ postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
+ postfix_dontaudit_use_fds(procmail_t)
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
+ postfix_rw_inherited_master_pipes(procmail_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(procmail_t)
+ pyzor_signal(procmail_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(procmail_t)
+ sendmail_signal(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(procmail_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(procmail_t)
+ corenet_dontaudit_udp_bind_all_ports(procmail_t)
+
+ spamassassin_domtrans_local_client(procmail_t)
+ spamassassin_domtrans_client(procmail_t)
+ spamassassin_read_lib_files(procmail_t)
+')
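Review bot: The capability set on `allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice };` is undocumented, and dac_override in particular is a broad grant for a domain that also gets `corecmd_exec_shell` and, under the mta optional block, manage rights over user mail content. If it is only exercised while procmail still runs as root before switching to the recipient, that should be stated; otherwise it should be tried without. I would add above that line `# invoked as root by the MTA: setuid/setgid to become the recipient, chown/fsetid for mailbox ownership and the setgid mail-group bit; dac_override presumably covers pre-switch spool access -- TODO confirm it is still triggered`. The `allow procmail_t self:tcp_socket { accept listen };` rule is likewise unexplained: nothing in this file lets procmail_t bind a port, and self rules do not cover sockets inherited from the MTA, so a comment naming which mode of operation listens is needed or the rule should be dropped.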
diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc
new file mode 100644
index 000000000..d26a15b5f
--- /dev/null
+++ b/policy/modules/services/psad.fc
@@ -0,0 +1,13 @@
+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
+
+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+
+/usr/bin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
+
+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
+
+/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
new file mode 100644
index 000000000..6ad870342
--- /dev/null
+++ b/policy/modules/services/psad.if
@@ -0,0 +1,261 @@
+## <summary>Intrusion Detection and Log Analysis with iptables.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`psad_domtrans',`
+ gen_require(`
+ type psad_t, psad_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signal',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+## Send null signals to psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signull',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+## Read psad configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 psad_etc_t:dir list_dir_perms;
+ allow $1 psad_etc_t:file read_file_perms;
+ allow $1 psad_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## psad configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_manage_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 psad_etc_t:dir manage_dir_perms;
+ allow $1 psad_etc_t:file manage_file_perms;
+ allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read psad pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Read and write psad pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Read psad log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_read_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 psad_var_log_t:dir list_dir_perms;
+ allow $1 psad_var_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append psad log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_append_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+ gen_require(`
+ type psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write psad temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+ gen_require(`
+ type psad_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an psad environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+ gen_require(`
+ type psad_t, psad_var_run_t, psad_var_log_t;
+ type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_tmp_t, psad_etc_t;
+ ')
+
+ allow $1 psad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, psad_t)
+
+ init_startstop_service($1, $2, psad_t, psad_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+')
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
new file mode 100644
index 000000000..a18acb8c7
--- /dev/null
+++ b/policy/modules/services/psad.te
@@ -0,0 +1,102 @@
+policy_module(psad, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+type psad_etc_t;
+files_config_file(psad_etc_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow psad_t self:capability { dac_override net_admin net_raw setgid setuid };
+dontaudit psad_t self:capability sys_tty_config;
+allow psad_t self:process signal_perms;
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+allow psad_t psad_etc_t:dir list_dir_perms;
+allow psad_t psad_etc_t:file read_file_perms;
+allow psad_t psad_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+append_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+create_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+setattr_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_bin(psad_t)
+corecmd_exec_shell(psad_t)
+
+corenet_all_recvfrom_unlabeled(psad_t)
+corenet_all_recvfrom_netlabel(psad_t)
+corenet_tcp_sendrecv_generic_if(psad_t)
+corenet_tcp_sendrecv_generic_node(psad_t)
+
+corenet_sendrecv_whois_client_packets(psad_t)
+corenet_tcp_connect_whois_port(psad_t)
+corenet_tcp_sendrecv_whois_port(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+files_read_usr_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+sysnet_exec_ifconfig(psad_t)
+
+optional_policy(`
+ iptables_domtrans(psad_t)
+')
+
+optional_policy(`
+ mta_send_mail(psad_t)
+ mta_read_queue(psad_t)
+')
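Review bot: `allow psad_t self:capability { dac_override net_admin net_raw setgid setuid };` together with `allow psad_t self:rawip_socket create_socket_perms;` gives the log-analysis daemon itself network-configuration and raw-packet privileges, while the firewall changes are already separated into iptables_t via `iptables_domtrans(psad_t)` in the optional block. If net_admin/net_raw are exercised only by in-domain helpers such as the ifconfig run allowed by `sysnet_exec_ifconfig(psad_t)`, that is worth stating; if they are not triggered once iptables runs in its own domain they are candidates for removal. I would add above the capability line `# net_admin/net_raw and the raw socket are needed for <which psad feature>; firewall rule changes go through iptables_t -- TODO confirm both still trigger with iptables_domtrans present`. Similarly `mta_read_queue(psad_t)` is not obviously required for alert e-mail, since `mta_send_mail(psad_t)` already covers the sendmail transition, and deserves either a comment or removal.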
diff --git a/policy/modules/services/publicfile.fc b/policy/modules/services/publicfile.fc
new file mode 100644
index 000000000..68bd5f50b
--- /dev/null
+++ b/policy/modules/services/publicfile.fc
@@ -0,0 +1,6 @@
+/usr/bin/publicfile-ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/publicfile-httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0)
diff --git a/policy/modules/services/publicfile.if b/policy/modules/services/publicfile.if
new file mode 100644
index 000000000..f39eec612
--- /dev/null
+++ b/policy/modules/services/publicfile.if
@@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP.</summary>
diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te
new file mode 100644
index 000000000..3246befff
--- /dev/null
+++ b/policy/modules/services/publicfile.te
@@ -0,0 +1,34 @@
+policy_module(publicfile, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_daemon_domain(publicfile_t, publicfile_exec_t)
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+
+allow publicfile_t publicfile_content_t:dir list_dir_perms;
+allow publicfile_t publicfile_content_t:file read_file_perms;
+allow publicfile_t publicfile_content_t:lnk_file read_lnk_file_perms;
+
+files_search_var(publicfile_t)
+
+optional_policy(`
+ daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
diff --git a/policy/modules/services/pwauth.fc b/policy/modules/services/pwauth.fc
new file mode 100644
index 000000000..bef33518f
--- /dev/null
+++ b/policy/modules/services/pwauth.fc
@@ -0,0 +1,3 @@
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
+
+/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/policy/modules/services/pwauth.if b/policy/modules/services/pwauth.if
new file mode 100644
index 000000000..1148dce1a
--- /dev/null
+++ b/policy/modules/services/pwauth.if
@@ -0,0 +1,72 @@
+## <summary>External plugin for mod_authnz_external authenticator.</summary>
+
+########################################
+## <summary>
+## Role access for pwauth.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`pwauth_role',`
+ gen_require(`
+ type pwauth_t;
+ ')
+
+ pwauth_run($2, $1)
+
+ ps_process_pattern($2, pwauth_t)
+ allow $2 pwauth_t:process { ptrace signal_perms };
+')
+
+########################################
+## <summary>
+## Execute pwauth in the pwauth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pwauth_domtrans',`
+ gen_require(`
+ type pwauth_t, pwauth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+')
+
+########################################
+## <summary>
+## Execute pwauth in the pwauth
+## domain, and allow the specified
+## role the pwauth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`pwauth_run',`
+ gen_require(`
+ attribute_role pwauth_roles;
+ ')
+
+ pwauth_domtrans($1)
+ roleattribute $2 pwauth_roles;
+')
diff --git a/policy/modules/services/pwauth.te b/policy/modules/services/pwauth.te
new file mode 100644
index 000000000..dda037399
--- /dev/null
+++ b/policy/modules/services/pwauth.te
@@ -0,0 +1,42 @@
+policy_module(pwauth, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role pwauth_roles;
+roleattribute system_r pwauth_roles;
+
+type pwauth_t;
+type pwauth_exec_t;
+application_domain(pwauth_t, pwauth_exec_t)
+role pwauth_roles types pwauth_t;
+
+type pwauth_var_run_t;
+files_pid_file(pwauth_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pwauth_t self:capability setuid;
+allow pwauth_t self:process setrlimit;
+allow pwauth_t self:fifo_file manage_fifo_file_perms;
+allow pwauth_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
+files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
+
+domain_use_interactive_fds(pwauth_t)
+
+auth_domtrans_chkpwd(pwauth_t)
+auth_use_nsswitch(pwauth_t)
+
+init_read_utmp(pwauth_t)
+
+logging_send_syslog_msg(pwauth_t)
+logging_send_audit_msgs(pwauth_t)
+
+miscfiles_read_localization(pwauth_t)
diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc
new file mode 100644
index 000000000..56ca3ecd5
--- /dev/null
+++ b/policy/modules/services/pxe.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/pxe -- gen_context(system_u:object_r:pxe_initrc_exec_t,s0)
+
+/usr/bin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
+/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
+/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
+
+/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if
new file mode 100644
index 000000000..e0068b794
--- /dev/null
+++ b/policy/modules/services/pxe.if
@@ -0,0 +1,36 @@
+## <summary>Server for the PXE network boot protocol.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pxe environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pxe_admin',`
+ gen_require(`
+ type pxe_t, pxe_initrc_exec_t, pxe_log_t;
+ type pxe_var_run_t;
+ ')
+
+ allow $1 pxe_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pxe_t)
+
+ init_startstop_service($1, $2, pxe_t, pxe_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, pxe_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pxe_var_run_t)
+')
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
new file mode 100644
index 000000000..66b5fda46
--- /dev/null
+++ b/policy/modules/services/pxe.te
@@ -0,0 +1,71 @@
+policy_module(pxe, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type pxe_t;
+type pxe_exec_t;
+init_daemon_domain(pxe_t, pxe_exec_t)
+
+type pxe_initrc_exec_t;
+init_script_file(pxe_initrc_exec_t)
+
+type pxe_log_t;
+logging_log_file(pxe_log_t)
+
+type pxe_var_run_t;
+files_pid_file(pxe_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pxe_t self:capability { chown setgid setuid };
+dontaudit pxe_t self:capability sys_tty_config;
+allow pxe_t self:process signal_perms;
+
+allow pxe_t pxe_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(pxe_t, pxe_log_t, file)
+
+manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t)
+files_pid_filetrans(pxe_t, pxe_var_run_t, file)
+
+kernel_read_kernel_sysctls(pxe_t)
+kernel_read_system_state(pxe_t)
+
+corenet_all_recvfrom_unlabeled(pxe_t)
+corenet_all_recvfrom_netlabel(pxe_t)
+corenet_udp_sendrecv_generic_if(pxe_t)
+corenet_udp_sendrecv_generic_node(pxe_t)
+corenet_udp_bind_generic_node(pxe_t)
+
+corenet_sendrecv_pxe_server_packets(pxe_t)
+corenet_udp_bind_pxe_port(pxe_t)
+corenet_udp_sendrecv_pxe_port(pxe_t)
+
+dev_read_sysfs(pxe_t)
+
+domain_use_interactive_fds(pxe_t)
+
+files_read_etc_files(pxe_t)
+
+fs_getattr_all_fs(pxe_t)
+fs_search_auto_mountpoints(pxe_t)
+
+logging_send_syslog_msg(pxe_t)
+
+miscfiles_read_localization(pxe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(pxe_t)
+')
+
+optional_policy(`
+ udev_read_db(pxe_t)
+')
diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc
new file mode 100644
index 000000000..4dd36d1cd
--- /dev/null
+++ b/policy/modules/services/pyicqt.fc
@@ -0,0 +1,11 @@
+/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+
+/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
+
+/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if
new file mode 100644
index 000000000..1742d8cf7
--- /dev/null
+++ b/policy/modules/services/pyicqt.if
@@ -0,0 +1,42 @@
+## <summary>ICQ transport for XMPP server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pyicqt environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyicqt_admin',`
+ gen_require(`
+ type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
+ type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
+ ')
+
+ allow $1 pyicqt_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyicqt_t)
+
+ init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, pyicqt_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, pyicqt_log_t)
+
+ files_search_spool($1)
+ admin_pattern($1, pyicqt_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pyicqt_var_run_t)
+')
diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
new file mode 100644
index 000000000..6861a4af8
--- /dev/null
+++ b/policy/modules/services/pyicqt.te
@@ -0,0 +1,92 @@
+policy_module(pyicqt, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyicqt_t;
+type pyicqt_exec_t;
+init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+
+type pyicqt_initrc_exec_t;
+init_script_file(pyicqt_initrc_exec_t)
+
+type pyicqt_conf_t;
+files_config_file(pyicqt_conf_t)
+
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t)
+
+type pyicqt_spool_t;
+files_type(pyicqt_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pyicqt_t self:process signal_perms;
+allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+allow pyicqt_t self:tcp_socket { accept listen };
+
+read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+
+allow pyicqt_t pyicqt_log_t:file append_file_perms;
+allow pyicqt_t pyicqt_log_t:file create_file_perms;
+allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
+
+manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+
+kernel_read_system_state(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+corenet_all_recvfrom_unlabeled(pyicqt_t)
+corenet_all_recvfrom_netlabel(pyicqt_t)
+corenet_tcp_sendrecv_generic_if(pyicqt_t)
+corenet_tcp_sendrecv_generic_node(pyicqt_t)
+corenet_tcp_bind_generic_node(pyicqt_t)
+
+# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
+# corenet_tcp_bind_jabber_router_port(pyicqt_t)
+# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
+# corenet_tcp_connect_jabber_router_port(pyicqt_t)
+# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
+
+dev_read_sysfs(pyicqt_t)
+dev_read_urand(pyicqt_t)
+
+files_read_usr_files(pyicqt_t)
+
+fs_getattr_all_fs(pyicqt_t)
+
+auth_use_nsswitch(pyicqt_t)
+
+libs_read_lib_files(pyicqt_t)
+
+logging_send_syslog_msg(pyicqt_t)
+
+miscfiles_read_localization(pyicqt_t)
+
+optional_policy(`
+ jabber_manage_lib_files(pyicqt_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(pyicqt_t)
+ mysql_tcp_connect(pyicqt_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pyicqt_t)
+')
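Review bot: The domain is granted `corenet_tcp_bind_generic_node(pyicqt_t)` but every port rule for the XMPP component connection is commented out (the five `# corenet_*jabber_router*` lines), so apart from the MySQL connect in the optional block pyicqt_t has no port type it may bind or connect to; either the transport cannot reach its jabber server in enforcing mode, or the generic-node bind is dead weight. If corenetwork defines the jabber_router port type the rules should be live; if it does not, the commented lines and the bind rule should be removed rather than shipped as dead code, and in either case a one-line comment should say why they are disabled. Uncommented, the block would read:
```selinux
# … unchanged: corenet generic if/node rules …
corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
corenet_tcp_bind_jabber_router_port(pyicqt_t)
corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
corenet_tcp_connect_jabber_router_port(pyicqt_t)
corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
```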
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
new file mode 100644
index 000000000..af13139a1
--- /dev/null
+++ b/policy/modules/services/pyzor.fc
@@ -0,0 +1,12 @@
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
+
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+
+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
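Review bot: `/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)` has a space before `s0`, unlike every other entry in this file and in the neighbouring .fc files; m4 should strip the leading whitespace from the macro argument so the resulting context is unaffected, but the inconsistency hurts grep-ability and style. I would write it as `/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t,s0)`.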
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
new file mode 100644
index 000000000..7bc14f913
--- /dev/null
+++ b/policy/modules/services/pyzor.if
@@ -0,0 +1,134 @@
+## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+
+########################################
+## <summary>
+## Role access for pyzor.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pyzor_role',`
+ gen_require(`
+ attribute_role pyzor_roles;
+ type pyzor_t, pyzor_exec_t, pyzor_home_t;
+ type pyzor_tmp_t;
+ ')
+
+ roleattribute $1 pyzor_roles;
+
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
+
+ allow $2 pyzor_t:process { ptrace signal_perms };
+ ps_process_pattern($2, pyzor_t)
+
+ allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+')
+
+########################################
+## <summary>
+## Send generic signals to pyzor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_signal',`
+ gen_require(`
+ type pyzor_t;
+ ')
+
+ allow $1 pyzor_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+ gen_require(`
+ type pyzor_exec_t, pyzor_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pyzor_exec_t, pyzor_t)
+')
+
+########################################
+## <summary>
+## Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_exec',`
+ gen_require(`
+ type pyzor_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pyzor_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pyzor environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyzor_admin',`
+ gen_require(`
+ type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
+ type pyzor_var_lib_t, pyzor_etc_t;
+ ')
+
+ allow $1 pyzord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyzord_t)
+
+ init_startstop_service($1, $2, pyzord_t, pyzord_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, pyzor_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, pyzord_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
+
+ # This makes it impossible to apply _admin if _role has already been applied
+ #pyzor_role($2, $1)
+')
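Review bot: `pyzor_role` open-codes the transition as `domtrans_pattern($2, pyzor_exec_t, pyzor_t)` while the same file defines `pyzor_domtrans`, which additionally grants `corecmd_search_bin` and is what other modules (procmail.te calls `pyzor_domtrans(procmail_t)`) use; keeping two copies lets them drift apart. I would replace that line with `pyzor_domtrans($2)` and drop `pyzor_exec_t` from the interface's gen_require. The commented `#pyzor_role($2, $1)` in `pyzor_admin` with its explanation is fine to keep, but the admin interface's summary could state that client access must be granted separately through pyzor_role so readers do not assume _admin implies it.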
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
new file mode 100644
index 000000000..3119df007
--- /dev/null
+++ b/policy/modules/services/pyzor.te
@@ -0,0 +1,160 @@
+policy_module(pyzor, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role pyzor_roles;
+roleattribute system_r pyzor_roles;
+
+type pyzor_t;
+type pyzor_exec_t;
+typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+userdom_user_application_domain(pyzor_t, pyzor_exec_t)
+role pyzor_roles types pyzor_t;
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzor_home_t;
+typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+userdom_user_home_content(pyzor_home_t)
+
+type pyzor_tmp_t;
+typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+userdom_user_tmp_file(pyzor_tmp_t)
+
+type pyzor_var_lib_t;
+typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
+
+type pyzord_t;
+type pyzord_exec_t;
+init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+type pyzord_initrc_exec_t;
+init_script_file(pyzord_initrc_exec_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+########################################
+#
+# Local policy
+#
+
+manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
+
+allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+
+manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(pyzor_t)
+kernel_read_system_state(pyzor_t)
+
+corecmd_list_bin(pyzor_t)
+corecmd_getattr_bin_files(pyzor_t)
+
+corenet_all_recvfrom_unlabeled(pyzor_t)
+corenet_all_recvfrom_netlabel(pyzor_t)
+corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_tcp_sendrecv_generic_node(pyzor_t)
+
+corenet_sendrecv_http_client_packets(pyzor_t)
+corenet_tcp_connect_http_port(pyzor_t)
+corenet_tcp_sendrecv_http_port(pyzor_t)
+
+dev_read_urand(pyzor_t)
+
+fs_getattr_all_fs(pyzor_t)
+fs_search_auto_mountpoints(pyzor_t)
+
+auth_use_nsswitch(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+mta_read_queue(pyzor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(pyzor_t)
+ fs_manage_nfs_files(pyzor_t)
+ fs_manage_nfs_symlinks(pyzor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(pyzor_t)
+ fs_manage_cifs_files(pyzor_t)
+ fs_manage_cifs_symlinks(pyzor_t)
+')
+
+optional_policy(`
+ amavis_manage_lib_files(pyzor_t)
+ amavis_manage_spool_files(pyzor_t)
+')
+
+optional_policy(`
+ spamassassin_signal_spamd(pyzor_t)
+ spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+########################################
+#
+# Daemon local policy
+#
+
+allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+
+allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+allow pyzord_t pyzor_etc_t:file read_file_perms;
+allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
+
+allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
+append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
+
+can_exec(pyzord_t, pyzor_exec_t)
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+corecmd_exec_bin(pyzord_t)
+
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
+corenet_udp_sendrecv_generic_if(pyzord_t)
+corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_bind_generic_node(pyzord_t)
+
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
+corenet_udp_bind_pyzor_port(pyzord_t)
+corenet_udp_sendrecv_pyzor_port(pyzord_t)
+
+auth_use_nsswitch(pyzord_t)
+
+logging_send_syslog_msg(pyzord_t)
+
+locallogin_dontaudit_use_fds(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
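Review bot: The client domain pyzor_t gets only TCP network rules (generic TCP sendrecv plus an HTTP-port connect), while the daemon pyzord_t in the same file binds and sends on the UDP pyzor port; if the pyzor client talks to pyzord with that same UDP protocol, pyzor_t is missing `corenet_udp_sendrecv_generic_if(pyzor_t)`, `corenet_udp_sendrecv_generic_node(pyzor_t)` and `corenet_udp_sendrecv_pyzor_port(pyzor_t)`, and if the HTTP-only access is deliberate a comment saying so would save the next reader the same question. Separately, `mta_manage_spool(pyzord_t)` on the last line gives the signature server full create/write/delete access to the MTA spool, which is far broader than a lookup daemon appears to need; if it exists only for the amavis/spamassassin integration, document that, or narrow it to the read or append interface that is actually exercised.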
diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc
new file mode 100644
index 000000000..54e0847fd
--- /dev/null
+++ b/policy/modules/services/qmail.fc
@@ -0,0 +1,49 @@
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
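Review bot: The catch-all `/var/qmail(/.*)?` entry labels everything under /var/qmail as qmail_etc_t, a configuration type, yet as far as I know stock qmail keeps its queue at /var/qmail/queue rather than /var/spool/qmail; on such an install the queue would be labeled qmail_etc_t, which the queue, send and clean domains cannot manage (their rules in qmail.te are written against qmail_spool_t) and which every caller of qmail_read_config could then read. A dedicated entry such as `/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)` would close that gap; if the targeted distributions really relocate the queue to /var/spool/qmail, a comment stating that assumption belongs above these lines. Minor: tcp-env is listed under /usr/bin and /var/qmail/bin but not under /usr/sbin, unlike every other binary here, which looks like an oversight.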
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
new file mode 100644
index 000000000..e4f0000e5
--- /dev/null
+++ b/policy/modules/services/qmail.if
@@ -0,0 +1,143 @@
+## <summary>Qmail Mail Server.</summary>
+
+########################################
+## <summary>
+## Template for qmail parent/sub-domain pairs.
+## </summary>
+## <param name="child_prefix">
+## <summary>
+## The prefix of the child domain.
+## </summary>
+## </param>
+## <param name="parent_domain">
+## <summary>
+## The name of the parent domain.
+## </summary>
+## </param>
+#
+template(`qmail_child_domain_template',`
+ gen_require(`
+ attribute qmail_child_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, qmail_child_domain;
+ type $1_exec_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, $1_exec_t)
+
+ role system_r types $1_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, $1_exec_t, $1_t)
+
+ kernel_read_system_state($2)
+')
+
+########################################
+## <summary>
+## Transition to qmail_inject_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_inject',`
+ gen_require(`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to qmail_queue_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_queue',`
+ gen_require(`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read qmail configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qmail_read_config',`
+ gen_require(`
+ type qmail_etc_t;
+ ')
+
+ files_search_var($1)
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ ifdef(`distro_debian',`
+ files_search_etc($1)
+ ')
+')
+
+########################################
+## <summary>
+## Define the specified domain as a
+## qmail-smtp service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`qmail_smtpd_service_domain',`
+ gen_require(`
+ type qmail_smtpd_t;
+ ')
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+')
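Review bot: qmail_child_domain_template also grants `kernel_read_system_state($2)` to the parent domain on every invocation, a side effect its summary does not mention and which accumulates silently for qmail_start_t, which is used as the parent six times in qmail.te. Either add a sentence to the template's summary stating that the parent domain is also allowed to read kernel system state, or move that rule next to the parent's own rules so the template only declares and wires the child. The `<rolecap/>` tag on qmail_read_config also looks misplaced, since that interface only grants file read access and does not confer any role capability.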
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
new file mode 100644
index 000000000..8abb5f9bf
--- /dev/null
+++ b/policy/modules/services/qmail.te
@@ -0,0 +1,322 @@
+policy_module(qmail, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_child_domain;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_config_file(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+qmail_child_domain_template(qmail_send, qmail_start_t)
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_keytab_t;
+files_type(qmail_keytab_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t, qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+
+########################################
+#
+# Common qmail child domain local policy
+#
+
+allow qmail_child_domain self:process signal_perms;
+
+allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
+allow qmail_child_domain qmail_etc_t:file read_file_perms;
+allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
+
+allow qmail_child_domain qmail_start_t:fd use;
+
+corecmd_search_bin(qmail_child_domain)
+
+files_search_var(qmail_child_domain)
+
+fs_getattr_xattr_fs(qmail_child_domain)
+
+miscfiles_read_localization(qmail_child_domain)
+
+########################################
+#
+# Clean local policy
+#
+
+read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+
+########################################
+#
+# Inject local policy
+#
+
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+miscfiles_read_localization(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# Local local policy
+#
+
+allow qmail_local_t self:fifo_file write_fifo_file_perms;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+
+can_exec(qmail_local_t, qmail_local_exec_t)
+
+allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
+
+allow qmail_local_t qmail_spool_t:file read_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_bin(qmail_local_t)
+corecmd_exec_shell(qmail_local_t)
+
+files_read_etc_runtime_files(qmail_local_t)
+
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+optional_policy(`
+ spamassassin_domtrans_client(qmail_local_t)
+')
+
+########################################
+#
+# Lspawn local policy
+#
+
+allow qmail_lspawn_t self:capability { setgid setuid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+
+read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# Queue local policy
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# Remote local policy
+#
+
+rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
+
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_dns_name_resolve(qmail_remote_t)
+
+########################################
+#
+# Rspawn local policy
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+
+rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+
+########################################
+#
+# Send local policy
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# Smtpd local policy
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(qmail_smtpd_t)
+ kerberos_use(qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# Splogger local policy
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# Start local policy
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# Tcp-env local policy
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
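Review bot: `allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;` in the smtpd local policy refers to a type that nothing in this commit labels: qmail.fc has no entry for qmail_keytab_t and no interface exposes it, so the rule is dead until an administrator relabels a keytab by hand. Either add a file context for qmail_keytab_t at the path where the qmail keytab actually lives, or drop the type and rely on the `kerberos_read_keytab(qmail_smtpd_t)` rule in the optional block below it. On a least-privilege note, qmail_local_t receives `corecmd_exec_bin` and `corecmd_exec_shell`, presumably so that .qmail delivery programs can run; that deserves a comment saying so, because as written it lets local delivery execute any system binary and the reason is not recoverable from the rules.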
diff --git a/policy/modules/services/qpid.fc b/policy/modules/services/qpid.fc
new file mode 100644
index 000000000..ed8f5432a
--- /dev/null
+++ b/policy/modules/services/qpid.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/usr/bin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
new file mode 100644
index 000000000..531bdc39f
--- /dev/null
+++ b/policy/modules/services/qpid.if
@@ -0,0 +1,187 @@
+## <summary>Apache QPID AMQP messaging server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run qpidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_domtrans',`
+ gen_require(`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+#####################################
+## <summary>
+## Read and write access qpidd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute qpidd init script in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read qpidd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_pid_files',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search qpidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_search_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an qpidd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qpidd_admin',`
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+ type qpidd_var_run_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, qpidd_t)
+
+ init_startstop_service($1, $2, qpidd_t, qpidd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, qpidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, qpidd_var_run_t)
+')
diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
new file mode 100644
index 000000000..533fbb16a
--- /dev/null
+++ b/policy/modules/services/qpid.te
@@ -0,0 +1,73 @@
+policy_module(qpid, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_tmpfs_t;
+files_tmpfs_file(qpidd_tmpfs_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow qpidd_t self:process { setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket { accept listen };
+allow qpidd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+
+corenet_sendrecv_amqp_server_packets(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+corenet_tcp_sendrecv_amqp_port(qpidd_t)
+
+dev_read_sysfs(qpidd_t)
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+
+optional_policy(`
+ corosync_stream_connect(qpidd_t)
+')
diff --git a/policy/modules/services/quantum.fc b/policy/modules/services/quantum.fc
new file mode 100644
index 000000000..70ab68b02
--- /dev/null
+++ b/policy/modules/services/quantum.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+
+/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+
+/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
+
+/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
diff --git a/policy/modules/services/quantum.if b/policy/modules/services/quantum.if
new file mode 100644
index 000000000..31aa2d93b
--- /dev/null
+++ b/policy/modules/services/quantum.if
@@ -0,0 +1,39 @@
+## <summary>Virtual network service for Openstack.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an quantum environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quantum_admin',`
+ gen_require(`
+ type quantum_t, quantum_initrc_exec_t, quantum_log_t;
+ type quantum_var_lib_t, quantum_tmp_t;
+ ')
+
+ allow $1 quantum_t:process { ptrace signal_perms };
+ ps_process_pattern($1, quantum_t)
+
+ init_startstop_service($1, $2, quantum_t, quantum_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, quantum_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, quantum_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, quantum_tmp_t)
+')
diff --git a/policy/modules/services/quantum.te b/policy/modules/services/quantum.te
new file mode 100644
index 000000000..f4d304a60
--- /dev/null
+++ b/policy/modules/services/quantum.te
@@ -0,0 +1,96 @@
+policy_module(quantum, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type quantum_t;
+type quantum_exec_t;
+init_daemon_domain(quantum_t, quantum_exec_t)
+
+type quantum_initrc_exec_t;
+init_script_file(quantum_initrc_exec_t)
+
+type quantum_log_t;
+logging_log_file(quantum_log_t)
+
+type quantum_tmp_t;
+files_tmp_file(quantum_tmp_t)
+
+type quantum_var_lib_t;
+files_type(quantum_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow quantum_t self:capability { setgid setuid sys_resource };
+allow quantum_t self:process { setsched setrlimit };
+allow quantum_t self:fifo_file rw_fifo_file_perms;
+allow quantum_t self:key manage_key_perms;
+allow quantum_t self:tcp_socket { accept listen };
+allow quantum_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+logging_log_filetrans(quantum_t, quantum_log_t, dir)
+
+manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+
+manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+
+can_exec(quantum_t, quantum_tmp_t)
+
+kernel_read_kernel_sysctls(quantum_t)
+kernel_read_system_state(quantum_t)
+
+corecmd_exec_shell(quantum_t)
+corecmd_exec_bin(quantum_t)
+
+corenet_all_recvfrom_unlabeled(quantum_t)
+corenet_all_recvfrom_netlabel(quantum_t)
+corenet_tcp_sendrecv_generic_if(quantum_t)
+corenet_tcp_sendrecv_generic_node(quantum_t)
+corenet_tcp_sendrecv_all_ports(quantum_t)
+corenet_tcp_bind_generic_node(quantum_t)
+
+dev_list_sysfs(quantum_t)
+dev_read_urand(quantum_t)
+
+files_read_usr_files(quantum_t)
+
+auth_use_nsswitch(quantum_t)
+
+libs_exec_ldconfig(quantum_t)
+
+logging_send_audit_msgs(quantum_t)
+logging_send_syslog_msg(quantum_t)
+
+miscfiles_read_localization(quantum_t)
+
+sysnet_domtrans_ifconfig(quantum_t)
+
+optional_policy(`
+ brctl_domtrans(quantum_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(quantum_t)
+ mysql_read_config(quantum_t)
+
+ mysql_tcp_connect(quantum_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(quantum_t)
+ postgresql_unpriv_client(quantum_t)
+
+ postgresql_tcp_connect(quantum_t)
+')
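Review bot: `can_exec(quantum_t, quantum_tmp_t)` combined with `manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)` lets the daemon write a file under /tmp and then execute it, so quantum_t — or anything that compromises it — can run arbitrary code it drops there; this is the only place in the hunk where a domain may both write and execute the same type. If quantum genuinely generates helper scripts at runtime, put a comment above the rule naming that use (and consider a separate type for the generated files); otherwise drop the `can_exec` line. The domain also gets `corenet_tcp_sendrecv_all_ports` and `corenet_tcp_bind_generic_node` but no `corenet_tcp_bind_*_port` rule, so it is not clear from the policy which port quantum-server is expected to listen on; pinning that in a rule or a comment would make the network exposure explicit.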
diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
new file mode 100644
index 000000000..88541bb7a
--- /dev/null
+++ b/policy/modules/services/rabbitmq.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
+
+/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
+/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+
+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+
+/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
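Review bot: The `/usr/lib/erlang/erts.*/bin/beam.*` and `.../bin/epmd` entries label the shared Erlang VM and epmd binaries, not anything RabbitMQ-specific, so any Erlang program started from init, or through `rabbitmq_domtrans`, will run in rabbitmq_beam_t or rabbitmq_epmd_t with access to RabbitMQ's lib, log and run types; conversely there is no entry for a rabbitmq-server wrapper, so the domain entry rests entirely on the VM binary. Unless the policy is only meant for hosts where Erlang serves RabbitMQ alone, that assumption should be stated in a comment above these entries, e.g. `# the Erlang VM itself is labeled here; any Erlang service on this host will enter rabbitmq_beam_t`. Note also that `beam.*` deliberately covers beam.smp and anything else in that directory beginning with beam, which is presumably intended but worth saying.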
diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if
new file mode 100644
index 000000000..854cd364d
--- /dev/null
+++ b/policy/modules/services/rabbitmq.if
@@ -0,0 +1,60 @@
+## <summary>AMQP server written in Erlang.</summary>
+
+########################################
+## <summary>
+## Execute rabbitmq in the rabbitmq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rabbitmq_domtrans',`
+ gen_require(`
+ type rabbitmq_epmd_t, rabbitmq_epmd_exec_t;
+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rabbitmq environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rabbitmq_admin',`
+ gen_require(`
+ type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+ type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
+ ')
+
+ allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+
+ init_startstop_service($1, $2, { rabbitmq_epmd_t rabbitmq_beam_t }, rabbitmq_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, rabbitmq_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rabbitmq_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rabbitmq_var_run_t)
+')
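Review bot: The summary of `rabbitmq_domtrans` says it executes rabbitmq "in the rabbitmq domain", but the body sets up two transitions, into `rabbitmq_epmd_t` and into `rabbitmq_beam_t`, so a caller cannot tell from the documentation that both exec types are entrypoints; suggest `## Execute the Erlang VM (beam) and epmd in the rabbitmq_beam and rabbitmq_epmd domains.` Separately, the `rabbitmq_admin` summary reads `administrate an rabbitmq environment`; the article should be `a`, and the same wording recurs in the admin interfaces of radius.if, radvd.if and redis.if in this commit.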
diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te
new file mode 100644
index 000000000..e557dc00e
--- /dev/null
+++ b/policy/modules/services/rabbitmq.te
@@ -0,0 +1,124 @@
+policy_module(rabbitmq, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+type rabbitmq_epmd_t;
+type rabbitmq_epmd_exec_t;
+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
+
+type rabbitmq_beam_t;
+type rabbitmq_beam_exec_t;
+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+
+type rabbitmq_initrc_exec_t;
+init_script_file(rabbitmq_initrc_exec_t)
+
+type rabbitmq_var_lib_t;
+files_type(rabbitmq_var_lib_t)
+
+type rabbitmq_var_log_t;
+logging_log_file(rabbitmq_var_log_t)
+
+type rabbitmq_var_run_t;
+files_pid_file(rabbitmq_var_run_t)
+
+######################################
+#
+# Beam local policy
+#
+
+allow rabbitmq_beam_t self:process { setsched signal signull };
+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_beam_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+
+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+
+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+
+kernel_read_system_state(rabbitmq_beam_t)
+kernel_read_fs_sysctls(rabbitmq_beam_t)
+
+corecmd_exec_bin(rabbitmq_beam_t)
+corecmd_exec_shell(rabbitmq_beam_t)
+
+corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+
+corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+
+corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+
+corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
+
+fs_getattr_all_fs(rabbitmq_beam_t)
+fs_search_cgroup_dirs(rabbitmq_beam_t)
+
+files_read_etc_files(rabbitmq_beam_t)
+
+storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
+
+miscfiles_read_localization(rabbitmq_beam_t)
+
+sysnet_dns_name_resolve(rabbitmq_beam_t)
+
+ optional_policy(`
+ couchdb_manage_lib_files(rabbitmq_beam_t)
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
+ couchdb_read_pid_files(rabbitmq_beam_t)
+ ')
+
+########################################
+#
+# Epmd local policy
+#
+
+
+allow rabbitmq_epmd_t self:process signal;
+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
+allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+
+corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
+corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
+
+corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
+
+files_read_etc_files(rabbitmq_epmd_t)
+
+logging_send_syslog_msg(rabbitmq_epmd_t)
+
+miscfiles_read_localization(rabbitmq_epmd_t)
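Review bot: The `optional_policy` block granting couchdb access at the end of the beam section is indented one level deeper than every other top-level block in this file and the rest of the commit, and it follows rules letting `rabbitmq_beam_t` bind and serve the couchdb port (`corenet_tcp_bind_couchdb_port`, `corenet_sendrecv_couchdb_server_packets`). Binding another service's port widens what this domain may serve; if the rules were inherited from a shared Erlang VM policy in which couchdb ran in this domain, a comment such as `# couchdb runs on the same Erlang VM and may share this domain` would justify them, otherwise they look removable. As minor style points, the beam section banner has 38 `#` characters where the others have 40, and the epmd section banner is followed by two blank lines instead of one.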
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc
new file mode 100644
index 000000000..19ff8e93c
--- /dev/null
+++ b/policy/modules/services/radius.fc
@@ -0,0 +1,26 @@
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.((daily)|(weekly)|(monthly))/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
+
+/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+
+/usr/bin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/bin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
+/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
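Review bot: The two cron entries on the first lines use different regex styles for the same idea, `(daily|monthly)` on the first line and `((daily)|(weekly)|(monthly))` on the second, and they cover different sets of periods; if both scripts are meant to be treated alike, `/etc/cron\.(daily|weekly|monthly)/(radiusd|freeradius) -- gen_context(system_u:object_r:radiusd_exec_t,s0)` expresses it once. The redundant inner groups in the second pattern add nothing to the match; if the period sets really differ per script, a comment saying why would stop the next reader from "fixing" it.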
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
new file mode 100644
index 000000000..bce89c308
--- /dev/null
+++ b/policy/modules/services/radius.if
@@ -0,0 +1,43 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an radius environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radius_admin',`
+ gen_require(`
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radiusd_initrc_exec_t;
+ ')
+
+ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_startstop_service($1, $2, radiusd_t, radiusd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, radiusd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, radiusd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radiusd_var_run_t)
+')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
new file mode 100644
index 000000000..e6ff2d00f
--- /dev/null
+++ b/policy/modules/services/radius.te
@@ -0,0 +1,145 @@
+policy_module(radius, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t, radiusd_exec_t)
+
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
+
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
+allow radiusd_t self:unix_stream_socket { accept listen };
+allow radiusd_t self:tcp_socket { accept listen };
+
+allow radiusd_t radiusd_etc_t:dir list_dir_perms;
+allow radiusd_t radiusd_etc_t:file read_file_perms;
+allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+
+manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
+
+manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+
+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+
+kernel_read_kernel_sysctls(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
+corenet_tcp_sendrecv_generic_if(radiusd_t)
+corenet_udp_sendrecv_generic_if(radiusd_t)
+corenet_tcp_sendrecv_generic_node(radiusd_t)
+corenet_udp_sendrecv_generic_node(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_generic_node(radiusd_t)
+
+corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+
+corenet_sendrecv_snmp_client_packets(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
+
+corenet_sendrecv_generic_server_packets(radiusd_t)
+corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+domain_use_interactive_fds(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+files_dontaudit_list_tmp(radiusd_t)
+
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
+miscfiles_read_generic_tls_privkey(radiusd_t)
+
+sysnet_use_ldap(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
+optional_policy(`
+ cron_system_entry(radiusd_t, radiusd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(radiusd_t)
+')
+
+optional_policy(`
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
+ mysql_tcp_connect(radiusd_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`
+ udev_read_db(radiusd_t)
+')
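Review bot: `sys_tty_config` is both allowed in the `self:capability` rule that opens the local policy section and `dontaudit`ed on the very next line; once the permission is allowed the dontaudit is dead. The other daemons in this commit (radvd, rdisc) only dontaudit it, the usual refpolicy treatment for a capability probed at startup, so drop it from the allow: `allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource };`. Also `auth_read_shadow` and `auth_domtrans_chk_passwd` are both granted; if the chkpwd helper is the intended path for local passwords, the direct shadow read is unnecessary and a comment stating which authentication path each rule serves would help.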
diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc
new file mode 100644
index 000000000..9765e4561
--- /dev/null
+++ b/policy/modules/services/radvd.fc
@@ -0,0 +1,10 @@
+/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
+
+/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+
+/usr/bin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
+/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
new file mode 100644
index 000000000..38e35fe6c
--- /dev/null
+++ b/policy/modules/services/radvd.if
@@ -0,0 +1,36 @@
+## <summary>IPv6 router advertisement daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an radvd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radvd_admin',`
+ gen_require(`
+ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
+ type radvd_var_run_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radvd_t)
+
+ init_startstop_service($1, $2, radvd_t, radvd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, radvd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radvd_var_run_t)
+')
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
new file mode 100644
index 000000000..e06e52e6a
--- /dev/null
+++ b/policy/modules/services/radvd.te
@@ -0,0 +1,79 @@
+policy_module(radvd, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t, radvd_exec_t)
+
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
+
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow radvd_t self:capability { kill net_admin net_raw setgid setuid };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process signal_perms;
+allow radvd_t self:fifo_file rw_fifo_file_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket { accept listen };
+
+allow radvd_t radvd_etc_t:file read_file_perms;
+
+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(radvd_t)
+kernel_rw_net_sysctls(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+kernel_request_load_module(radvd_t)
+
+corenet_all_recvfrom_netlabel(radvd_t)
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_tcp_sendrecv_generic_if(radvd_t)
+corenet_udp_sendrecv_generic_if(radvd_t)
+corenet_raw_sendrecv_generic_if(radvd_t)
+corenet_tcp_sendrecv_generic_node(radvd_t)
+corenet_udp_sendrecv_generic_node(radvd_t)
+corenet_raw_sendrecv_generic_node(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+domain_use_interactive_fds(radvd_t)
+
+files_list_usr(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+auth_use_nsswitch(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`
+ udev_read_db(radvd_t)
+')
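Review bot: `radvd_t` is given TCP and UDP send/receive on all ports (`corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`) plus `self:tcp_socket { accept listen }`, while the protocol it speaks is ICMPv6 over the raw socket granted by `self:rawip_socket` and the `corenet_raw_*` rules. Unless a control channel exists that the policy does not show, these look like boilerplate and widen the network reach of the domain; either drop them or add a one-line comment naming the traffic they exist for. As a style point, the Declarations banner is not followed by a blank line before `type radvd_t;`, unlike every other module in this commit.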
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
new file mode 100644
index 000000000..6723f4d3b
--- /dev/null
+++ b/policy/modules/services/razor.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+
+/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+
+/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
new file mode 100644
index 000000000..1e4b523bf
--- /dev/null
+++ b/policy/modules/services/razor.if
@@ -0,0 +1,130 @@
+## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+
+#######################################
+## <summary>
+## The template to define a razor domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`razor_common_domain_template',`
+ gen_require(`
+ attribute razor_domain;
+ type razor_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, razor_domain;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ auth_use_nsswitch($1_t)
+')
+
+########################################
+## <summary>
+## Role access for razor.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`razor_role',`
+ gen_require(`
+ attribute_role razor_roles;
+ type razor_t, razor_exec_t, razor_home_t;
+ type razor_tmp_t;
+ ')
+
+ roleattribute $1 razor_roles;
+
+ domtrans_pattern($2, razor_exec_t, razor_t)
+
+ ps_process_pattern($2, razor_t)
+ allow $2 razor_t:process signal;
+
+ allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
+')
+
+########################################
+## <summary>
+## Execute razor in the system razor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`razor_domtrans',`
+ gen_require(`
+ type system_razor_t, razor_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, razor_exec_t, system_razor_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## razor home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`razor_manage_home_content',`
+ gen_require(`
+ type razor_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 razor_home_t:dir manage_dir_perms;
+ allow $1 razor_home_t:file manage_file_perms;
+ allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read razor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`razor_read_lib_files',`
+ gen_require(`
+ type razor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
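Review bot: In `razor_common_domain_template` the second banner comment reads `# Declarations`, but the block under it (`auth_use_nsswitch($1_t)`) is policy, not a declaration; it should read `# Policy` (or `# Local policy`) so the template follows the Declarations / Local policy layout used by the .te files in this commit.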
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
new file mode 100644
index 000000000..8497f9afa
--- /dev/null
+++ b/policy/modules/services/razor.te
@@ -0,0 +1,139 @@
+policy_module(razor, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute razor_domain;
+
+attribute_role razor_roles;
+
+type razor_exec_t;
+corecmd_executable_file(razor_exec_t)
+
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+userdom_user_home_content(razor_home_t)
+
+type razor_log_t;
+logging_log_file(razor_log_t)
+
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+userdom_user_tmp_file(razor_tmp_t)
+
+type razor_var_lib_t;
+files_type(razor_var_lib_t)
+
+razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+userdom_user_application_type(razor_t)
+role razor_roles types razor_t;
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
+
+########################################
+#
+# Common razor domain local policy
+#
+
+allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow razor_domain self:fd use;
+allow razor_domain self:fifo_file rw_fifo_file_perms;
+allow razor_domain self:unix_dgram_socket sendto;
+allow razor_domain self:unix_stream_socket { accept connectto listen };
+
+allow razor_domain razor_etc_t:dir list_dir_perms;
+allow razor_domain razor_etc_t:file read_file_perms;
+allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
+
+allow razor_domain razor_exec_t:file read_file_perms;
+allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
+
+kernel_read_system_state(razor_domain)
+kernel_read_network_state(razor_domain)
+kernel_read_software_raid_state(razor_domain)
+kernel_getattr_core_if(razor_domain)
+kernel_getattr_message_if(razor_domain)
+kernel_read_kernel_sysctls(razor_domain)
+
+corecmd_exec_bin(razor_domain)
+
+corenet_all_recvfrom_unlabeled(razor_domain)
+corenet_all_recvfrom_netlabel(razor_domain)
+corenet_tcp_sendrecv_generic_if(razor_domain)
+corenet_tcp_sendrecv_generic_node(razor_domain)
+
+corenet_tcp_sendrecv_razor_port(razor_domain)
+corenet_tcp_connect_razor_port(razor_domain)
+corenet_sendrecv_razor_client_packets(razor_domain)
+
+dev_read_rand(razor_domain)
+dev_read_urand(razor_domain)
+
+files_read_etc_runtime_files(razor_domain)
+
+libs_read_lib_files(razor_domain)
+
+miscfiles_read_localization(razor_domain)
+
+########################################
+#
+# System local policy
+#
+
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+
+manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
+append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+########################################
+#
+# Session local policy
+#
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+fs_getattr_all_fs(razor_t)
+fs_search_auto_mountpoints(razor_t)
+
+userdom_use_unpriv_users_fds(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+')
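Review bot: The `self:process` rule that opens the common razor domain policy grants a very wide set, including `transition`, `dyntransition`, `setcap`, `share`, `noatsecure`, `siginh`, `rlimitinh`, `setkeycreate` and `setsockcreate`, to a spam-reporting client. `transition`, `noatsecure`, `siginh` and `rlimitinh` are normally granted by `domtrans_pattern` toward a target domain, and `dyntransition` on self has no effect without a matching dyntransition target, so the list reads like an unfiltered denial dump rather than a minimal set. Suggest trimming it to the permissions the razor agents are observed to use, with a comment above the rule recording the source of each non-obvious one, e.g. `# TODO(review): confirm against audit log which of these are exercised`.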
diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc
new file mode 100644
index 000000000..0c4d5b558
--- /dev/null
+++ b/policy/modules/services/rdisc.fc
@@ -0,0 +1,3 @@
+/usr/bin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+
+/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/services/rdisc.if b/policy/modules/services/rdisc.if
new file mode 100644
index 000000000..170ef52fb
--- /dev/null
+++ b/policy/modules/services/rdisc.if
@@ -0,0 +1,20 @@
+## <summary>Network router discovery daemon.</summary>
+
+######################################
+## <summary>
+## Execute rdisc in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rdisc_exec',`
+ gen_require(`
+ type rdisc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rdisc_exec_t)
+')
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
new file mode 100644
index 000000000..cd8ead336
--- /dev/null
+++ b/policy/modules/services/rdisc.te
@@ -0,0 +1,58 @@
+policy_module(rdisc, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rdisc_t;
+type rdisc_exec_t;
+init_daemon_domain(rdisc_t, rdisc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rdisc_t self:capability net_raw;
+dontaudit rdisc_t self:capability sys_tty_config;
+allow rdisc_t self:process signal_perms;
+allow rdisc_t self:unix_stream_socket { accept listen };
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+
+kernel_list_proc(rdisc_t)
+kernel_read_proc_symlinks(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
+
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
+corenet_udp_sendrecv_generic_if(rdisc_t)
+corenet_raw_sendrecv_generic_if(rdisc_t)
+corenet_udp_sendrecv_generic_node(rdisc_t)
+corenet_raw_sendrecv_generic_node(rdisc_t)
+corenet_udp_sendrecv_all_ports(rdisc_t)
+
+dev_read_sysfs(rdisc_t)
+
+fs_search_auto_mountpoints(rdisc_t)
+
+domain_use_interactive_fds(rdisc_t)
+
+files_read_etc_files(rdisc_t)
+
+logging_send_syslog_msg(rdisc_t)
+
+miscfiles_read_localization(rdisc_t)
+
+sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(rdisc_t)
+')
+
+optional_policy(`
+ udev_read_db(rdisc_t)
+')
diff --git a/policy/modules/services/realmd.fc b/policy/modules/services/realmd.fc
new file mode 100644
index 000000000..04babe3d5
--- /dev/null
+++ b/policy/modules/services/realmd.fc
@@ -0,0 +1 @@
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
diff --git a/policy/modules/services/realmd.if b/policy/modules/services/realmd.if
new file mode 100644
index 000000000..bff31dfd2
--- /dev/null
+++ b/policy/modules/services/realmd.if
@@ -0,0 +1,41 @@
+## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
+
+########################################
+## <summary>
+## Execute realmd in the realmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`realmd_domtrans',`
+ gen_require(`
+ type realmd_t, realmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, realmd_exec_t, realmd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## realmd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`realmd_dbus_chat',`
+ gen_require(`
+ type realmd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 realmd_t:dbus send_msg;
+ allow realmd_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/realmd.te b/policy/modules/services/realmd.te
new file mode 100644
index 000000000..5bc878b29
--- /dev/null
+++ b/policy/modules/services/realmd.te
@@ -0,0 +1,90 @@
+policy_module(realmd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type realmd_t;
+type realmd_exec_t;
+init_system_domain(realmd_t, realmd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow realmd_t self:capability sys_nice;
+allow realmd_t self:process setsched;
+
+kernel_read_system_state(realmd_t)
+
+corecmd_exec_bin(realmd_t)
+corecmd_exec_shell(realmd_t)
+
+corenet_all_recvfrom_unlabeled(realmd_t)
+corenet_all_recvfrom_netlabel(realmd_t)
+corenet_tcp_sendrecv_generic_if(realmd_t)
+corenet_tcp_sendrecv_generic_node(realmd_t)
+
+corenet_sendrecv_http_client_packets(realmd_t)
+corenet_tcp_connect_http_port(realmd_t)
+corenet_tcp_sendrecv_http_port(realmd_t)
+
+domain_use_interactive_fds(realmd_t)
+
+dev_read_rand(realmd_t)
+dev_read_urand(realmd_t)
+
+fs_getattr_all_fs(realmd_t)
+
+files_read_usr_files(realmd_t)
+
+auth_use_nsswitch(realmd_t)
+
+logging_send_syslog_msg(realmd_t)
+
+optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(realmd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(realmd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(realmd_t)
+')
+
+optional_policy(`
+ kerberos_use(realmd_t)
+ kerberos_rw_keytab(realmd_t)
+')
+
+optional_policy(`
+ nis_exec_ypbind(realmd_t)
+ nis_initrc_domtrans(realmd_t)
+')
+
+optional_policy(`
+ gnome_read_generic_home_content(realmd_t)
+')
+
+optional_policy(`
+ samba_domtrans_net(realmd_t)
+ samba_manage_config(realmd_t)
+ samba_getattr_winbind_exec(realmd_t)
+')
+
+optional_policy(`
+ sssd_getattr_exec(realmd_t)
+ sssd_manage_config(realmd_t)
+ sssd_manage_lib_files(realmd_t)
+ sssd_manage_public_files(realmd_t)
+ sssd_read_pid_files(realmd_t)
+ sssd_initrc_domtrans(realmd_t)
+')
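Review bot: `gnome_read_generic_home_content(realmd_t)` lets a system D-Bus service read users' GNOME configuration in their home directories, which is unusual for a domain declared with `init_system_domain` and is not explained anywhere in the module. If there is a known reason (a dconf/gsettings lookup on behalf of the enrolling user, perhaps) a comment such as `# reads user gnome config during enrollment; reason TODO(review)` should sit above the optional block, otherwise it should be dropped. The kerberos, samba and sssd blocks that follow grant write access to the keytab and to configuration files; that is realmd's job, but one comment per block saying so would let a later reviewer tell intended writes from accidental ones.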
diff --git a/policy/modules/services/redis.fc b/policy/modules/services/redis.fc
new file mode 100644
index 000000000..74443abdd
--- /dev/null
+++ b/policy/modules/services/redis.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/policy/modules/services/redis.if b/policy/modules/services/redis.if
new file mode 100644
index 000000000..276309a98
--- /dev/null
+++ b/policy/modules/services/redis.if
@@ -0,0 +1,42 @@
+## <summary>Advanced key-value store.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an redis environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`redis_admin',`
+ gen_require(`
+ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ type redis_log_t, redis_var_run_t, redis_conf_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
+ init_startstop_service($1, $2, redis_t, redis_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, redis_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+')
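Review bot: The interface summary line `## administrate an redis environment.` has the wrong article; `## administrate a redis environment.` is the intended wording. The same slip is repeated in resmgr.if (`an resmgr environment`) and rgmanager.if (`an rgmanager environment`) further down this commit, so all three summaries can be corrected together. These `<summary>` blocks are the text that ends up in the generated interface documentation, which is where the wording is visible to policy users.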
diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
new file mode 100644
index 000000000..5e809cf69
--- /dev/null
+++ b/policy/modules/services/redis.te
@@ -0,0 +1,72 @@
+policy_module(redis, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+type redis_t;
+type redis_exec_t;
+init_daemon_domain(redis_t, redis_exec_t)
+
+type redis_initrc_exec_t;
+init_script_file(redis_initrc_exec_t)
+
+type redis_log_t;
+logging_log_file(redis_log_t)
+
+type redis_var_lib_t;
+files_type(redis_var_lib_t)
+
+type redis_var_run_t;
+files_pid_file(redis_var_run_t)
+
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
+########################################
+#
+# Local policy
+#
+
+allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:fifo_file rw_fifo_file_perms;
+allow redis_t self:unix_stream_socket create_stream_socket_perms;
+allow redis_t self:tcp_socket create_stream_socket_perms;
+
+allow redis_t redis_conf_t:file rw_file_perms;
+
+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+logging_log_filetrans(redis_t, redis_log_t, dir)
+
+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+kernel_read_system_state(redis_t)
+
+corenet_all_recvfrom_unlabeled(redis_t)
+corenet_all_recvfrom_netlabel(redis_t)
+corenet_tcp_sendrecv_generic_if(redis_t)
+corenet_tcp_sendrecv_generic_node(redis_t)
+corenet_tcp_bind_generic_node(redis_t)
+
+corenet_sendrecv_redis_server_packets(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+corenet_tcp_connect_redis_port(redis_t)
+corenet_tcp_sendrecv_redis_port(redis_t)
+
+dev_read_sysfs(redis_t)
+dev_read_urand(redis_t)
+
+logging_send_syslog_msg(redis_t)
+
+miscfiles_read_localization(redis_t)
+
+sysnet_dns_name_resolve(redis_t)
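Review bot: `allow redis_t redis_conf_t:file rw_file_perms;` gives the daemon write access to its own configuration, which is the one rule in this file that lets a compromised redis_t persist changes across restarts; the sibling resmgr.te in this commit grants only `read_file_perms` on its config type. If the write is intentional (presumably to support the server's config-rewrite feature), a one-line comment above the rule saying so would stop the next reviewer from tightening it, e.g. `# redis rewrites its own config file`; otherwise `read_file_perms` is the safer choice. Separately, redis_t manages redis_var_run_t dirs and files but, unlike resmgr.te and rgmanager.te here, there is no `files_pid_filetrans(redis_t, redis_var_run_t, { dir file })`, so objects redis_t creates directly under /run would not receive the redis_var_run_t label unless the directory already exists with that label.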
diff --git a/policy/modules/services/remotelogin.fc b/policy/modules/services/remotelogin.fc
new file mode 100644
index 000000000..327baf059
--- /dev/null
+++ b/policy/modules/services/remotelogin.fc
@@ -0,0 +1 @@
+# Remote login currently has no file contexts.
diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if
new file mode 100644
index 000000000..a9ce68e33
--- /dev/null
+++ b/policy/modules/services/remotelogin.if
@@ -0,0 +1,79 @@
+## <summary>Rshd, rlogind, and telnetd.</summary>
+
+########################################
+## <summary>
+## Domain transition to the remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`remotelogin_domtrans',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ corecmd_search_bin($1)
+ auth_domtrans_login_program($1, remote_login_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to remote login.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## remote login temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`remotelogin_manage_tmp_content',`
+ gen_require(`
+ type remote_login_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 remote_login_tmp_t:dir manage_dir_perms;
+ allow $1 remote_login_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel remote login temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`remotelogin_relabel_tmp_content',`
+ gen_require(`
+ type remote_login_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 remote_login_tmp_t:dir relabel_dir_perms;
+ allow $1 remote_login_tmp_t:file relabel_file_perms;
+')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
new file mode 100644
index 000000000..bc2292e37
--- /dev/null
+++ b/policy/modules/services/remotelogin.te
@@ -0,0 +1,100 @@
+policy_module(remotelogin, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t;
+domain_interactive_fd(remote_login_t)
+auth_login_pgm_domain(remote_login_t)
+auth_login_entry_type(remote_login_t)
+
+type remote_login_tmp_t;
+files_tmp_file(remote_login_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
+
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
+
+fs_getattr_xattr_fs(remote_login_t)
+
+term_relabel_all_ptys(remote_login_t)
+term_use_all_ptys(remote_login_t)
+term_setattr_all_ptys(remote_login_t)
+
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_faillog(remote_login_t)
+
+corecmd_list_bin(remote_login_t)
+
+domain_read_all_entry_files(remote_login_t)
+
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+files_read_var_symlinks(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(remote_login_t)
+ fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(remote_login_t)
+ fs_read_cifs_symlinks(remote_login_t)
+')
+
+optional_policy(`
+ alsa_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ mta_getattr_spool(remote_login_t)
+')
+
+optional_policy(`
+ telnet_use_ptys(remote_login_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(remote_login_t)
+')
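Review bot: The two adjacent `allow remote_login_t self:process` rules split one permission set across two lines; folding `setrlimit setexec` into the first rule gives a single `allow remote_login_t self:process { ... }` line, consistent with how the rest of the file states self permissions. The first set also carries `dyntransition`, `share`, `setcap` and `setkeycreate`, which are unusual for a login helper, and nothing in the file says which of rshd, rlogind or telnetd needs them; a short comment naming the program that requires each unusual permission would let a future reviewer prune the set safely. I cannot tell from this hunk whether `auth_login_pgm_domain` already covers part of this set, so that is worth checking before merging the lines.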
diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc
new file mode 100644
index 000000000..c5b467dc8
--- /dev/null
+++ b/policy/modules/services/resmgr.fc
@@ -0,0 +1,10 @@
+/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
+
+/usr/bin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
new file mode 100644
index 000000000..a40693442
--- /dev/null
+++ b/policy/modules/services/resmgr.if
@@ -0,0 +1,56 @@
+## <summary>Resource management daemon.</summary>
+
+########################################
+## <summary>
+## Connect to resmgrd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+ gen_require(`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an resmgr environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`resmgr_admin',`
+ gen_require(`
+ type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_var_run_t;
+ type resmgrd_etc_t;
+ ')
+
+ allow $1 resmgrd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, resmgrd_t)
+
+ init_startstop_service($1, $2, resmgrd_t, resmgrd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, resmgrd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, resmgrd_var_run_t)
+')
diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te
new file mode 100644
index 000000000..d3a7890f0
--- /dev/null
+++ b/policy/modules/services/resmgr.te
@@ -0,0 +1,67 @@
+policy_module(resmgr, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t, resmgrd_exec_t)
+
+type resmgrd_initrc_exec_t;
+init_script_file(resmgrd_initrc_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file read_file_perms;
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+storage_write_scsi_generic(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+ udev_read_db(resmgrd_t)
+')
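Review bot: `allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };` combined with the `storage_raw_write_removable_device` and `storage_write_scsi_generic` rules lets this daemon write raw block and SCSI generic devices, and the file gives no hint which resmgrd operation needs that. Each of `sys_admin` and `sys_rawio` is a capability that on its own largely defeats the confinement this module is meant to provide, so a comment above the capability rule naming the operation that requires them (a placeholder such as `# sys_rawio: <operation> — confirm` if unknown) is the minimum documentation a reviewer would want. The `storage_dontaudit_read_fixed_disk` rule suggests the author already considered what the daemon should not touch, which makes the unexplained raw write access stand out more.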
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
new file mode 100644
index 000000000..0e0644444
--- /dev/null
+++ b/policy/modules/services/rgmanager.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
+/usr/bin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
new file mode 100644
index 000000000..943b0b875
--- /dev/null
+++ b/policy/modules/services/rgmanager.if
@@ -0,0 +1,120 @@
+## <summary>Resource Group Manager.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+########################################
+## <summary>
+## Connect to rgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## rgmanager tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an rgmanager environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rgmanager_admin',`
+ gen_require(`
+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ ')
+
+ allow $1 rgmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rgmanager_t)
+
+ init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, rgmanager_tmp_t)
+
+ admin_pattern($1, rgmanager_tmpfs_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, rgmanager_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
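Review bot: In `rgmanager_admin`, `admin_pattern($1, rgmanager_tmpfs_t)` is the only admin_pattern in this interface not preceded by a search rule on the parent location, whereas `rgmanager_manage_tmpfs_files` above pairs the same type with `fs_search_tmpfs($1)`; adding `fs_search_tmpfs($1)` before it would make the admin domain able to reach the tmpfs objects it is being granted, unless $1 already gets that access elsewhere. A smaller consistency point: this interface uses `files_list_tmp`, `logging_list_logs` and `files_list_pids`, while `redis_admin` and `resmgr_admin` in the same commit use the `*_search_*` forms for the equivalent steps, so the three admin interfaces could agree on one convention.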
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
new file mode 100644
index 000000000..2329f8e39
--- /dev/null
+++ b/policy/modules/services/rgmanager.te
@@ -0,0 +1,205 @@
+policy_module(rgmanager, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rgmanager can
+## connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+type rgmanager_initrc_exec_t;
+init_script_file(rgmanager_initrc_exec_t)
+
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
+allow rgmanager_t self:process { setsched signal };
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { accept listen };
+allow rgmanager_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+kernel_manage_unlabeled_dirs(rgmanager_t)
+
+corenet_all_recvfrom_unlabeled(rgmanager_t)
+corenet_all_recvfrom_netlabel(rgmanager_t)
+corenet_tcp_sendrecv_generic_if(rgmanager_t)
+corenet_tcp_sendrecv_generic_node(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
+
+fs_getattr_all_fs(rgmanager_t)
+
+storage_raw_read_fixed_disk(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+init_domtrans_script(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_sendrecv_all_client_packets(rgmanager_t)
+ corenet_tcp_connect_all_ports(rgmanager_t)
+ corenet_tcp_sendrecv_all_ports(rgmanager_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ consoletype_exec(rgmanager_t)
+')
+
+optional_policy(`
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mount_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
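Review bot: The tunable description `Determine whether rgmanager can connect to the network using TCP.` understates what the `tunable_policy` block actually grants: `corenet_tcp_connect_all_ports` and `corenet_tcp_sendrecv_all_ports` allow connections to any TCP port, including ports reserved for other confined services. Rewording it to `## Determine whether rgmanager can connect to any TCP port on the network.` tells an administrator what they are enabling. If the resource agents only need a known set of ports, a narrower set of `corenet_tcp_connect_*_port` calls under the same tunable would be the tighter design, though which ports those are cannot be determined from this hunk.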
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
new file mode 100644
index 000000000..90d0c0de5
--- /dev/null
+++ b/policy/modules/services/rhcs.fc
@@ -0,0 +1,40 @@
+/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+
+/usr/bin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/bin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/bin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/bin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/bin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/.*\.log <<none>>
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+
+/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
new file mode 100644
index 000000000..776c57017
--- /dev/null
+++ b/policy/modules/services/rhcs.if
@@ -0,0 +1,496 @@
+## <summary>Red Hat Cluster Suite.</summary>
+
+#######################################
+## <summary>
+## The template to define a rhcs domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain, cluster_pid, cluster_tmpfs;
+ attribute cluster_log;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t, cluster_tmpfs;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t, cluster_log;
+ logging_log_file($1_var_log_t)
+
+ type $1_var_run_t, cluster_pid;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
+
+ optional_policy(`
+ dbus_system_bus_client($1_t)
+ ')
+')
+
+######################################
+## <summary>
+## Execute a domain transition to
+## run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Get attributes of fenced
+## executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_getattr_fenced_exec_files',`
+ gen_require(`
+ type fenced_exec_t;
+ ')
+
+ allow $1 fenced_exec_t:file getattr_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to dlm_controld with a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Read and write dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_dlm_controld_semaphores',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_tmpfs_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+## <summary>
+## Read and write fenced semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_fenced_semaphores',`
+ gen_require(`
+ type fenced_t, fenced_tmpfs_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+####################################
+## <summary>
+## Connect to all cluster domains
+## with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster',`
+ gen_require(`
+ attribute cluster_domain, cluster_pid;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
+
+######################################
+## <summary>
+## Connect to fenced with an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_fenced',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+')
+
+#####################################
+## <summary>
+## Execute a domain transition
+## to run gfs_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+####################################
+## <summary>
+## Read and write gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_semaphores',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_shm',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Connect to gfs_controld_t with
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_groupd',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Connect to groupd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_groupd',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+########################################
+## <summary>
+## Read and write all cluster domains
+## shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_shm',`
+ gen_require(`
+ attribute cluster_domain, cluster_tmpfs;
+ ')
+
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
+####################################
+## <summary>
+## Read and write all cluster
+## domains semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_semaphores',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
+
+#####################################
+## <summary>
+## Read and write groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write groupd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_qdiskd',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rhcs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhcs_admin',`
+ gen_require(`
+ attribute cluster_domain, cluster_pid, cluster_tmpfs;
+ attribute cluster_log;
+ type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
+ type fenced_tmp_t, qdiskd_var_lib_t;
+ type dlm_controld_t, foghorn_t;
+ ')
+
+ allow $1 cluster_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, cluster_domain)
+
+ init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
+ init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cluster_pid)
+
+ files_search_locks($1)
+ admin_pattern($1, fenced_lock_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, fenced_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, qdiskd_var_lib_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, cluster_tmpfs)
+
+ logging_search_logs($1)
+ admin_pattern($1, cluster_log)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
new file mode 100644
index 000000000..c0a7c3d54
--- /dev/null
+++ b/policy/modules/services/rhcs.te
@@ -0,0 +1,330 @@
+policy_module(rhcs, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether fenced can
+## connect to the TCP network.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+## <desc>
+## <p>
+## Determine whether fenced can use ssh.
+## </p>
+## </desc>
+gen_tunable(fenced_can_ssh, false)
+
+attribute cluster_domain;
+attribute cluster_log;
+attribute cluster_pid;
+attribute cluster_tmpfs;
+
+rhcs_domain_template(dlm_controld)
+
+type dlm_controld_initrc_exec_t;
+init_script_file(dlm_controld_initrc_exec_t)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(foghorn)
+
+type foghorn_initrc_exec_t;
+init_script_file(foghorn_initrc_exec_t)
+
+rhcs_domain_template(gfs_controld)
+rhcs_domain_template(groupd)
+rhcs_domain_template(qdiskd)
+
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# Common cluster domains local policy
+#
+
+allow cluster_domain self:capability sys_nice;
+allow cluster_domain self:process setsched;
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ ccs_stream_connect(cluster_domain)
+')
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+kernel_rw_net_sysctls(dlm_controld_t)
+
+corecmd_exec_bin(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process { getsched signal_perms };
+allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:unix_stream_socket connectto;
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+can_exec(fenced_t, fenced_exec_t)
+
+kernel_read_system_state(fenced_t)
+
+corecmd_exec_bin(fenced_t)
+corecmd_exec_shell(fenced_t)
+
+corenet_all_recvfrom_unlabeled(fenced_t)
+corenet_all_recvfrom_netlabel(fenced_t)
+corenet_tcp_sendrecv_generic_if(fenced_t)
+corenet_udp_sendrecv_generic_if(fenced_t)
+corenet_tcp_sendrecv_generic_node(fenced_t)
+corenet_udp_sendrecv_generic_node(fenced_t)
+corenet_tcp_bind_generic_node(fenced_t)
+corenet_udp_bind_generic_node(fenced_t)
+
+corenet_sendrecv_ionixnetmon_server_packets(fenced_t)
+corenet_udp_bind_ionixnetmon_port(fenced_t)
+corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+
+corenet_sendrecv_zented_server_packets(fenced_t)
+corenet_tcp_bind_zented_port(fenced_t)
+corenet_tcp_sendrecv_zented_port(fenced_t)
+
+corenet_sendrecv_http_client_packets(fenced_t)
+corenet_tcp_connect_http_port(fenced_t)
+corenet_tcp_sendrecv_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_files(fenced_t)
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_generic_ptys(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_sendrecv_all_client_packets(fenced_t)
+ corenet_tcp_connect_all_ports(fenced_t)
+ corenet_tcp_sendrecv_all_ports(fenced_t)
+')
+
+optional_policy(`
+ tunable_policy(`fenced_can_ssh',`
+ allow fenced_t self:capability { setgid setuid };
+
+ corenet_sendrecv_ssh_client_packets(fenced_t)
+ corenet_tcp_connect_ssh_port(fenced_t)
+ corenet_tcp_sendrecv_ssh_port(fenced_t)
+
+ ssh_exec(fenced_t)
+ ssh_read_user_home_files(fenced_t)
+ ')
+')
+
+optional_policy(`
+ corosync_exec(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+')
+
+optional_policy(`
+ gnome_read_generic_home_content(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+optional_policy(`
+ snmp_manage_var_lib_files(fenced_t)
+ snmp_manage_var_lib_dirs(fenced_t)
+')
+
+#######################################
+#
+# foghorn local policy
+#
+
+allow foghorn_t self:process signal;
+allow foghorn_t self:tcp_socket create_stream_socket_perms;
+allow foghorn_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(foghorn_t)
+corenet_all_recvfrom_netlabel(foghorn_t)
+corenet_tcp_sendrecv_generic_if(foghorn_t)
+corenet_tcp_sendrecv_generic_node(foghorn_t)
+
+corenet_sendrecv_agentx_client_packets(foghorn_t)
+corenet_tcp_connect_agentx_port(foghorn_t)
+corenet_tcp_sendrecv_agentx_port(foghorn_t)
+
+dev_read_urand(foghorn_t)
+
+files_read_usr_files(foghorn_t)
+
+optional_policy(`
+ dbus_connect_system_bus(foghorn_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(foghorn_t)
+ snmp_stream_connect(foghorn_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+allow groupd_t self:shm create_shm_perms;
+
+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability { ipc_lock sys_boot };
+allow qdiskd_t self:tcp_socket { accept listen };
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_exec_bin(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+
+fs_list_hugetlbfs(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
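Review bot: The `fenced_can_ssh` description only says "Determine whether fenced can use ssh", but turning the boolean on also grants fenced_t `setuid`/`setgid` and `ssh_read_user_home_files`, i.e. read access to the ssh content of every user's home directory; that description is what an administrator sees when listing booleans, so it should state the extra exposure. I would expand the `<desc>` to `Determine whether fenced can use ssh to reach fence devices. Enabling this also allows fenced to change uid/gid and to read users' ssh home directory content.` Separately, qdiskd_t is granted `dev_manage_generic_blk_files` and `dev_manage_generic_chr_files`, which let it create and delete generic device nodes under /dev on top of raw read/write of fixed disks; if it only opens existing quorum-disk nodes, a read/write-only interface such as `dev_rw_generic_blk_files` is the narrower grant — worth confirming against what qdiskd actually does.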
diff --git a/policy/modules/services/rhgb.fc b/policy/modules/services/rhgb.fc
new file mode 100644
index 000000000..b83c05f91
--- /dev/null
+++ b/policy/modules/services/rhgb.fc
@@ -0,0 +1 @@
+/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
new file mode 100644
index 000000000..1a134a72e
--- /dev/null
+++ b/policy/modules/services/rhgb.if
@@ -0,0 +1,205 @@
+## <summary> Red Hat Graphical Boot.</summary>
+
+########################################
+## <summary>
+## RHGB stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## N/A
+## </summary>
+## </param>
+#
+interface(`rhgb_stub',`
+ gen_require(`
+ type rhgb_t;
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use rhgb file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_fds',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:fd use;
+')
+
+########################################
+## <summary>
+## Get the process group of rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_getpgid',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send generic signals to rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_signal',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write inherited rhgb unix
+## domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## rhgb unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ dontaudit $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connected to rhgb with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_stream_connect',`
+ gen_require(`
+ type rhgb_t, rhgb_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
+')
+
+########################################
+## <summary>
+## Read and write to rhgb shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_shm',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read and write rhgb pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write rhgb pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write to rhgb tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_tmpfs_files',`
+ gen_require(`
+ type rhgb_tmpfs_t;
+ ')
+
+
+ fs_search_tmpfs($1)
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+')
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
new file mode 100644
index 000000000..3f32e4bb3
--- /dev/null
+++ b/policy/modules/services/rhgb.te
@@ -0,0 +1,127 @@
+policy_module(rhgb, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t, rhgb_exec_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process { setpgid signal_perms };
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket { accept listen };
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(rhgb_t, rhgb_devpts_t)
+
+manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
+
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_generic_node(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+
+corenet_sendrecv_all_client_packets(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
+fs_manage_ramfs_dirs(rhgb_t)
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+selinux_dontaudit_read_fs(rhgb_t)
+
+term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
+
+init_write_initctl(rhgb_t)
+
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
+
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
+sysnet_dns_name_resolve(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
+
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
+xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
+xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect(rhgb_t)
+
+optional_policy(`
+ consoletype_exec(rhgb_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+ udev_read_db(rhgb_t)
+')
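Review bot: rhgb_t is granted `corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` unconditionally, so a boot-splash daemon that is also allowed `sys_admin` may open a TCP connection to any port, while the comparable grant for fenced_t in the same commit is gated behind `fenced_can_network_connect` and defaults to off. I would move those three lines under an `rhgb_can_network_connect` tunable defaulting to false, leaving the generic_if/generic_node sendrecv lines unconditional. The `dontaudit rhgb_t self:capability sys_tty_config` directly after an allow that already includes `sys_tty_config` is a no-op and can be dropped. The `xserver_*` calls are the only cross-module calls in this file not wrapped in `optional_policy`, so the module presumably cannot link without xserver loaded — confirm that is intended.

```selinux
## <desc>
## <p>
## Determine whether rhgb can
## connect to the TCP network.
## </p>
## </desc>
gen_tunable(rhgb_can_network_connect, false)

# … unchanged: type declarations and the rest of the local policy …

tunable_policy(`rhgb_can_network_connect',`
	corenet_sendrecv_all_client_packets(rhgb_t)
	corenet_tcp_connect_all_ports(rhgb_t)
	corenet_tcp_sendrecv_all_ports(rhgb_t)
')
```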
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
new file mode 100644
index 000000000..95b6bc5ce
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
index 000000000..7bdee3cbb
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.if
@@ -0,0 +1,301 @@
+## <summary>Subscription Management Certificate Daemon.</summary>
+
+########################################
+## <summary>
+## Execute rhsmcertd in the rhsmcertd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_domtrans',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
+########################################
+## <summary>
+## Execute rhsmcertd init scripts
+## in the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_initrc_domtrans',`
+ gen_require(`
+ type rhsmcertd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_read_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Append rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_append_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Search rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_search_lib',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_dirs',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rhsmcertd_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd with a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_stream_connect',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+')
+
+#######################################
+## <summary>
+## Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rhsmcertd_t:dbus send_msg;
+ allow rhsmcertd_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Do not audit attempts to send
+## and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dontaudit_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rhsmcertd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
+ ')
+
+ allow $1 rhsmcertd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rhsmcertd_t)
+
+ init_startstop_service($1, $2, rhsmcertd_t, rhsmcertd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, rhsmcertd_lock_t)
+')
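Review bot: `rhsmcertd_read_pid_files` grants only `rhsmcertd_var_run_t:file read_file_perms` plus `files_search_pids`, but the file context in this commit labels the `/run/rhsm` directory itself `rhsmcertd_var_run_t` and the daemon creates directories of that type, so a caller still lacks `search` on that directory and cannot actually reach the pid file. Replace the allow with `read_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)`, which carries the directory search permission and matches the pattern used by the other read interfaces in this file. `rhsmcertd_search_lib` is unaffected since it intentionally grants directory access only.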
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
index 000000000..4419243e5
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,74 @@
+policy_module(rhsmcertd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhsmcertd_t;
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
+type rhsmcertd_log_t;
+logging_log_file(rhsmcertd_log_t)
+
+type rhsmcertd_lock_t;
+files_lock_file(rhsmcertd_lock_t)
+
+type rhsmcertd_var_lib_t;
+files_type(rhsmcertd_var_lib_t)
+
+type rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhsmcertd_t self:capability sys_nice;
+allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+
+manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+
+kernel_read_network_state(rhsmcertd_t)
+kernel_read_system_state(rhsmcertd_t)
+
+corecmd_exec_bin(rhsmcertd_t)
+
+dev_read_sysfs(rhsmcertd_t)
+dev_read_rand(rhsmcertd_t)
+dev_read_urand(rhsmcertd_t)
+
+files_list_tmp(rhsmcertd_t)
+files_read_etc_files(rhsmcertd_t)
+files_read_usr_files(rhsmcertd_t)
+
+init_read_state(rhsmcertd_t)
+
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_generic_certs(rhsmcertd_t)
+
+sysnet_dns_name_resolve(rhsmcertd_t)
+
+optional_policy(`
+ rpm_read_db(rhsmcertd_t)
+')
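Review bot: rhsmcertd_t receives `kernel_read_network_state`, `sysnet_dns_name_resolve` and `miscfiles_read_generic_certs` but no `corenet_*` connect or port sendrecv rule, so if this domain itself opens the TLS connection to the subscription service that connect is denied and the usual reaction is an all-ports grant. If the connection is made from this domain, the narrow shape used for foghorn and fenced in the same commit is the right one: `corenet_sendrecv_http_client_packets(rhsmcertd_t)`, `corenet_tcp_connect_http_port(rhsmcertd_t)`, `corenet_tcp_sendrecv_http_port(rhsmcertd_t)` together with the generic_if/generic_node tcp sendrecv lines. If the network exchange is deliberately done outside rhsmcertd_t, a one-line comment such as `# no network access: rhsmcertd_t does not contact the subscription server itself` would keep the omission from being re-raised. I cannot tell from the policy alone which of the two is intended.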
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
new file mode 100644
index 000000000..b7918a936
--- /dev/null
+++ b/policy/modules/services/ricci.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+
+/usr/bin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/bin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
+/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
+/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
+/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
new file mode 100644
index 000000000..086f434a0
--- /dev/null
+++ b/policy/modules/services/ricci.if
@@ -0,0 +1,219 @@
+## <summary>Ricci cluster management agent.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans',`
+ gen_require(`
+ type ricci_t, ricci_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run ricci modcluster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modcluster',`
+ gen_require(`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## ricci modcluster file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_use_modcluster_fds',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read write
+## ricci modcluster unamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Connect to ricci_modclusterd with
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_stream_connect_modclusterd',`
+ gen_require(`
+ type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run ricci modlog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modlog',`
+ gen_require(`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run ricci modrpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modrpm',`
+ gen_require(`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run ricci modservice.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modservice',`
+ gen_require(`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run ricci modstorage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modstorage',`
+ gen_require(`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ricci environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ricci_admin',`
+ gen_require(`
+ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ ')
+
+ allow $1 ricci_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ricci_t)
+
+ init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ricci_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ricci_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ricci_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ricci_var_run_t)
+')
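Review bot: The summary of `ricci_dontaudit_rw_modcluster_pipes` misspells "unnamed" (`## ricci modcluster unamed pipes.`), and the `ricci_admin` summary reads "administrate an ricci environment"; these summaries are what the generated interface documentation shows, so the typos are user-visible. Change the two lines to `## ricci modcluster unnamed pipes.` and `## administrate a ricci environment.`. The same "an <consonant>" phrasing appears in the rngd.if and roundup.if admin interfaces in this commit.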
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
new file mode 100644
index 000000000..d808ab663
--- /dev/null
+++ b/policy/modules/services/ricci.te
@@ -0,0 +1,531 @@
+policy_module(ricci, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type ricci_t;
+type ricci_exec_t;
+init_daemon_domain(ricci_t, ricci_exec_t)
+
+type ricci_initrc_exec_t;
+init_script_file(ricci_initrc_exec_t)
+
+type ricci_tmp_t;
+files_tmp_file(ricci_tmp_t)
+
+type ricci_var_lib_t;
+files_type(ricci_var_lib_t)
+
+type ricci_var_log_t;
+logging_log_file(ricci_var_log_t)
+
+type ricci_var_run_t;
+files_pid_file(ricci_var_run_t)
+
+type ricci_modcluster_t;
+type ricci_modcluster_exec_t;
+domain_type(ricci_modcluster_t)
+domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
+role system_r types ricci_modcluster_t;
+
+type ricci_modcluster_var_lib_t;
+files_type(ricci_modcluster_var_lib_t)
+
+type ricci_modcluster_var_log_t;
+logging_log_file(ricci_modcluster_var_log_t)
+
+type ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_var_run_t)
+
+type ricci_modclusterd_t;
+type ricci_modclusterd_exec_t;
+init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
+type ricci_modclusterd_tmpfs_t;
+files_tmpfs_file(ricci_modclusterd_tmpfs_t)
+
+type ricci_modlog_t;
+type ricci_modlog_exec_t;
+domain_type(ricci_modlog_t)
+domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
+role system_r types ricci_modlog_t;
+
+type ricci_modrpm_t;
+type ricci_modrpm_exec_t;
+domain_type(ricci_modrpm_t)
+domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
+role system_r types ricci_modrpm_t;
+
+type ricci_modservice_t;
+type ricci_modservice_exec_t;
+domain_type(ricci_modservice_t)
+domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
+role system_r types ricci_modservice_t;
+
+type ricci_modstorage_t;
+type ricci_modstorage_exec_t;
+domain_type(ricci_modstorage_t)
+domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
+role system_r types ricci_modstorage_t;
+
+type ricci_modstorage_lock_t;
+files_lock_file(ricci_modstorage_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ricci_t self:capability { setuid sys_boot sys_nice };
+allow ricci_t self:process setsched;
+allow ricci_t self:fifo_file rw_fifo_file_perms;
+allow ricci_t self:unix_stream_socket { accept connectto listen };
+allow ricci_t self:tcp_socket { accept listen };
+
+domtrans_pattern(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
+domtrans_pattern(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
+domtrans_pattern(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
+domtrans_pattern(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
+domtrans_pattern(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
+
+manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
+
+manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
+
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
+append_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+create_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+setattr_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_t)
+kernel_read_system_state(ricci_t)
+
+corecmd_exec_bin(ricci_t)
+
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
+corenet_tcp_sendrecv_generic_if(ricci_t)
+corenet_tcp_sendrecv_generic_node(ricci_t)
+corenet_tcp_bind_generic_node(ricci_t)
+corenet_udp_bind_generic_node(ricci_t)
+
+corenet_sendrecv_ricci_server_packets(ricci_t)
+corenet_tcp_bind_ricci_port(ricci_t)
+corenet_tcp_sendrecv_ricci_port(ricci_t)
+corenet_udp_bind_ricci_port(ricci_t)
+corenet_udp_sendrecv_ricci_port(ricci_t)
+
+corenet_sendrecv_http_client_packets(ricci_t)
+corenet_tcp_connect_http_port(ricci_t)
+corenet_tcp_sendrecv_http_port(ricci_t)
+
+dev_read_urand(ricci_t)
+
+domain_read_all_domains_state(ricci_t)
+
+files_read_etc_files(ricci_t)
+files_read_etc_runtime_files(ricci_t)
+files_create_boot_flag(ricci_t)
+
+auth_domtrans_chk_passwd(ricci_t)
+auth_append_login_records(ricci_t)
+
+init_stream_connect_script(ricci_t)
+
+locallogin_dontaudit_use_fds(ricci_t)
+
+logging_send_syslog_msg(ricci_t)
+
+miscfiles_read_localization(ricci_t)
+
+sysnet_dns_name_resolve(ricci_t)
+
+optional_policy(`
+ ccs_read_config(ricci_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ricci_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(ricci_t)
+ ')
+')
+
+optional_policy(`
+ corecmd_bin_entry_type(ricci_t)
+ term_dontaudit_search_ptys(ricci_t)
+ init_exec(ricci_t)
+
+ oddjob_system_entry(ricci_t, ricci_exec_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(ricci_t)
+')
+
+optional_policy(`
+ sasl_connect(ricci_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(ricci_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(ricci_t)
+')
+
+########################################
+#
+# Modcluster local policy
+#
+
+allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:process setsched;
+allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modcluster_t)
+kernel_read_system_state(ricci_modcluster_t)
+
+corecmd_exec_bin(ricci_modcluster_t)
+corecmd_exec_shell(ricci_modcluster_t)
+
+corenet_all_recvfrom_unlabeled(ricci_modcluster_t)
+corenet_all_recvfrom_netlabel(ricci_modcluster_t)
+corenet_tcp_sendrecv_generic_if(ricci_modcluster_t)
+corenet_tcp_sendrecv_generic_node(ricci_modcluster_t)
+corenet_tcp_sendrecv_all_ports(ricci_modcluster_t)
+corenet_tcp_bind_generic_node(ricci_modcluster_t)
+
+corenet_sendrecv_all_server_packets(ricci_modcluster_t)
+corenet_tcp_bind_all_rpc_ports(ricci_modcluster_t)
+
+corenet_tcp_bind_cluster_port(ricci_modcluster_t)
+corenet_sendrecv_cluster_client_packets(ricci_modcluster_t)
+corenet_tcp_connect_cluster_port(ricci_modcluster_t)
+
+domain_read_all_domains_state(ricci_modcluster_t)
+
+files_search_locks(ricci_modcluster_t)
+files_read_etc_runtime_files(ricci_modcluster_t)
+files_search_usr(ricci_modcluster_t)
+
+auth_use_nsswitch(ricci_modcluster_t)
+
+init_exec(ricci_modcluster_t)
+init_domtrans_script(ricci_modcluster_t)
+
+logging_send_syslog_msg(ricci_modcluster_t)
+
+miscfiles_read_localization(ricci_modcluster_t)
+
+ricci_stream_connect_modclusterd(ricci_modcluster_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+ corosync_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modcluster_t)
+ ccs_domtrans(ricci_modcluster_t)
+ ccs_manage_config(ricci_modcluster_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ modutils_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ mount_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
+')
+
+optional_policy(`
+ rgmanager_stream_connect(ricci_modcluster_t)
+')
+
+########################################
+#
+# Modclusterd local policy
+#
+
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
+allow ricci_modclusterd_t self:process { signal sigkill setsched };
+allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:socket create_socket_perms;
+
+allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
+
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr_dir_perms;
+append_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+create_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+setattr_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_modclusterd_t)
+kernel_read_system_state(ricci_modclusterd_t)
+kernel_request_load_module(ricci_modclusterd_t)
+
+corecmd_exec_bin(ricci_modclusterd_t)
+
+corenet_all_recvfrom_unlabeled(ricci_modclusterd_t)
+corenet_all_recvfrom_netlabel(ricci_modclusterd_t)
+corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
+corenet_tcp_sendrecv_generic_node(ricci_modclusterd_t)
+corenet_tcp_bind_generic_node(ricci_modclusterd_t)
+
+corenet_sendrecv_ricci_modcluster_server_packets(ricci_modclusterd_t)
+corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_sendrecv_ricci_modcluster_client_packets(ricci_modclusterd_t)
+corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_tcp_sendrecv_ricci_modcluster_port(ricci_modclusterd_t)
+
+domain_read_all_domains_state(ricci_modclusterd_t)
+
+files_read_etc_runtime_files(ricci_modclusterd_t)
+
+fs_getattr_xattr_fs(ricci_modclusterd_t)
+
+auth_use_nsswitch(ricci_modclusterd_t)
+
+init_stream_connect_script(ricci_modclusterd_t)
+
+locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+logging_send_syslog_msg(ricci_modclusterd_t)
+
+miscfiles_read_localization(ricci_modclusterd_t)
+
+sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
+ corosync_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ ccs_domtrans(ricci_modclusterd_t)
+ ccs_stream_connect(ricci_modclusterd_t)
+ ccs_read_config(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_modclusterd_t)
+')
+
+########################################
+#
+# Modlog local policy
+#
+
+allow ricci_modlog_t self:capability sys_nice;
+allow ricci_modlog_t self:process setsched;
+
+kernel_read_kernel_sysctls(ricci_modlog_t)
+kernel_read_system_state(ricci_modlog_t)
+
+corecmd_exec_bin(ricci_modlog_t)
+
+domain_read_all_domains_state(ricci_modlog_t)
+
+files_read_etc_files(ricci_modlog_t)
+files_search_usr(ricci_modlog_t)
+
+logging_read_generic_logs(ricci_modlog_t)
+
+miscfiles_read_localization(ricci_modlog_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modlog_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
+')
+
+########################################
+#
+# Modrpm local policy
+#
+
+allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modrpm_t)
+
+corecmd_exec_bin(ricci_modrpm_t)
+
+files_search_usr(ricci_modrpm_t)
+files_read_etc_files(ricci_modrpm_t)
+
+miscfiles_read_localization(ricci_modrpm_t)
+
+optional_policy(`
+ oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+')
+
+optional_policy(`
+ rpm_domtrans(ricci_modrpm_t)
+')
+
+########################################
+#
+# Modservice local policy
+#
+
+allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:process setsched;
+allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modservice_t)
+kernel_read_system_state(ricci_modservice_t)
+
+corecmd_exec_bin(ricci_modservice_t)
+corecmd_exec_shell(ricci_modservice_t)
+
+files_read_etc_files(ricci_modservice_t)
+files_read_etc_runtime_files(ricci_modservice_t)
+files_search_usr(ricci_modservice_t)
+files_manage_etc_symlinks(ricci_modservice_t)
+
+init_domtrans_script(ricci_modservice_t)
+
+miscfiles_read_localization(ricci_modservice_t)
+
+optional_policy(`
+ ccs_read_config(ricci_modservice_t)
+')
+
+optional_policy(`
+ consoletype_exec(ricci_modservice_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modservice_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
+')
+
+########################################
+#
+# Modstorage local policy
+#
+
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:process { setsched signal };
+dontaudit ricci_modstorage_t self:process ptrace;
+allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modstorage_t)
+kernel_read_system_state(ricci_modstorage_t)
+
+create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
+files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
+
+corecmd_exec_bin(ricci_modstorage_t)
+corecmd_exec_shell(ricci_modstorage_t)
+
+dev_read_sysfs(ricci_modstorage_t)
+dev_read_urand(ricci_modstorage_t)
+dev_manage_generic_blk_files(ricci_modstorage_t)
+
+domain_read_all_domains_state(ricci_modstorage_t)
+
+files_manage_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
+files_read_usr_files(ricci_modstorage_t)
+files_read_kernel_modules(ricci_modstorage_t)
+
+storage_raw_read_fixed_disk(ricci_modstorage_t)
+
+term_dontaudit_use_console(ricci_modstorage_t)
+
+logging_send_syslog_msg(ricci_modstorage_t)
+
+miscfiles_read_localization(ricci_modstorage_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modstorage_t)
+ ccs_read_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ consoletype_exec(ricci_modstorage_t)
+')
+
+optional_policy(`
+ fstools_domtrans(ricci_modstorage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modstorage_t)
+ lvm_manage_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ modutils_read_module_deps(ricci_modstorage_t)
+')
+
+optional_policy(`
+ mount_domtrans(ricci_modstorage_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(ricci_modstorage_t)
+')
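Review bot: `ricci_modcluster_var_lib_t` is declared in the Declarations section (`type ricci_modcluster_var_lib_t;` / `files_type(...)`) but no rule in this file references it, and ricci.fc in the same commit assigns it to no path, so the type is dead unless another module uses it; either drop the declaration or add the manage/filetrans rules and an fc entry that give it a purpose. Separately, the modcluster section grants whole-range network access (`corenet_tcp_sendrecv_all_ports`, `corenet_tcp_bind_all_rpc_ports`, `corenet_sendrecv_all_server_packets`) and the modstorage section grants `files_manage_etc_files(ricci_modstorage_t)` with no comment recording which peer or file needs them. A one-line comment above each of these, naming the operation that requires the broad grant, would let a later reviewer decide whether a narrower port set or a dedicated etc type is possible.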
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
new file mode 100644
index 000000000..00e7f3a54
--- /dev/null
+++ b/policy/modules/services/rlogin.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+
+/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/bin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
new file mode 100644
index 000000000..050479dea
--- /dev/null
+++ b/policy/modules/services/rlogin.if
@@ -0,0 +1,150 @@
+## <summary>Remote login daemon.</summary>
+
+########################################
+## <summary>
+## Execute rlogind in the rlogin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rlogin_domtrans',`
+ gen_require(`
+ type rlogind_t, rlogind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+')
+
+########################################
+## <summary>
+## Read rlogin user home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rlogind home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rlogin_manage_rlogind_home_files',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 rlogind_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel rlogind home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rlogin_relabel_rlogind_home_files',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 rlogind_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the rlogind home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`rlogin_home_filetrans_logind_home',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, rlogind_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rlogind temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rlogin_manage_rlogind_tmp_content',`
+ gen_require(`
+ type rlogind_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 rlogind_tmp_t:dir manage_dir_perms;
+ allow $1 rlogind_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel rlogind temporary content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rlogin_relabel_rlogind_tmp_content',`
+ gen_require(`
+ type rlogind_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 rlogind_tmp_t:dir relabel_dir_perms;
+ allow $1 rlogind_tmp_t:file relabel_file_perms;
+')
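Review bot: `rlogin_read_home_content` is declared with `template(` while every sibling in this file uses `interface(` and it takes only a domain argument with no prefix, so the template form looks accidental; `interface(`rlogin_read_home_content',` matches the rest of the file. The name `rlogin_home_filetrans_logind_home` drops the leading "r" (`logind` rather than `rlogind`), which reads as a reference to systemd-logind; since the name is part of the module API, a rename would need the old name kept as a deprecated wrapper. `rlogin_manage_rlogind_home_files` also uses a bare `allow $1 rlogind_home_t:file manage_file_perms;` where the read interface above it uses the `*_pattern` macros; `manage_files_pattern($1, rlogind_home_t, rlogind_home_t)` would be consistent with it.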
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
new file mode 100644
index 000000000..0348564d9
--- /dev/null
+++ b/policy/modules/services/rlogin.te
@@ -0,0 +1,120 @@
+policy_module(rlogin, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+auth_login_pgm_domain(rlogind_t)
+inetd_service_domain(rlogind_t, rlogind_exec_t)
+init_daemon_domain(rlogind_t, rlogind_exec_t)
+
+type rlogind_devpts_t;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
+type rlogind_keytab_t;
+files_type(rlogind_keytab_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_fifo_file_perms;
+allow rlogind_t self:tcp_socket { accept listen };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(rlogind_t, rlogind_devpts_t)
+
+allow rlogind_t rlogind_home_t:file read_file_perms;
+
+allow rlogind_t rlogind_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
+
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+
+can_exec(rlogind_t, rlogind_exec_t)
+
+kernel_read_kernel_sysctls(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
+corenet_tcp_sendrecv_generic_if(rlogind_t)
+corenet_tcp_sendrecv_generic_node(rlogind_t)
+
+corenet_sendrecv_rlogind_server_packets(rlogind_t)
+corenet_tcp_bind_rlogind_port(rlogind_t)
+corenet_tcp_sendrecv_rlogind_port(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+domain_interactive_fd(rlogind_t)
+
+fs_getattr_all_fs(rlogind_t)
+fs_search_auto_mountpoints(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+auth_use_nsswitch(rlogind_t)
+
+files_read_etc_runtime_files(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_utmp(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_read_config(rlogind_t)
+
+userdom_search_user_home_dirs(rlogind_t)
+userdom_setattr_user_ptys(rlogind_t)
+userdom_use_user_terminals(rlogind_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(rlogind_t)
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ kerberos_manage_host_rcache(rlogind_t)
+ kerberos_use(rlogind_t)
+')
+
+optional_policy(`
+ remotelogin_domtrans(rlogind_t)
+ remotelogin_signal(rlogind_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
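Review bot: `rlogind_keytab_t` is declared and granted `read_file_perms` to rlogind_t, but rlogin.fc in the same commit labels nothing with it, so unless another module or local fc assigns the label the rule is unreachable and the kerberos keytab the daemon actually reads is covered only by `kerberos_read_keytab` in the optional block. Either add the matching rlogin.fc entry for the keytab path or a comment above the type declaration stating where the label is applied, e.g. `# labelled by <module> fc; kept here for the read rule below`. The `.rhosts`/`.rlogin` trust files under `rlogind_home_t` are read-only for rlogind_t here, which is the right direction for a file that decides host trust.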
diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
new file mode 100644
index 000000000..c49ab4ac8
--- /dev/null
+++ b/policy/modules/services/rngd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/policy/modules/services/rngd.if b/policy/modules/services/rngd.if
new file mode 100644
index 000000000..7b26dc322
--- /dev/null
+++ b/policy/modules/services/rngd.if
@@ -0,0 +1,32 @@
+## <summary>Check and feed random data from hardware device to kernel random device.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rng environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rngd_admin',`
+ gen_require(`
+ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+ ')
+
+ allow $1 rngd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rngd_t)
+
+ init_startstop_service($1, $2, rngd_t, rngd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rngd_var_run_t)
+')
diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
new file mode 100644
index 000000000..8cf7921dd
--- /dev/null
+++ b/policy/modules/services/rngd.te
@@ -0,0 +1,42 @@
+policy_module(rngd, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type rngd_t;
+type rngd_exec_t;
+init_daemon_domain(rngd_t, rngd_exec_t)
+
+type rngd_initrc_exec_t;
+init_script_file(rngd_initrc_exec_t)
+
+type rngd_var_run_t;
+files_pid_file(rngd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rngd_t self:capability { ipc_lock sys_admin };
+allow rngd_t self:process signal;
+allow rngd_t self:fifo_file rw_fifo_file_perms;
+allow rngd_t self:unix_stream_socket { accept listen };
+
+allow rngd_t rngd_var_run_t:file manage_file_perms;
+files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid")
+
+kernel_rw_kernel_sysctl(rngd_t)
+
+dev_read_rand(rngd_t)
+dev_read_urand(rngd_t)
+dev_rw_tpm(rngd_t)
+dev_write_rand(rngd_t)
+
+files_read_etc_files(rngd_t)
+
+logging_send_syslog_msg(rngd_t)
+
+miscfiles_read_localization(rngd_t)
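Review bot: `allow rngd_t self:capability { ipc_lock sys_admin };` grants CAP_SYS_ADMIN, the broadest capability, with no comment saying which operation needs it; presumably it is the entropy-injection ioctl on the random device (RNDADDENTROPY requires CAP_SYS_ADMIN), which would also explain the adjacent `dev_write_rand(rngd_t)`, but that should be recorded rather than inferred. Add above the line `# sys_admin: RNDADDENTROPY ioctl when feeding entropy to /dev/random -- confirm still required` so a later reviewer can re-check whether the grant can be dropped. The `kernel_rw_kernel_sysctl(rngd_t)` grant is likewise broad for a daemon that presumably touches only the random sysctls; a comment naming the sysctl would help there too.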
diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc
new file mode 100644
index 000000000..6f05cd06a
--- /dev/null
+++ b/policy/modules/services/roundup.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
+/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
+
+/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
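Review bot: The `--` on `/var/lib/roundup(/.*)?` restricts the `roundup_var_lib_t` label to regular files, so `/var/lib/roundup` itself and any subdirectory keep the parent `var_lib_t` label; compare `/var/lib/ricci(/.*)?` in ricci.fc, which carries no file-type flag. roundup.te in this commit only declares `manage_files_pattern` on the type and creates files via `files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)`, so this may be deliberate, but any subdirectory the tracker creates would then be unmanageable by roundup_t. Either drop the `--` (and add dir rules in roundup.te) or add a comment stating that only the files are meant to be labelled.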
diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
new file mode 100644
index 000000000..c874017b6
--- /dev/null
+++ b/policy/modules/services/roundup.if
@@ -0,0 +1,36 @@
+## <summary>Roundup Issue Tracking System.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an roundup environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+ gen_require(`
+ type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+ type roundup_initrc_exec_t;
+ ')
+
+ allow $1 roundup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, roundup_t)
+
+ init_startstop_service($1, $2, roundup_t, roundup_initrc_exec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, roundup_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, roundup_var_run_t)
+')
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
new file mode 100644
index 000000000..015c344f1
--- /dev/null
+++ b/policy/modules/services/roundup.te
@@ -0,0 +1,89 @@
+policy_module(roundup, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type roundup_t;
+type roundup_exec_t;
+init_daemon_domain(roundup_t, roundup_exec_t)
+
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
+type roundup_var_run_t;
+files_pid_file(roundup_var_run_t)
+
+type roundup_var_lib_t;
+files_type(roundup_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow roundup_t self:capability { setgid setuid };
+dontaudit roundup_t self:capability sys_tty_config;
+allow roundup_t self:process signal_perms;
+allow roundup_t self:unix_stream_socket { accept listen };
+allow roundup_t self:tcp_socket { accept listen };
+
+manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)
+
+manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
+files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+
+kernel_read_kernel_sysctls(roundup_t)
+kernel_list_proc(roundup_t)
+kernel_read_proc_symlinks(roundup_t)
+
+corecmd_exec_bin(roundup_t)
+
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
+corenet_tcp_sendrecv_generic_if(roundup_t)
+corenet_tcp_sendrecv_generic_node(roundup_t)
+corenet_tcp_bind_generic_node(roundup_t)
+
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_tcp_bind_http_cache_port(roundup_t)
+corenet_tcp_sendrecv_http_cache_port(roundup_t)
+
+corenet_sendrecv_smtp_client_packets(roundup_t)
+corenet_tcp_connect_smtp_port(roundup_t)
+corenet_tcp_sendrecv_smtp_port(roundup_t)
+
+dev_read_sysfs(roundup_t)
+dev_read_urand(roundup_t)
+
+domain_use_interactive_fds(roundup_t)
+
+files_read_etc_files(roundup_t)
+files_read_usr_files(roundup_t)
+
+fs_getattr_all_fs(roundup_t)
+fs_search_auto_mountpoints(roundup_t)
+
+logging_send_syslog_msg(roundup_t)
+
+miscfiles_read_localization(roundup_t)
+
+sysnet_dns_name_resolve(roundup_t)
+
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
+
+optional_policy(`
+ mysql_stream_connect(roundup_t)
+ mysql_tcp_connect(roundup_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(roundup_t)
+')
+
+optional_policy(`
+ udev_read_db(roundup_t)
+')
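Review bot: `manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)` and `files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)` cover plain files only, while roundup.fc in this commit labels `/var/lib/roundup(/.*)?` recursively, which suggests a tree rather than a flat directory. If roundup-server creates subdirectories under its tracker home (the policy alone does not tell), those creates would be denied and the new directories would not inherit roundup_var_lib_t. rpcbind.te in the same commit handles that case with `manage_dirs_pattern` plus `{ file dir ... }` in its filetrans, so the same shape would fit here; worth confirming against an audit log before widening.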
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
new file mode 100644
index 000000000..6dfd45166
--- /dev/null
+++ b/policy/modules/services/rpc.fc
@@ -0,0 +1,32 @@
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
+/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
+
+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+
+/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
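Review bot: `/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)` labels the statd pid file rpcd_var_run_t, while rpcbind.fc in this same commit labels `/run/rpc.statd\.pid` as rpcbind_var_run_t, so two modules claim one path with different types and the winner is decided by file_contexts specificity rather than by intent. rpc.statd itself is placed in rpcd_t by this file's `/usr/sbin/rpc\..*` entry, so the rpcbind.fc line looks like the one to drop if rpcbind is not expected to write that pid file; if it stays, its first dot should at least be escaped as `\.` like the surrounding entries.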
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
new file mode 100644
index 000000000..7063c42f6
--- /dev/null
+++ b/policy/modules/services/rpc.if
@@ -0,0 +1,395 @@
+## <summary>Remote Procedure Call Daemon.</summary>
+
+########################################
+## <summary>
+## RPC stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_stub',`
+ gen_require(`
+ type exports_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a rpc domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`rpc_domain_template',`
+ gen_require(`
+ attribute rpc_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, rpc_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ domain_use_interactive_fds($1_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ auth_use_nsswitch($1_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpc_dontaudit_getattr_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ dontaudit $1 exports_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_write_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+## Execute nfsd in the nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nfsd_exec_t, nfsd_t)
+')
+
+#######################################
+## <summary>
+## Execute nfsd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute rpcd in the rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+')
+
+#######################################
+## <summary>
+## Execute rpcd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nfs exported content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_read_nfs_content',`
+ gen_require(`
+ type nfsd_ro_t, nfsd_rw_t;
+ ')
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs exported read write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_rw_content',`
+ gen_require(`
+ type nfsd_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs exported read only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_ro_content',`
+ gen_require(`
+ type nfsd_ro_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+')
+
+########################################
+## <summary>
+## Read and write to nfsd tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read and write to nfsd udp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Search nfs lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search;
+')
+
+########################################
+## <summary>
+## Read nfs lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+
+ ifdef(`distro_gentoo',`
+ rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rpc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_admin',`
+ gen_require(`
+ attribute rpc_domain;
+ type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+ type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ type nfsd_t, rpcd_t;
+ ')
+
+ allow $1 rpc_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, rpc_domain)
+
+ init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t)
+ init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { gssd_keytab_t exports_t })
+
+ files_list_var_lib($1)
+ admin_pattern($1, var_lib_nfs_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcd_var_run_t)
+
+ files_list_all($1)
+ admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+
+ files_list_tmp($1)
+ admin_pattern($1, gssd_tmp_t)
+
+ fs_search_nfsd_fs($1)
+')
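Review bot: `rpc_write_exports` grants `allow $1 exports_t:file write;` without `open`, so a caller can only write /etc/exports through a descriptor it inherited, never open the file itself. If that is the intent the summary should say so (`## Write export files via an inherited descriptor.`); otherwise a caller that edits the file would expect `allow $1 exports_t:file { open write };` or `rw_file_perms`. The sibling `rpc_read_exports` uses `read_file_perms`, which does include `open`, so the asymmetry is easy to miss.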
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
new file mode 100644
index 000000000..2eaf02afd
--- /dev/null
+++ b/policy/modules/services/rpc.te
@@ -0,0 +1,363 @@
+policy_module(rpc, 1.21.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether gssd can read
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp, false)
+
+## <desc>
+## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
+## Determine whether nfs can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write, false)
+
+attribute rpc_domain;
+
+type exports_t;
+files_config_file(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_keytab_t;
+files_type(gssd_keytab_t)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpcd_var_run_t;
+files_pid_file(rpcd_var_run_t)
+
+rpc_domain_template(rpcd)
+
+type rpcd_initrc_exec_t;
+init_script_file(rpcd_initrc_exec_t)
+
+type rpcd_unit_t;
+init_unit_file(rpcd_unit_t)
+
+rpc_domain_template(nfsd)
+
+type nfsd_initrc_exec_t;
+init_script_file(nfsd_initrc_exec_t)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type nfsd_unit_t;
+init_unit_file(nfsd_unit_t)
+
+type var_lib_nfs_t;
+files_mountpoint(var_lib_nfs_t)
+
+########################################
+#
+# Common rpc domain local policy
+#
+
+dontaudit rpc_domain self:capability { net_admin sys_tty_config };
+allow rpc_domain self:process signal_perms;
+allow rpc_domain self:unix_stream_socket { accept listen };
+allow rpc_domain self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
+manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
+
+kernel_read_system_state(rpc_domain)
+kernel_read_kernel_sysctls(rpc_domain)
+kernel_rw_rpc_sysctls(rpc_domain)
+
+dev_read_sysfs(rpc_domain)
+dev_read_urand(rpc_domain)
+dev_read_rand(rpc_domain)
+
+corenet_all_recvfrom_unlabeled(rpc_domain)
+corenet_all_recvfrom_netlabel(rpc_domain)
+corenet_tcp_sendrecv_generic_if(rpc_domain)
+corenet_udp_sendrecv_generic_if(rpc_domain)
+corenet_tcp_sendrecv_generic_node(rpc_domain)
+corenet_udp_sendrecv_generic_node(rpc_domain)
+corenet_tcp_sendrecv_all_ports(rpc_domain)
+corenet_udp_sendrecv_all_ports(rpc_domain)
+corenet_tcp_bind_generic_node(rpc_domain)
+corenet_udp_bind_generic_node(rpc_domain)
+
+corenet_sendrecv_all_server_packets(rpc_domain)
+corenet_tcp_bind_reserved_port(rpc_domain)
+corenet_tcp_connect_all_ports(rpc_domain)
+corenet_sendrecv_portmap_client_packets(rpc_domain)
+corenet_dontaudit_tcp_bind_all_ports(rpc_domain)
+corenet_dontaudit_udp_bind_all_ports(rpc_domain)
+corenet_tcp_bind_generic_port(rpc_domain)
+corenet_udp_bind_generic_port(rpc_domain)
+corenet_tcp_bind_all_rpc_ports(rpc_domain)
+corenet_udp_bind_all_rpc_ports(rpc_domain)
+
+fs_rw_rpc_named_pipes(rpc_domain)
+fs_search_auto_mountpoints(rpc_domain)
+
+files_read_etc_runtime_files(rpc_domain)
+files_read_usr_files(rpc_domain)
+files_list_home(rpc_domain)
+
+logging_send_syslog_msg(rpc_domain)
+
+miscfiles_read_localization(rpc_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
+
+optional_policy(`
+ rpcbind_stream_connect(rpc_domain)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(rpc_domain)
+')
+
+optional_policy(`
+ udev_read_db(rpc_domain)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability2 block_suspend;
+allow rpcd_t self:process { getcap setcap };
+allow rpcd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+
+can_exec(rpcd_t, rpcd_exec_t)
+
+kernel_read_network_state(rpcd_t)
+kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
+kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
+
+corecmd_exec_bin(rpcd_t)
+
+files_manage_mounttab(rpcd_t)
+files_getattr_all_dirs(rpcd_t)
+
+fs_list_rpc(rpcd_t)
+fs_read_rpc_files(rpcd_t)
+fs_read_rpc_symlinks(rpcd_t)
+fs_rw_rpc_sockets(rpcd_t)
+fs_get_all_fs_quotas(rpcd_t)
+fs_set_xattr_fs_quotas(rpcd_t)
+fs_getattr_all_fs(rpcd_t)
+
+storage_getattr_fixed_disk_dev(rpcd_t)
+
+selinux_dontaudit_read_fs(rpcd_t)
+
+miscfiles_read_generic_certs(rpcd_t)
+miscfiles_read_generic_tls_privkey(rpcd_t)
+
+seutil_dontaudit_search_config(rpcd_t)
+
+userdom_signal_all_users(rpcd_t)
+
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcd_t)
+')
+
+optional_policy(`
+ automount_signal(rpcd_t)
+ automount_dontaudit_write_pipes(rpcd_t)
+')
+
+optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+')
+
+optional_policy(`
+ quota_manage_db_files(rpcd_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmp_files(rpcd_t)
+')
+
+optional_policy(`
+ unconfined_signal(rpcd_t)
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+
+allow nfsd_t exports_t:file read_file_perms;
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+
+kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
+kernel_request_load_module(nfsd_t)
+# kernel_mounton_proc(nfsd_t)
+
+corenet_sendrecv_nfs_server_packets(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
+corenet_udp_bind_nfs_port(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
+
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+dev_rw_lvm_control(nfsd_t)
+
+files_getattr_tmp_dirs(nfsd_t)
+files_manage_mounttab(nfsd_t)
+
+fs_mount_nfsd_fs(nfsd_t)
+fs_getattr_all_fs(nfsd_t)
+fs_getattr_all_dirs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t)
+# fs_manage_nfsd_fs(nfsd_t)
+
+storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
+
+miscfiles_read_public_files(nfsd_t)
+
+ifdef(`distro_gentoo',`
+ allow nfsd_t self:udp_socket listen;
+')
+
+tunable_policy(`allow_nfsd_anon_write',`
+ miscfiles_manage_public_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+ files_manage_non_auth_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_ro',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ files_getattr_all_pipes(nfsd_t)
+ files_getattr_all_sockets(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+ files_list_non_auth_dirs(nfsd_t)
+ files_read_non_auth_files(nfsd_t)
+')
+
+optional_policy(`
+ mount_exec(nfsd_t)
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_fifo_file_perms;
+
+allow gssd_t gssd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+fs_read_nfs_files(gssd_t)
+
+files_list_tmp(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
+optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
+ kerberos_manage_host_rcache(gssd_t)
+ kerberos_read_keytab(gssd_t)
+ kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_use(gssd_t)
+')
+
+optional_policy(`
+ mount_signal(gssd_t)
+')
+
+optional_policy(`
+ pcscd_read_pid_files(gssd_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_tmp_files(gssd_t)
+')
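Review bot: `allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };` and `corenet_tcp_connect_all_ports(rpc_domain)` are the broadest grants in this file and carry no explanation, unlike `kernel_write_proc_files(rpcd_t)` which gets `# for /proc/fs/lockd/nlm_end_grace`. sys_admin on rpcd_t and connect-to-any-port on every rpc_domain member (gssd_t, nfsd_t, rpcd_t) each deserve a one-line why-comment so a later maintainer can tell whether they can be narrowed, e.g. `# sys_admin: <reason> -- TODO confirm which rpc.* daemon needs it`. As a style nit, the `optional_policy` blocks for `gssproxy_stream_connect` and `kerberos_manage_host_rcache` lack the blank line that separates every other block in the file.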
diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
new file mode 100644
index 000000000..afba9b291
--- /dev/null
+++ b/policy/modules/services/rpcbind.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+
+/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
new file mode 100644
index 000000000..78ca83a4a
--- /dev/null
+++ b/policy/modules/services/rpcbind.if
@@ -0,0 +1,170 @@
+## <summary>Universal Addresses to RPC Program Number Mapper.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rpcbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpcbind_domtrans',`
+ gen_require(`
+ type rpcbind_t, rpcbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
+')
+
+########################################
+## <summary>
+## Connect to rpcbind with a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_stream_connect',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+')
+
+########################################
+## <summary>
+## Read rpcbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_pid_files',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search rpcbind lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_search_lib',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_manage_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+')
+
+########################################
+## <summary>
+## Send null signals to rpcbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_signull',`
+ gen_require(`
+ type rpcbind_t;
+ ')
+
+ allow $1 rpcbind_t:process signull;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rpcbind environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpcbind_admin',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
+ type rpcbind_initrc_exec_t;
+ ')
+
+ allow $1 rpcbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rpcbind_t)
+
+ init_startstop_service($1, $2, rpcbind_t, rpcbind_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rpcbind_var_lib_t)
+')
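Review bot: `rpcbind_admin` uses `files_search_pids($1)` and `files_search_var_lib($1)` ahead of its `admin_pattern` calls, whereas the other admin interfaces in this commit (`roundup_admin`, `rpc_admin`) use `files_list_pids($1)` and `files_list_var_lib($1)`. An admin role that can manage rpcbind_var_run_t and rpcbind_var_lib_t but cannot list /run or /var/lib is an odd combination; switching to `files_list_pids($1)` and `files_list_var_lib($1)` keeps the admin interfaces consistent.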
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
new file mode 100644
index 000000000..5914af990
--- /dev/null
+++ b/policy/modules/services/rpcbind.te
@@ -0,0 +1,80 @@
+policy_module(rpcbind, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type rpcbind_t;
+type rpcbind_exec_t;
+init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)
+
+type rpcbind_initrc_exec_t;
+init_script_file(rpcbind_initrc_exec_t)
+
+type rpcbind_var_run_t;
+files_pid_file(rpcbind_var_run_t)
+init_daemon_pid_file(rpcbind_var_run_t, dir, "rpcbind")
+
+type rpcbind_var_lib_t;
+files_type(rpcbind_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
+allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+allow rpcbind_t self:unix_stream_socket { accept listen };
+allow rpcbind_t self:tcp_socket { accept listen };
+
+manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+
+manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(rpcbind_t)
+kernel_read_network_state(rpcbind_t)
+kernel_request_load_module(rpcbind_t)
+
+corenet_all_recvfrom_unlabeled(rpcbind_t)
+corenet_all_recvfrom_netlabel(rpcbind_t)
+corenet_tcp_sendrecv_generic_if(rpcbind_t)
+corenet_udp_sendrecv_generic_if(rpcbind_t)
+corenet_tcp_sendrecv_generic_node(rpcbind_t)
+corenet_udp_sendrecv_generic_node(rpcbind_t)
+corenet_tcp_sendrecv_all_ports(rpcbind_t)
+corenet_udp_sendrecv_all_ports(rpcbind_t)
+corenet_tcp_bind_generic_node(rpcbind_t)
+corenet_udp_bind_generic_node(rpcbind_t)
+
+corenet_sendrecv_all_server_packets(rpcbind_t)
+corenet_tcp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_all_rpc_ports(rpcbind_t)
+
+corecmd_exec_shell(rpcbind_t)
+
+dev_read_cpu_online(rpcbind_t)
+
+domain_use_interactive_fds(rpcbind_t)
+
+files_read_etc_runtime_files(rpcbind_t)
+
+auth_use_nsswitch(rpcbind_t)
+
+logging_send_syslog_msg(rpcbind_t)
+
+miscfiles_read_localization(rpcbind_t)
+
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+')
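Review bot: `init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)` references rpcbind_var_run_t four lines before its `type rpcbind_var_run_t;` declaration. That should not break the build, but every other module in this commit declares a type before using it, and moving the call to just after `init_daemon_pid_file(rpcbind_var_run_t, dir, "rpcbind")` keeps the Declarations section readable top-down. Separately, `corecmd_exec_shell(rpcbind_t)` has no comment on why the portmapper needs to execute a shell, where the neighbouring `# net_admin is for SO_SNDBUFFORCE` shows the file's convention; `# exec_shell: <reason> -- TODO confirm` would do.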
diff --git a/policy/modules/services/rshd.fc b/policy/modules/services/rshd.fc
new file mode 100644
index 000000000..b77f12dca
--- /dev/null
+++ b/policy/modules/services/rshd.fc
@@ -0,0 +1,7 @@
+/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/bin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if
new file mode 100644
index 000000000..7ad29c046
--- /dev/null
+++ b/policy/modules/services/rshd.if
@@ -0,0 +1,20 @@
+## <summary>Remote shell service.</summary>
+
+########################################
+## <summary>
+## Execute rshd in the rshd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rshd_domtrans',`
+ gen_require(`
+ type rshd_exec_t, rshd_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rshd_exec_t, rshd_t)
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
new file mode 100644
index 000000000..0f4caffc4
--- /dev/null
+++ b/policy/modules/services/rshd.te
@@ -0,0 +1,79 @@
+policy_module(rshd, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type rshd_t;
+type rshd_exec_t;
+auth_login_pgm_domain(rshd_t)
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+
+type rshd_keytab_t;
+files_type(rshd_keytab_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
+allow rshd_t self:process { signal_perms setsched setpgid setexec };
+allow rshd_t self:fifo_file rw_fifo_file_perms;
+allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+allow rshd_t rshd_keytab_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(rshd_t)
+
+corecmd_search_bin(rshd_t)
+
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_tcp_bind_generic_node(rshd_t)
+
+corenet_sendrecv_all_server_packets(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
+
+files_list_home(rshd_t)
+
+logging_search_logs(rshd_t)
+
+miscfiles_read_localization(rshd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(rshd_t)
+ fs_read_nfs_symlinks(rshd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(rshd_t)
+ kerberos_read_keytab(rshd_t)
+ kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+ kerberos_use(rshd_t)
+')
+
+optional_policy(`
+ rlogin_read_home_content(rshd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
+')
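Review bot: `rshd_keytab_t` is declared and `allow rshd_t rshd_keytab_t:file read_file_perms;` depends on it, but rshd.fc in this commit labels no path with that type, so nothing on disk is rshd_keytab_t unless an administrator relabels by hand. Either add the keytab path to rshd.fc or, if the type is intentionally left for local assignment, say so next to the declaration: `# no default file context; the kshd keytab is labelled by the administrator`. The kerberos `optional_policy` block already grants `kerberos_read_keytab(rshd_t)`, so the dedicated type may be vestigial -- worth confirming before keeping both.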
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
new file mode 100644
index 000000000..83b8b4bd5
--- /dev/null
+++ b/policy/modules/services/rsync.fc
@@ -0,0 +1,7 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
+
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
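Review bot: The first entry, `/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)`, has a space before `s0` that none of the other entries in this file (or the neighbouring .fc files in this commit) have. It is harmless to the labeling tools but reads as a typo in a freshly added file; suggest `/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t,s0)` for consistency.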
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
new file mode 100644
index 000000000..097f4d3a3
--- /dev/null
+++ b/policy/modules/services/rsync.if
@@ -0,0 +1,279 @@
+## <summary>Fast incremental file transfer for synchronization.</summary>
+
+########################################
+## <summary>
+## Make rsync executable file an
+## entry point for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which rsync_exec_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute the rsync program in the rsync domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rsync_domtrans',`
+ gen_require(`
+ type rsync_t, rsync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rsync_exec_t, rsync_t)
+')
+
+########################################
+## <summary>
+## Execute rsync in the rsync domain, and
+## allow the specified role the rsync domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_run',`
+ gen_require(`
+ attribute_role rsync_roles;
+ ')
+
+ rsync_domtrans($1)
+ roleattribute $2 rsync_roles;
+')
+
+########################################
+## <summary>
+## Execute rsync in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Read rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 rsync_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 rsync_etc_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_manage_config_files',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in etc directories
+## with rsync etc type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`rsync_etc_filetrans_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rsync environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rsync_admin',`
+ gen_require(`
+ type rsync_t, rsync_etc_t, rsync_data_t;
+ type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
+ ')
+
+ allow $1 rsync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rsync_t)
+
+ files_search_etc($1)
+ admin_pattern($1, rsync_etc_t)
+
+ admin_pattern($1, rsync_data_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, rsync_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, rsync_tmp_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rsync_var_run_t)
+')
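Review bot: `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` are byte-identical, including their documentation blocks, so callers have two names for one rule set with nothing telling them which is canonical. If one is kept for compatibility, have it delegate instead of duplicating, e.g. the body of `rsync_entry_spec_domtrans` becomes `rsync_entry_domtrans($1, $2)`, and its `<summary>` should say it is an alias (refpolicy's usual deprecation warning macro could be added if the project treats it as deprecated — I am inferring that from convention, not from this diff). Separately, `rsync_admin` marks `role` as `unused="true"` and indeed never touches `$2`; that is consistent with the .te file declaring no initrc type, so no change needed there.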
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
new file mode 100644
index 000000000..ad85fa79a
--- /dev/null
+++ b/policy/modules/services/rsync.te
@@ -0,0 +1,200 @@
+policy_module(rsync, 1.16.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rsync can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(rsync_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether rsync can
+## use fuse file systems.
+## </p>
+## </desc>
+gen_tunable(rsync_use_fusefs, false)
+
+## <desc>
+## <p>
+## Determine whether rsync can use
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(rsync_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether rsync can
+## run as a client
+## </p>
+## </desc>
+gen_tunable(rsync_client, false)
+
+## <desc>
+## <p>
+## Determine whether rsync can
+## export all content read only.
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro, false)
+
+## <desc>
+## <p>
+## Determine whether rsync can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write, false)
+
+attribute_role rsync_roles;
+
+type rsync_t;
+type rsync_exec_t;
+init_daemon_domain(rsync_t, rsync_exec_t)
+application_domain(rsync_t, rsync_exec_t)
+role rsync_roles types rsync_t;
+
+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
+type rsync_data_t; # customizable
+files_type(rsync_data_t)
+
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
+type rsync_tmp_t;
+files_tmp_file(rsync_tmp_t)
+
+type rsync_var_run_t;
+files_pid_file(rsync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot };
+allow rsync_t self:process signal_perms;
+allow rsync_t self:fifo_file rw_fifo_file_perms;
+allow rsync_t self:tcp_socket { accept listen };
+
+allow rsync_t rsync_etc_t:file read_file_perms;
+
+allow rsync_t rsync_data_t:dir list_dir_perms;
+allow rsync_t rsync_data_t:file read_file_perms;
+allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
+
+allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(rsync_t, rsync_log_t, file)
+
+manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
+
+manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
+files_pid_filetrans(rsync_t, rsync_var_run_t, file)
+
+kernel_read_kernel_sysctls(rsync_t)
+kernel_read_system_state(rsync_t)
+kernel_read_network_state(rsync_t)
+
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
+corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_tcp_bind_generic_node(rsync_t)
+
+corenet_sendrecv_rsync_server_packets(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
+corenet_tcp_sendrecv_rsync_port(rsync_t)
+
+dev_read_urand(rsync_t)
+
+fs_getattr_all_fs(rsync_t)
+fs_search_auto_mountpoints(rsync_t)
+
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
+files_search_home(rsync_t)
+
+auth_can_read_shadow_passwords(rsync_t)
+auth_use_nsswitch(rsync_t)
+
+logging_send_syslog_msg(rsync_t)
+
+miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)
+
+tunable_policy(`allow_rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+tunable_policy(`rsync_client',`
+ corenet_sendrecv_rsync_client_packets(rsync_t)
+ corenet_tcp_connect_rsync_port(rsync_t)
+
+ corenet_sendrecv_ssh_client_packets(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ corenet_tcp_sendrecv_ssh_port(rsync_t)
+
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
+tunable_policy(`rsync_export_all_ro',`
+ fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_fusefs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
+ files_list_non_auth_dirs(rsync_t)
+ files_read_non_auth_files(rsync_t)
+ files_read_non_auth_symlinks(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+')
+
+tunable_policy(`rsync_use_cifs',`
+ fs_list_cifs(rsync_t)
+ fs_read_cifs_files(rsync_t)
+ fs_read_cifs_symlinks(rsync_t)
+')
+
+tunable_policy(`rsync_use_fusefs',`
+ fs_search_fusefs(rsync_t)
+ fs_read_fusefs_files(rsync_t)
+ fs_read_fusefs_symlinks(rsync_t)
+')
+
+tunable_policy(`rsync_use_nfs',`
+ fs_list_nfs(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_nfs_symlinks(rsync_t)
+')
+
+optional_policy(`
+ tunable_policy(`rsync_client',`
+ ssh_exec(rsync_t)
+ ')
+')
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(rsync_t)
+')
+
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
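Review bot: The `rsync_export_all_ro` tunable description near the top of the file says only "export all content read only", but the block it controls also calls `auth_tunable_read_shadow(rsync_t)` and `files_read_non_auth_files(rsync_t)`, so enabling it lets the daemon read shadow password data, which an administrator toggling the boolean would want to know. Suggest extending the `<desc>` text to something like "Determine whether rsync can export all content read only, including shadow password files." The unconditional `auth_can_read_shadow_passwords(rsync_t)` appears to be the attribute assignment that makes the tunable's shadow access pass policy checks, so it is not an error by itself, but a one-line comment above it pointing at the tunable (`# required for rsync_export_all_ro`) would make the pairing visible.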
diff --git a/policy/modules/services/rtkit.fc b/policy/modules/services/rtkit.fc
new file mode 100644
index 000000000..a3021dacd
--- /dev/null
+++ b/policy/modules/services/rtkit.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_initrc_exec_t,s0)
+
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
new file mode 100644
index 000000000..ed6d0cd1d
--- /dev/null
+++ b/policy/modules/services/rtkit.if
@@ -0,0 +1,94 @@
+## <summary>Realtime scheduling for user processes.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rtkit_daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_domtrans',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rtkit_daemon_t:dbus send_msg;
+ allow rtkit_daemon_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow rtkit to control scheduling for your process.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_scheduled',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ allow rtkit_daemon_t $1:process { getsched setsched };
+
+ kernel_search_proc($1)
+ ps_process_pattern(rtkit_daemon_t, $1)
+
+ optional_policy(`
+ rtkit_daemon_dbus_chat($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rtkit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rtkit_admin',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
+ ')
+
+ allow $1 rtkit_daemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rtkit_daemon_t)
+
+ init_startstop_service($1, $2, rtkit_daemon_t, rtkit_daemon_initrc_exec_t)
+')
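Review bot: The summary of `rtkit_scheduled` says it lets rtkit control scheduling for the caller's process, but the body also grants `ps_process_pattern(rtkit_daemon_t, $1)` and `kernel_search_proc($1)`, i.e. rtkit may read the caller's process state under /proc as well as adjust its scheduling. The summary should say so, e.g. "Allow rtkit to read the process state of, and control scheduling for, your process." The remaining interfaces in this hunk document what they grant.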
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
new file mode 100644
index 000000000..94edc206e
--- /dev/null
+++ b/policy/modules/services/rtkit.te
@@ -0,0 +1,61 @@
+policy_module(rtkit, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtkit_daemon_t;
+type rtkit_daemon_exec_t;
+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+type rtkit_daemon_initrc_exec_t;
+init_script_file(rtkit_daemon_initrc_exec_t)
+
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rtkit_daemon_t self:capability { dac_read_search setgid setpcap setuid sys_chroot sys_nice sys_ptrace };
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+kernel_read_system_state(rtkit_daemon_t)
+
+domain_getsched_all_domains(rtkit_daemon_t)
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t)
+
+selinux_getattr_fs(rtkit_daemon_t)
+
+auth_use_nsswitch(rtkit_daemon_t)
+
+logging_send_syslog_msg(rtkit_daemon_t)
+
+miscfiles_read_localization(rtkit_daemon_t)
+
+seutil_search_default_contexts(rtkit_daemon_t)
+
+optional_policy(`
+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+ ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rtkit_daemon_t)
+ ')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rtkit_daemon_t)
+ ')
+')
+
+optional_policy(`
+ xserver_setsched_xdm(rtkit_daemon_t)
+')
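Review bot: The `optional_policy` block containing `xserver_dbus_chat_xdm(rtkit_daemon_t)` appears twice inside the `dbus_system_domain` block (the second copy directly follows the first); one of them should be dropped, since duplicate rules only add noise and invite divergence on later edits. Nothing else in the hunk depends on the duplicate.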
diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc
new file mode 100644
index 000000000..fd5fdf71b
--- /dev/null
+++ b/policy/modules/services/rwho.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
+/usr/bin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
+/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
+/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
new file mode 100644
index 000000000..05aa3f160
--- /dev/null
+++ b/policy/modules/services/rwho.if
@@ -0,0 +1,152 @@
+## <summary>Who is logged in on other machines?</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rwho.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rwho_domtrans',`
+ gen_require(`
+ type rwho_t, rwho_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rwho_exec_t, rwho_t)
+')
+
+########################################
+## <summary>
+## Search rwho log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_log',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 rwho_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read rwho log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 rwho_log_t:dir list_dir_perms;
+ allow $1 rwho_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search rwho spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_spool',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 rwho_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, rwho_spool_t, rwho_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_manage_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rwho environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rwho_admin',`
+ gen_require(`
+ type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_initrc_exec_t;
+ ')
+
+ allow $1 rwho_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rwho_t)
+
+ init_startstop_service($1, $2, rwho_t, rwho_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, rwho_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, rwho_spool_t)
+')
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
new file mode 100644
index 000000000..7be17dda5
--- /dev/null
+++ b/policy/modules/services/rwho.te
@@ -0,0 +1,64 @@
+policy_module(rwho, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rwho_t;
+type rwho_exec_t;
+init_daemon_domain(rwho_t, rwho_exec_t)
+
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
+type rwho_log_t;
+files_type(rwho_log_t)
+
+type rwho_spool_t;
+files_type(rwho_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rwho_t self:capability sys_chroot;
+allow rwho_t self:process signal;
+allow rwho_t self:fifo_file rw_fifo_file_perms;
+allow rwho_t self:unix_stream_socket { accept listen };
+
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
+allow rwho_t rwho_spool_t:dir manage_dir_perms;
+allow rwho_t rwho_spool_t:file manage_file_perms;
+files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+
+kernel_read_system_state(rwho_t)
+
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
+corenet_udp_sendrecv_generic_if(rwho_t)
+corenet_udp_sendrecv_generic_node(rwho_t)
+corenet_udp_bind_generic_node(rwho_t)
+
+corenet_sendrecv_rwho_server_packets(rwho_t)
+corenet_udp_bind_rwho_port(rwho_t)
+corenet_udp_sendrecv_rwho_port(rwho_t)
+
+domain_use_interactive_fds(rwho_t)
+
+files_read_etc_files(rwho_t)
+
+init_read_utmp(rwho_t)
+init_dontaudit_write_utmp(rwho_t)
+
+logging_send_syslog_msg(rwho_t)
+
+miscfiles_read_localization(rwho_t)
+
+sysnet_dns_name_resolve(rwho_t)
+
+# userdom_getattr_user_terminals(rwho_t)
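Review bot: `rwho_log_t` is declared with `files_type(rwho_log_t)` even though it labels /var/log/rwhod and is the target of `logging_log_filetrans(rwho_t, rwho_log_t, { file dir })`; the rsync module in this same commit uses `logging_log_file(rsync_log_t)` for the equivalent type. Without `logging_log_file` the type does not receive the attribute that generic log-handling interfaces key on, so I would expect log administration and rotation domains to be unable to reach these files; suggest `logging_log_file(rwho_log_t)`. The same question applies to `rwho_spool_t`, which is also a bare `files_type` while the rules treat it as spool content. The trailing commented-out `# userdom_getattr_user_terminals(rwho_t)` should either be removed or get a comment saying why it is kept disabled.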
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
new file mode 100644
index 000000000..e104d2bad
--- /dev/null
+++ b/policy/modules/services/samba.fc
@@ -0,0 +1,57 @@
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/bin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
+
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
+/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+
+/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+
+/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
new file mode 100644
index 000000000..3d729f0cc
--- /dev/null
+++ b/policy/modules/services/samba.if
@@ -0,0 +1,716 @@
+## <summary>SMB and CIFS client/server programs.</summary>
+
+########################################
+## <summary>
+## Execute nmbd in the nmbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_nmbd',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to nmbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_nmbd',`
+ gen_require(`
+ type nmbd_t;
+ ')
+ allow $1 nmbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Connect to nmbd with a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_stream_connect_nmbd',`
+ gen_require(`
+ type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+')
+
+########################################
+## <summary>
+## Execute samba init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_net',`
+ gen_require(`
+ type samba_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_net_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba net
+## domain, and allow the specified
+## role the samba net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_net',`
+ gen_require(`
+ attribute_role samba_net_roles;
+ ')
+
+ samba_domtrans_net($1)
+ roleattribute $2 samba_net_roles;
+')
+
+########################################
+## <summary>
+## Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+ gen_require(`
+ type smbmount_t, smbmount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbmount_exec_t, smbmount_t)
+')
+
+########################################
+## <summary>
+## Execute smbmount in the smbmount
+## domain, and allow the specified
+## role the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smbmount',`
+ gen_require(`
+ attribute_role smbmount_roles;
+ ')
+
+ samba_domtrans_smbmount($1)
+ roleattribute $2 smbmount_roles;
+')
+
+########################################
+## <summary>
+## Read samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Read and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_rw_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Read samba log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ read_files_pattern($1, samba_log_t, samba_log_t)
+')
+
+########################################
+## <summary>
+## Append to samba log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_append_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ allow $1 samba_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute samba log files in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_exec_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ can_exec($1, samba_log_t)
+')
+
+########################################
+## <summary>
+## Read samba secret files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_secrets',`
+ gen_require(`
+ type samba_secrets_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_secrets_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read samba share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+## Search samba var directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read samba var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## samba var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write samba var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samba var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_manage_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t, smbcontrol_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol
+## domain, and allow the specified
+## role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ attribute_role smbcontrol_roles;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ roleattribute $2 smbcontrol_roles;
+')
+
+########################################
+## <summary>
+## Execute smbd in the smbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbd',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+######################################
+## <summary>
+## Send generic signals to smbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## and use smbd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+########################################
+## <summary>
+## Write smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_write_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+## Read and write smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute winbind helper in the
+## winbind helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t, winbind_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+')
+
+#######################################
+## <summary>
+## Get attributes of winbind executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_getattr_winbind_exec',`
+ gen_require(`
+ type winbind_exec_t;
+ ')
+
+ allow $1 winbind_exec_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Execute winbind helper in the winbind
+## helper domain, and allow the specified
+## role the winbind helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_winbind_helper',`
+ gen_require(`
+ attribute_role winbind_helper_roles;
+ ')
+
+ samba_domtrans_winbind_helper($1)
+ roleattribute $2 winbind_helper_roles;
+')
+
+########################################
+## <summary>
+## Read winbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t, smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to winbind with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_stream_connect_winbind',`
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an samba environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_admin',`
+ gen_require(`
+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type samba_log_t, samba_var_t, samba_secrets_t;
+ type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ type winbind_var_run_t, winbind_tmp_t;
+ type smbd_keytab_t;
+ ')
+
+ allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { nmbd_t smbd_t })
+
+ init_startstop_service($1, $2, samba_t, samba_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { samba_etc_t smbd_keytab_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, { samba_log_t winbind_log_t })
+
+ files_list_var($1)
+ admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+
+ files_list_spool($1)
+
+ files_list_pids($1)
+ admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
+
+ files_list_tmp($1)
+ admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
+')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
new file mode 100644
index 000000000..6a0978b2e
--- /dev/null
+++ b/policy/modules/services/samba.te
@@ -0,0 +1,1037 @@
+policy_module(samba, 1.22.2)
+
+#################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether smbd_t can
+## read shadow files.
+## </p>
+## </desc>
+gen_tunable(samba_read_shadow, false)
+
+## <desc>
+## <p>
+## Determine whether samba can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether samba can
+## create home directories via pam.
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
+## <desc>
+## <p>
+## Determine whether samba can act as the
+## domain controller, add users, groups
+## and change passwords.
+## </p>
+## </desc>
+gen_tunable(samba_domain_controller, false)
+
+## <desc>
+## <p>
+## Determine whether samba can
+## act as a portmapper.
+## </p>
+## </desc>
+gen_tunable(samba_portmapper, false)
+
+## <desc>
+## <p>
+## Determine whether samba can share
+## users home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs, false)
+
+## <desc>
+## <p>
+## Determine whether samba can share
+## any content read only.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_ro, false)
+
+## <desc>
+## <p>
+## Determine whether samba can share any
+## content readable and writable.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_rw, false)
+
+## <desc>
+## <p>
+## Determine whether samba can
+## run unconfined scripts.
+## </p>
+## </desc>
+gen_tunable(samba_run_unconfined, false)
+
+## <desc>
+## <p>
+## Determine whether samba can
+## use nfs file systems.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether samba can
+## use fuse file systems.
+## </p>
+## </desc>
+gen_tunable(samba_share_fusefs, false)
+
+attribute_role samba_net_roles;
+roleattribute system_r samba_net_roles;
+
+attribute_role smbcontrol_roles;
+roleattribute system_r smbcontrol_roles;
+
+attribute_role smbmount_roles;
+roleattribute system_r smbmount_roles;
+
+attribute_role winbind_helper_roles;
+roleattribute system_r winbind_helper_roles;
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t, nmbd_exec_t)
+
+type samba_var_run_t;
+typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
+init_daemon_pid_file(samba_var_run_t, dir, "samba")
+
+type samba_etc_t;
+files_config_file(samba_etc_t)
+
+type samba_initrc_exec_t;
+init_script_file(samba_initrc_exec_t)
+
+type samba_log_t;
+logging_log_file(samba_log_t)
+
+type samba_net_t;
+type samba_net_exec_t;
+application_domain(samba_net_t, samba_net_exec_t)
+role samba_net_roles types samba_net_t;
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; # customizable
+files_type(samba_share_t)
+
+type samba_unit_t;
+init_unit_file(samba_unit_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role smbcontrol_roles types smbcontrol_t;
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t, smbd_exec_t)
+
+type smbd_keytab_t;
+files_type(smbd_keytab_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbmount_t;
+type smbmount_exec_t;
+application_domain(smbmount_t, smbmount_exec_t)
+role smbmount_roles types smbmount_t;
+
+type swat_t;
+type swat_exec_t;
+domain_type(swat_t)
+domain_entry_file(swat_t, swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
+type winbind_t;
+type winbind_exec_t;
+init_daemon_domain(winbind_t, winbind_exec_t)
+
+type winbind_helper_t;
+type winbind_helper_exec_t;
+application_domain(winbind_helper_t, winbind_helper_exec_t)
+role winbind_helper_roles types winbind_helper_t;
+
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
+type winbind_tmp_t;
+files_tmp_file(winbind_tmp_t)
+
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+########################################
+#
+# Net local policy
+#
+
+allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
+allow samba_net_t self:capability2 block_suspend;
+allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:unix_stream_socket { accept listen };
+
+allow samba_net_t samba_etc_t:file read_file_perms;
+
+manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+
+kernel_read_system_state(samba_net_t)
+kernel_read_network_state(samba_net_t)
+
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_tcp_sendrecv_generic_node(samba_net_t)
+
+corenet_sendrecv_smbd_client_packets(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+corenet_tcp_sendrecv_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_interactive_fds(samba_net_t)
+
+files_read_usr_symlinks(samba_net_t)
+
+auth_use_nsswitch(samba_net_t)
+auth_manage_cache(samba_net_t)
+
+logging_send_syslog_msg(samba_net_t)
+
+miscfiles_read_localization(samba_net_t)
+
+samba_read_var_files(samba_net_t)
+
+userdom_use_user_terminals(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
+
+optional_policy(`
+ ldap_stream_connect(samba_net_t)
+')
+
+optional_policy(`
+ pcscd_read_pid_files(samba_net_t)
+')
+
+optional_policy(`
+ kerberos_use(samba_net_t)
+ kerberos_etc_filetrans_keytab(samba_net_t, file)
+')
+
+########################################
+#
+# Smbd Local policy
+#
+
+allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_fifo_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:tcp_socket { accept listen };
+allow smbd_t self:unix_dgram_socket sendto;
+allow smbd_t self:unix_stream_socket { accept connectto listen };
+
+allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+
+allow smbd_t smbd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
+
+allow smbd_t samba_net_tmp_t:file getattr_file_perms;
+
+manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
+filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:filesystem { getattr quotaget };
+
+manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
+files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+
+manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
+
+allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
+stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+
+kernel_getattr_core_if(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_fs_sysctls(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corecmd_exec_bin(smbd_t)
+corecmd_exec_shell(smbd_t)
+
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
+corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_tcp_bind_generic_node(smbd_t)
+
+corenet_sendrecv_smbd_client_packets(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
+corenet_sendrecv_smbd_server_packets(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_sendrecv_smbd_port(smbd_t)
+
+corenet_sendrecv_ipp_client_packets(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_sendrecv_ipp_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+dev_getattr_all_blk_files(smbd_t)
+dev_getattr_all_chr_files(smbd_t)
+
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
+files_list_mnt(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_getattr_all_dirs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+fs_getattr_rpc_dirs(smbd_t)
+fs_list_inotifyfs(smbd_t)
+fs_get_all_fs_quotas(smbd_t)
+
+term_use_ptmx(smbd_t)
+
+auth_use_nsswitch(smbd_t)
+auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
+auth_write_login_records(smbd_t)
+auth_can_read_shadow_passwords(smbd_t)
+
+init_rw_utmp(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
+
+sysnet_use_ldap(smbd_t)
+
+userdom_use_unpriv_users_fds(smbd_t)
+userdom_signal_all_users(smbd_t)
+userdom_home_filetrans_user_home_dir(smbd_t)
+userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+
+usermanage_read_crack_db(smbd_t)
+
+ifdef(`hide_broken_symptoms',`
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
+tunable_policy(`allow_smbd_anon_write',`
+ miscfiles_manage_public_files(smbd_t)
+')
+
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+')
+
+tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
+')
+
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(smbd_t)
+ userdom_manage_user_home_content_files(smbd_t)
+ userdom_manage_user_home_content_symlinks(smbd_t)
+ userdom_manage_user_home_content_sockets(smbd_t)
+ userdom_manage_user_home_content_pipes(smbd_t)
+')
+
+tunable_policy(`samba_portmapper',`
+ corenet_sendrecv_all_server_packets(smbd_t)
+ corenet_tcp_bind_epmap_port(smbd_t)
+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
+ corenet_tcp_sendrecv_all_ports(smbd_t)
+')
+
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
+tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+',`
+ fs_search_fusefs(smbd_t)
+')
+
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ files_list_non_auth_dirs(smbd_t)
+ files_read_non_auth_files(smbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ files_manage_non_auth_files(smbd_t)
+')
+
+optional_policy(`
+ ccs_read_config(smbd_t)
+')
+
+optional_policy(`
+ ctdbd_stream_connect(smbd_t)
+ ctdbd_manage_lib_files(smbd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(smbd_t)
+ kerberos_use(smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
+optional_policy(`
+ qemu_manage_tmp_dirs(smbd_t)
+ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`
+ udev_read_db(smbd_t)
+')
+
+########################################
+#
+# Nmbd Local policy
+#
+
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_fifo_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:tcp_socket { accept listen };
+allow nmbd_t self:unix_dgram_socket sendto;
+allow nmbd_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
+
+read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
+files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
+
+allow nmbd_t { swat_t smbcontrol_t }:process signal;
+
+allow nmbd_t samba_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core_if(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corecmd_search_bin(nmbd_t)
+
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
+corenet_tcp_sendrecv_generic_if(nmbd_t)
+corenet_udp_sendrecv_generic_if(nmbd_t)
+corenet_tcp_sendrecv_generic_node(nmbd_t)
+corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_udp_bind_generic_node(nmbd_t)
+
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_udp_sendrecv_nmbd_port(nmbd_t)
+
+corenet_sendrecv_smbd_client_packets(nmbd_t)
+corenet_tcp_connect_smbd_port(nmbd_t)
+corenet_tcp_sendrecv_smbd_port(nmbd_t)
+
+dev_read_urand(nmbd_t)
+dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
+
+domain_use_interactive_fds(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_list_var_lib(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+auth_use_nsswitch(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+userdom_use_unpriv_users_fds(nmbd_t)
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_list_non_auth_dirs(nmbd_t)
+ files_read_non_auth_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_manage_non_auth_files(nmbd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`
+ udev_read_db(nmbd_t)
+')
+
+########################################
+#
+# Smbcontrol local policy
+#
+
+allow smbcontrol_t self:process signal;
+allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:process { signal signull };
+
+allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
+read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
+
+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+
+samba_read_config(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+domain_use_interactive_fds(smbcontrol_t)
+
+dev_read_urand(smbcontrol_t)
+
+files_read_etc_files(smbcontrol_t)
+files_search_var_lib(smbcontrol_t)
+
+term_use_console(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+sysnet_use_ldap(smbcontrol_t)
+
+userdom_use_user_terminals(smbcontrol_t)
+
+optional_policy(`
+ ctdbd_stream_connect(smbcontrol_t)
+')
+
+########################################
+#
+# Smbmount Local policy
+#
+
+allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio };
+allow smbmount_t self:process signal_perms;
+allow smbmount_t self:tcp_socket { accept listen };
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir list_dir_perms;
+allow smbmount_t samba_etc_t:file read_file_perms;
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+
+allow smbmount_t samba_secrets_t:file manage_file_perms;
+
+manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t)
+manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+kernel_read_system_state(smbmount_t)
+
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
+corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_tcp_sendrecv_generic_node(smbmount_t)
+
+corenet_sendrecv_all_client_packets(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_list_var_lib(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+auth_use_nsswitch(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fds(smbmount_t)
+
+locallogin_use_fds(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+userdom_use_user_terminals(smbmount_t)
+userdom_use_all_users_fds(smbmount_t)
+
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
+########################################
+#
+# Swat Local policy
+#
+
+allow swat_t self:capability { dac_override setgid setuid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
+allow swat_t self:fifo_file rw_fifo_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket { accept listen };
+allow swat_t self:unix_stream_socket connectto;
+
+allow swat_t { nmbd_t smbd_t }:process { signal signull };
+
+allow swat_t samba_var_run_t:file read_file_perms;
+allow swat_t samba_var_run_t:file { lock delete_file_perms };
+
+rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+append_files_pattern(swat_t, samba_log_t, samba_log_t)
+create_files_pattern(swat_t, samba_log_t, samba_log_t)
+setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
+files_var_filetrans(swat_t, samba_var_t, dir, "samba")
+
+allow swat_t smbd_exec_t:file mmap_exec_file_perms ;
+
+allow swat_t { winbind_t smbd_t }:process { signal signull };
+
+manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
+manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
+files_pid_filetrans(swat_t, swat_var_run_t, file)
+
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
+allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
+
+read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
+stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+
+samba_domtrans_smbd(swat_t)
+samba_domtrans_nmbd(swat_t)
+
+domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+
+kernel_read_kernel_sysctls(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corecmd_search_bin(swat_t)
+
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_generic_node(swat_t)
+corenet_udp_sendrecv_generic_node(swat_t)
+corenet_tcp_bind_generic_node(swat_t)
+corenet_udp_bind_generic_node(swat_t)
+
+corenet_sendrecv_nmbd_server_packets(swat_t)
+corenet_udp_bind_nmbd_port(swat_t)
+corenet_udp_sendrecv_nmbd_port(swat_t)
+
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_tcp_connect_smbd_port(swat_t)
+corenet_sendrecv_smbd_server_packets(swat_t)
+corenet_tcp_bind_smbd_port(swat_t)
+corenet_tcp_sendrecv_smbd_port(swat_t)
+
+corenet_sendrecv_ipp_client_packets(swat_t)
+corenet_tcp_connect_ipp_port(swat_t)
+corenet_tcp_sendrecv_ipp_port(swat_t)
+
+dev_read_urand(swat_t)
+
+files_list_var_lib(swat_t)
+files_search_home(swat_t)
+files_read_usr_files(swat_t)
+fs_getattr_xattr_fs(swat_t)
+files_list_var_lib(swat_t)
+
+auth_domtrans_chk_passwd(swat_t)
+auth_use_nsswitch(swat_t)
+
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
+logging_search_logs(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+sysnet_use_ldap(swat_t)
+
+optional_policy(`
+ cups_read_rw_config(swat_t)
+ cups_stream_connect(swat_t)
+')
+
+optional_policy(`
+ inetd_service_domain(swat_t, swat_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(swat_t)
+')
+
+########################################
+#
+# Winbind local policy
+#
+
+allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:process { signal_perms getsched setsched };
+allow winbind_t self:fifo_file rw_fifo_file_perms;
+allow winbind_t self:unix_stream_socket { accept listen };
+allow winbind_t self:tcp_socket { accept listen };
+
+allow winbind_t nmbd_t:process { signal signull };
+
+allow winbind_t samba_var_run_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+
+allow winbind_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
+append_files_pattern(winbind_t, samba_log_t, samba_log_t)
+create_files_pattern(winbind_t, samba_log_t, samba_log_t)
+setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
+files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+
+rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+
+# This needs a file context specification
+allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(winbind_t, winbind_log_t, file)
+
+manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+
+manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
+manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
+filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
+
+manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+
+kernel_read_network_state(winbind_t)
+kernel_read_kernel_sysctls(winbind_t)
+kernel_read_system_state(winbind_t)
+
+corecmd_exec_bin(winbind_t)
+
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
+corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_tcp_sendrecv_all_ports(winbind_t)
+
+corenet_sendrecv_all_client_packets(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_epmap_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
+
+dev_read_sysfs(winbind_t)
+dev_read_urand(winbind_t)
+
+domain_use_interactive_fds(winbind_t)
+
+files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
+
+fs_getattr_all_fs(winbind_t)
+fs_search_auto_mountpoints(winbind_t)
+
+auth_domtrans_chk_passwd(winbind_t)
+auth_use_nsswitch(winbind_t)
+auth_manage_cache(winbind_t)
+
+logging_send_syslog_msg(winbind_t)
+
+miscfiles_read_localization(winbind_t)
+miscfiles_read_generic_certs(winbind_t)
+miscfiles_read_generic_tls_privkey(winbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+userdom_manage_user_home_content_dirs(winbind_t)
+userdom_manage_user_home_content_files(winbind_t)
+userdom_manage_user_home_content_symlinks(winbind_t)
+userdom_manage_user_home_content_pipes(winbind_t)
+userdom_manage_user_home_content_sockets(winbind_t)
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ ctdbd_stream_connect(winbind_t)
+ ctdbd_manage_lib_files(winbind_t)
+')
+
+optional_policy(`
+ kerberos_use(winbind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(winbind_t)
+')
+
+optional_policy(`
+ udev_read_db(winbind_t)
+')
+
+########################################
+#
+# Winbind helper local policy
+#
+
+allow winbind_helper_t self:unix_stream_socket { accept listen };
+
+allow winbind_helper_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+
+allow winbind_helper_t samba_var_t:dir search_dir_perms;
+
+allow winbind_t smbcontrol_t:process signal;
+
+stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+files_list_var_lib(winbind_helper_t)
+
+term_list_ptys(winbind_helper_t)
+
+auth_use_nsswitch(winbind_helper_t)
+
+logging_send_syslog_msg(winbind_helper_t)
+
+miscfiles_read_localization(winbind_helper_t)
+
+userdom_use_user_terminals(winbind_helper_t)
+
+optional_policy(`
+ apache_append_log(winbind_helper_t)
+')
+
+optional_policy(`
+ squid_read_log(winbind_helper_t)
+ squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
+')
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
+ domain_type(samba_unconfined_script_t)
+ domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+ corecmd_shell_entry_type(samba_unconfined_script_t)
+ role system_r types samba_unconfined_script_t;
+
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+ unconfined_domain(samba_unconfined_script_t)
+
+ tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
+ ')
+')
diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc
new file mode 100644
index 000000000..6c6f3dec6
--- /dev/null
+++ b/policy/modules/services/sanlock.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+/usr/bin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
+/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
new file mode 100644
index 000000000..dbca6c8e0
--- /dev/null
+++ b/policy/modules/services/sanlock.if
@@ -0,0 +1,114 @@
+## <summary>shared storage lock manager.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sanlock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans',`
+ gen_require(`
+ type sanlock_t, sanlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sanlock_exec_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## Execute sanlock init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sanlock_initrc_domtrans',`
+ gen_require(`
+ type sanlock_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## sanlock pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_manage_pid_files',`
+ gen_require(`
+ type sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to sanlock with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sanlock environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sanlock_admin',`
+ gen_require(`
+ type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
+ type sanlock_log_t;
+ ')
+
+ allow $1 sanlock_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sanlock_t)
+
+ init_startstop_service($1, $2, sanlock_t, sanlock_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sanlock_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, sanlock_log_t)
+')
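Review bot: The summary of `sanlock_admin` reads "administrate an sanlock environment"; the article should be "a" (`## administrate a sanlock environment.`). The same wording is repeated in `sasl_admin`, `sendmail_admin` and `sensord_admin` in the hunks that follow. Separately, the separator line above `sanlock_manage_pid_files` is two characters shorter than every other interface header in this file, which stands out when scanning the headers.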
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
index 000000000..6fc33eb85
--- /dev/null
+++ b/policy/modules/services/sanlock.te
@@ -0,0 +1,106 @@
+policy_module(sanlock, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether sanlock can use
+## nfs file systems.
+## </p>
+## </desc>
+gen_tunable(sanlock_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether sanlock can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
+
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
+type sanlock_log_t;
+logging_log_file(sanlock_log_t)
+
+type sanlock_initrc_exec_t;
+init_script_file(sanlock_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
+allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket { accept listen };
+
+append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+logging_log_filetrans(sanlock_t, sanlock_log_t, file)
+
+manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(sanlock_t)
+kernel_read_kernel_sysctls(sanlock_t)
+
+dev_read_rand(sanlock_t)
+dev_read_urand(sanlock_t)
+
+domain_use_interactive_fds(sanlock_t)
+
+storage_raw_rw_fixed_disk(sanlock_t)
+
+auth_use_nsswitch(sanlock_t)
+
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
+logging_send_syslog_msg(sanlock_t)
+
+miscfiles_read_localization(sanlock_t)
+
+tunable_policy(`sanlock_use_nfs',`
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_use_samba',`
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ wdmd_stream_connect(sanlock_t)
+')
+
+optional_policy(`
+ virt_kill_all_virt_domains(sanlock_t)
+ virt_manage_lib_files(sanlock_t)
+ virt_signal_all_virt_domains(sanlock_t)
+')
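Review bot: `storage_raw_rw_fixed_disk(sanlock_t)` and the `virt_kill_all_virt_domains`/`virt_signal_all_virt_domains` rules are the broadest grants in this domain and carry no comment saying why they are needed, which is the first thing a policy auditor will ask. Presumably the former is because sanlock keeps its leases directly on shared block devices and the latter because lease-loss handling terminates the lease owner, but the file should say so; a comment such as `# leases live on raw shared block devices` above the storage rule and `# lease expiry: sanlock terminates the lease owner` above the virt block would do. The `kill` and `sys_resource` entries in the self:capability set deserve the same one-line justification.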
diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
new file mode 100644
index 000000000..72551273e
--- /dev/null
+++ b/policy/modules/services/sasl.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+
+/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+
+/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
new file mode 100644
index 000000000..edb4de2ae
--- /dev/null
+++ b/policy/modules/services/sasl.if
@@ -0,0 +1,55 @@
+## <summary>SASL authentication server.</summary>
+
+########################################
+## <summary>
+## Connect to SASL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sasl_connect',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sasl environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sasl_admin',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+ type saslauthd_keytab_t;
+ ')
+
+ allow $1 saslauthd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_startstop_service($1, $2, saslauthd_t, saslauthd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, saslauthd_keytab_t)
+
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+')
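Review bot: `sasl_connect` only grants `files_search_pids($1)`, but sasl.fc in the preceding hunk also labels `/var/lib/sasl2(/.*)?` as `saslauthd_var_run_t`, so a caller whose saslauthd socket lives under /var/lib can be denied on directory search of the var_lib type rather than on the socket itself. Add `files_search_var_lib($1)` next to the existing search rule so the interface covers both labeled locations.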
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
new file mode 100644
index 000000000..231d6b2b6
--- /dev/null
+++ b/policy/modules/services/sasl.te
@@ -0,0 +1,117 @@
+policy_module(sasl, 1.19.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether sasl can
+## read shadow files.
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow, false)
+
+type saslauthd_t;
+type saslauthd_exec_t;
+init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
+type saslauthd_keytab_t;
+files_type(saslauthd_keytab_t)
+
+type saslauthd_var_run_t;
+files_pid_file(saslauthd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow saslauthd_t self:capability { setgid setuid sys_nice };
+dontaudit saslauthd_t self:capability sys_tty_config;
+allow saslauthd_t self:process { setsched signal_perms };
+allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+allow saslauthd_t self:unix_stream_socket { accept listen };
+
+allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(saslauthd_t)
+kernel_read_system_state(saslauthd_t)
+kernel_rw_afs_state(saslauthd_t)
+
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
+corenet_tcp_sendrecv_generic_if(saslauthd_t)
+corenet_tcp_sendrecv_generic_node(saslauthd_t)
+
+corenet_sendrecv_pop_client_packets(saslauthd_t)
+corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_tcp_sendrecv_pop_port(saslauthd_t)
+
+corenet_sendrecv_zarafa_client_packets(saslauthd_t)
+corenet_tcp_connect_zarafa_port(saslauthd_t)
+corenet_tcp_sendrecv_zarafa_port(saslauthd_t)
+
+corecmd_exec_bin(saslauthd_t)
+
+dev_read_urand(saslauthd_t)
+
+domain_use_interactive_fds(saslauthd_t)
+
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
+fs_getattr_all_fs(saslauthd_t)
+fs_search_auto_mountpoints(saslauthd_t)
+
+selinux_compute_access_vector(saslauthd_t)
+
+auth_use_pam(saslauthd_t)
+
+init_dontaudit_stream_connect_script(saslauthd_t)
+
+logging_send_syslog_msg(saslauthd_t)
+
+miscfiles_read_localization(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
+
+seutil_dontaudit_read_config(saslauthd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+
+auth_can_read_shadow_passwords(saslauthd_t)
+tunable_policy(`allow_saslauthd_read_shadow',`
+ allow saslauthd_t self:capability dac_override;
+ auth_tunable_read_shadow(saslauthd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(saslauthd_t)
+ kerberos_manage_host_rcache(saslauthd_t)
+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
+ kerberos_use(saslauthd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(saslauthd_t)
+ mysql_tcp_connect(saslauthd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(saslauthd_t)
+')
+
+optional_policy(`
+ udev_read_db(saslauthd_t)
+')
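Review bot: `auth_can_read_shadow_passwords(saslauthd_t)` on the line directly above the `allow_saslauthd_read_shadow` block is unconditional, which reads as if shadow access is always granted while the actual read rule sits inside the tunable. If, as elsewhere in refpolicy, that interface only attaches the attribute required to satisfy the shadow neverallow and `auth_tunable_read_shadow` carries the allow rule, a one-line comment would prevent the misreading: `# attribute only (cannot be conditional); the read rule is under the tunable below`. The `dac_override` grant inside the tunable also deserves a word on why the shadow read rule alone is not sufficient.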
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
new file mode 100644
index 000000000..f1450f0ff
--- /dev/null
+++ b/policy/modules/services/sendmail.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+
+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
new file mode 100644
index 000000000..5358d1597
--- /dev/null
+++ b/policy/modules/services/sendmail.if
@@ -0,0 +1,363 @@
+## <summary>Internetwork email routing facility.</summary>
+
+########################################
+## <summary>
+## Sendmail stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
+')
+
+########################################
+## <summary>
+## Read and write sendmail unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_pipes',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ corecmd_search_bin($1)
+ mta_sendmail_domtrans($1, sendmail_t)
+
+ allow sendmail_t $1:fd use;
+ allow sendmail_t $1:fifo_file rw_fifo_file_perms;
+ allow sendmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the sendmail program in the
+## sendmail domain, and allow the
+## specified role the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ attribute_role sendmail_roles;
+ ')
+
+ sendmail_domtrans($1)
+ roleattribute $2 sendmail_roles;
+')
+
+########################################
+## <summary>
+## Send generic signals to sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_signal',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write sendmail unix
+## domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read sendmail log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_read_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sendmail log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_manage_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories sendmail log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sendmail_log_filetrans_sendmail_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_log_filetrans($1, sendmail_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sendmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_manage_tmp_files',`
+ gen_require(`
+ type sendmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, unconfined_sendmail_t)
+
+ allow unconfined_sendmail_t $1:fd use;
+ allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
+ allow unconfined_sendmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined
+## sendmail domain, and allow the
+## specified role the unconfined
+## sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ attribute_role sendmail_unconfined_roles;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ roleattribute $2 sendmail_unconfined_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sendmail environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_admin',`
+ gen_require(`
+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type sendmail_keytab_t;
+ ')
+
+ allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
+
+ init_startstop_service($1, $2, sendmail_t, sendmail_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, sendmail_keytab_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, sendmail_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, sendmail_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, sendmail_var_run_t)
+
+ sendmail_run($1, $2)
+ sendmail_run_unconfined($1, $2)
+')
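Review bot: `sendmail_domtrans_unconfined` omits the `corecmd_search_bin($1)` that `sendmail_domtrans` calls before its transition, so the two interfaces diverge for callers that do not already have search on the bin directories. If the search is needed in one it is needed in the other; add `corecmd_search_bin($1)` before `mta_sendmail_domtrans($1, unconfined_sendmail_t)`, or drop it from `sendmail_domtrans` if `mta_sendmail_domtrans` already provides it. The three allow rules following each transition are otherwise identical between the two interfaces, so keeping the preamble identical too makes the intended difference (the target domain) the only one.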
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
new file mode 100644
index 000000000..9fb6b6496
--- /dev/null
+++ b/policy/modules/services/sendmail.te
@@ -0,0 +1,215 @@
+policy_module(sendmail, 1.16.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sendmail_roles;
+
+attribute_role sendmail_unconfined_roles;
+roleattribute system_r sendmail_unconfined_roles;
+
+type sendmail_initrc_exec_t;
+init_script_file(sendmail_initrc_exec_t)
+
+type sendmail_keytab_t;
+files_type(sendmail_keytab_t)
+
+type sendmail_log_t;
+logging_log_file(sendmail_log_t)
+
+type sendmail_tmp_t;
+files_tmp_file(sendmail_tmp_t)
+
+type sendmail_var_run_t;
+files_pid_file(sendmail_var_run_t)
+
+type sendmail_t;
+mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
+role sendmail_roles types sendmail_t;
+
+type unconfined_sendmail_t;
+application_type(unconfined_sendmail_t)
+mta_sendmail_entry_point(unconfined_sendmail_t)
+role sendmail_unconfined_roles types unconfined_sendmail_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config };
+allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+allow sendmail_t self:fifo_file rw_fifo_file_perms;
+allow sendmail_t self:unix_stream_socket { accept listen };
+allow sendmail_t self:tcp_socket { accept listen };
+
+allow sendmail_t sendmail_keytab_t:file read_file_perms;
+
+allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
+
+manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+
+allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+
+kernel_read_network_state(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
+kernel_read_system_state(sendmail_t)
+
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
+corenet_tcp_sendrecv_generic_if(sendmail_t)
+corenet_tcp_sendrecv_generic_node(sendmail_t)
+corenet_tcp_sendrecv_all_ports(sendmail_t)
+corenet_tcp_bind_generic_node(sendmail_t)
+
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_tcp_bind_smtp_port(sendmail_t)
+
+corenet_sendrecv_all_client_packets(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
+
+corecmd_exec_bin(sendmail_t)
+corecmd_exec_shell(sendmail_t)
+
+dev_read_sysfs(sendmail_t)
+dev_read_urand(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_read_all_tmp_files(sendmail_t)
+files_read_etc_runtime_files(sendmail_t)
+files_read_usr_files(sendmail_t)
+files_search_spool(sendmail_t)
+
+fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
+
+term_dontaudit_use_console(sendmail_t)
+term_dontaudit_use_generic_ptys(sendmail_t)
+
+init_use_fds(sendmail_t)
+init_use_script_ptys(sendmail_t)
+init_read_utmp(sendmail_t)
+init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
+
+auth_use_nsswitch(sendmail_t)
+
+libs_read_lib_files(sendmail_t)
+
+logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
+
+miscfiles_read_generic_certs(sendmail_t)
+miscfiles_read_localization(sendmail_t)
+miscfiles_read_generic_tls_privkey(sendmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+
+mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
+mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
+mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
+mta_manage_aliases(sendmail_t)
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
+mta_read_config(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cfengine_dontaudit_write_log_files(sendmail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
+
+optional_policy(`
+ clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ dovecot_write_inherited_tmp_files(sendmail_t)
+')
+
+optional_policy(`
+ exim_domtrans(sendmail_t)
+ exim_manage_spool_files(sendmail_t)
+ exim_manage_spool_dirs(sendmail_t)
+ exim_read_log(sendmail_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(sendmail_t)
+ kerberos_use(sendmail_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(sendmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
+ postfix_domtrans_postqueue(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+')
+
+optional_policy(`
+ procmail_domtrans(sendmail_t)
+ procmail_rw_tmp_files(sendmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sendmail_t)
+')
+
+optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ udev_read_db(sendmail_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(sendmail_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
+ unconfined_domain(unconfined_sendmail_t)
+')
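Review bot: `files_read_all_tmp_files(sendmail_t)` lets the mail daemon read every domain's temporary files, the widest confidentiality grant in this domain, and `corenet_tcp_connect_all_ports(sendmail_t)` lets it connect to any port; neither carries a comment about what needs it. If the tmp access exists so that a message piped from another domain's temp file can be read, a comment such as `# message bodies handed over as tmp files by other domains` would let a later reviewer judge whether the inherited-file style already used for dovecot in this file (`dovecot_write_inherited_tmp_files`) could replace the blanket read. Also, `sys_tty_config` is in the allowed self:capability set here, whereas saslauthd_t and winbind_t earlier in this commit dontaudit it; worth confirming sendmail actually needs it.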
diff --git a/policy/modules/services/sensord.fc b/policy/modules/services/sensord.fc
new file mode 100644
index 000000000..1216f4bf8
--- /dev/null
+++ b/policy/modules/services/sensord.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
+
+/usr/bin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
+/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
+/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/policy/modules/services/sensord.if b/policy/modules/services/sensord.if
new file mode 100644
index 000000000..e58af365d
--- /dev/null
+++ b/policy/modules/services/sensord.if
@@ -0,0 +1,32 @@
+## <summary>Sensor information logging daemon.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sensord environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sensord_admin',`
+ gen_require(`
+ type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+ ')
+
+ allow $1 sensord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sensord_t)
+
+ init_startstop_service($1, $2, sensord_t, sensord_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sensord_var_run_t)
+')
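Review bot: The interface summary for `sensord_admin` reads `administrate an sensord environment`, which should be `administrate a sensord environment`; the same article slip appears in the admin interface summaries of smartmon.if (`an smartmon environment`) and setroubleshoot.if (`an setroubleshoot environment`). These summaries feed the generated interface documentation, so the wording is user-visible.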
diff --git a/policy/modules/services/sensord.te b/policy/modules/services/sensord.te
new file mode 100644
index 000000000..e880ae300
--- /dev/null
+++ b/policy/modules/services/sensord.te
@@ -0,0 +1,35 @@
+policy_module(sensord, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type sensord_t;
+type sensord_exec_t;
+init_daemon_domain(sensord_t, sensord_exec_t)
+
+type sensord_initrc_exec_t;
+init_script_file(sensord_initrc_exec_t)
+
+type sensord_var_run_t;
+files_pid_file(sensord_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sensord_t self:fifo_file rw_fifo_file_perms;
+allow sensord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
+files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+
+dev_read_sysfs(sensord_t)
+
+files_read_etc_files(sensord_t)
+
+logging_send_syslog_msg(sensord_t)
+
+miscfiles_read_localization(sensord_t)
diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc
new file mode 100644
index 000000000..096fd47ca
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.fc
@@ -0,0 +1,11 @@
+/usr/bin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+
+/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
new file mode 100644
index 000000000..f7d788b8e
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.if
@@ -0,0 +1,160 @@
+## <summary>SELinux troubleshooting service.</summary>
+
+########################################
+## <summary>
+## Connect to setroubleshootd with a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to connect to
+## setroubleshootd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
+ dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
+## Send null signals to setroubleshoot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_signull',`
+ gen_require(`
+ type setroubleshootd_t;
+ ')
+
+ allow $1 setroubleshootd_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+ allow setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 setroubleshootd_t:dbus send_msg;
+ dontaudit setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot fixit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+ allow setroubleshoot_fixit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an setroubleshoot environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`setroubleshoot_admin',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ ')
+
+ allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, setroubleshoot_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
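Review bot: `setroubleshoot_stream_connect` grants `allow $1 setroubleshoot_var_run_t:sock_file read;` on top of `stream_connect_pattern`, and a read permission on a socket file is unusual for a connect interface, so the reason should be stated where the rule sits. A one-line comment such as `# sock_file read is needed in addition to the write granted by stream_connect_pattern -- confirm which client requires it` would keep the next maintainer from dropping it as redundant, or from copying it into other connect interfaces without need. If no client actually requires it, the line should go, since it widens what every caller of this interface can do to the socket.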
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
new file mode 100644
index 000000000..7610a7cef
--- /dev/null
+++ b/policy/modules/services/setroubleshoot.te
@@ -0,0 +1,199 @@
+policy_module(setroubleshoot, 1.16.1)
+
+########################################
+#
+# Declarations
+#
+
+type setroubleshootd_t alias setroubleshoot_t;
+type setroubleshootd_exec_t;
+init_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+type setroubleshoot_fixit_t;
+type setroubleshoot_fixit_exec_t;
+init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
+allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshootd_t self:tcp_socket { accept listen };
+allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
+
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
+files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
+
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms;
+append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
+kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
+kernel_read_irq_sysctls(setroubleshootd_t)
+kernel_read_unlabeled_state(setroubleshootd_t)
+
+corecmd_exec_bin(setroubleshootd_t)
+corecmd_exec_shell(setroubleshootd_t)
+corecmd_read_all_executables(setroubleshootd_t)
+
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
+
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
+dev_getattr_mtrr_dev(setroubleshootd_t)
+
+domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_signull_all_domains(setroubleshootd_t)
+
+files_read_usr_files(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
+files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
+files_read_all_symlinks(setroubleshootd_t)
+files_read_mnt_files(setroubleshootd_t)
+
+fs_getattr_all_dirs(setroubleshootd_t)
+fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_list_inotifyfs(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
+
+selinux_get_enforce_mode(setroubleshootd_t)
+selinux_validate_context(setroubleshootd_t)
+selinux_read_policy(setroubleshootd_t)
+
+term_dontaudit_use_all_ptys(setroubleshootd_t)
+term_dontaudit_use_all_ttys(setroubleshootd_t)
+
+mls_dbus_recv_all_levels(setroubleshootd_t)
+
+auth_use_nsswitch(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+
+libs_exec_ld_so(setroubleshootd_t)
+
+locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+logging_send_audit_msgs(setroubleshootd_t)
+logging_send_syslog_msg(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)
+
+miscfiles_read_localization(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+seutil_read_file_contexts(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
+
+userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
+
+optional_policy(`
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+ optional_policy(`
+ abrt_dbus_chat(setroubleshootd_t)
+ ')
+')
+
+optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(setroubleshootd_t)
+')
+
+optional_policy(`
+ rpm_exec(setroubleshootd_t)
+ rpm_signull(setroubleshootd_t)
+ rpm_read_db(setroubleshootd_t)
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+ rpm_use_script_fds(setroubleshootd_t)
+')
+
+########################################
+#
+# Fixit local policy
+#
+
+allow setroubleshoot_fixit_t self:capability sys_nice;
+allow setroubleshoot_fixit_t self:process { setsched getsched };
+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+
+allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
+kernel_read_system_state(setroubleshoot_fixit_t)
+
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+corecmd_getattr_all_executables(setroubleshoot_fixit_t)
+
+seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+
+files_read_usr_files(setroubleshoot_fixit_t)
+files_list_tmp(setroubleshoot_fixit_t)
+
+auth_use_nsswitch(setroubleshoot_fixit_t)
+
+logging_send_audit_msgs(setroubleshoot_fixit_t)
+logging_send_syslog_msg(setroubleshoot_fixit_t)
+
+miscfiles_read_localization(setroubleshoot_fixit_t)
+
+userdom_read_all_users_state(setroubleshoot_fixit_t)
+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+optional_policy(`
+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+ setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+
+ optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ ')
+')
+
+optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
+')
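Review bot: The `allow setroubleshootd_t self:process { ... execmem execstack }` and `self:capability { dac_override sys_nice sys_ptrace sys_tty_config }` rules carry no comment saying why a troubleshooting daemon needs executable anonymous memory, an executable stack and ptrace capability, and these are the permissions a reviewer most needs a rationale for because they switch off memory-protection and process-isolation checks for the whole domain. A short comment above those two lines, for example `# execmem/execstack and sys_ptrace: presumably required by the runtime and its process inspection -- verify against audit denials before keeping`, would record the intent and make later tightening possible. The same applies to the broad `corecmd_read_all_executables`, `files_getattr_all_files` and `kernel_read_unlabeled_state` rules further down, which give the daemon visibility over the entire filesystem without an explanatory note.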
diff --git a/policy/modules/services/shibboleth.fc b/policy/modules/services/shibboleth.fc
new file mode 100644
index 000000000..fc32f7c9a
--- /dev/null
+++ b/policy/modules/services/shibboleth.fc
@@ -0,0 +1,8 @@
+/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0)
+
+/usr/bin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
+/usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
+/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
+/run/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_run_t,s0)
diff --git a/policy/modules/services/shibboleth.if b/policy/modules/services/shibboleth.if
new file mode 100644
index 000000000..4a3ba0225
--- /dev/null
+++ b/policy/modules/services/shibboleth.if
@@ -0,0 +1,40 @@
+## <summary>Shibboleth authentication deamon</summary>
+
+########################################
+## <summary>
+## Allow your application domain to access
+## config files from shibboleth
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain which should be enabled.
+## </summary>
+## </param>
+#
+interface(`shibboleth_read_config',`
+ gen_require(`
+ type shibboleth_etc_t;
+ ')
+
+ read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to shibboleth with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shibboleth_stream_connect',`
+ gen_require(`
+ type shibboleth_t;
+ type shibboleth_var_run_t;
+ ')
+
+ stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
+ files_search_pids($1)
+')
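Review bot: The module summary has a typo, `Shibboleth authentication deamon`, and should read `## <summary>Shibboleth authentication daemon.</summary>`. The parameter summaries in `shibboleth_read_config` (`The domain which should be enabled.`) and its interface summary (`Allow your application domain to access config files from shibboleth`) also diverge from the wording every other interface in this commit uses; `## Domain allowed access.` and `## Read shibboleth configuration files.` would match the rest of the tree and the generated documentation.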
diff --git a/policy/modules/services/shibboleth.te b/policy/modules/services/shibboleth.te
new file mode 100644
index 000000000..8b52f701c
--- /dev/null
+++ b/policy/modules/services/shibboleth.te
@@ -0,0 +1,72 @@
+policy_module(shibboleth, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type shibboleth_t;
+type shibboleth_exec_t;
+init_daemon_domain(shibboleth_t, shibboleth_exec_t)
+
+type shibboleth_etc_t;
+files_config_file(shibboleth_etc_t)
+
+type shibboleth_log_t;
+logging_log_file(shibboleth_log_t)
+
+type shibboleth_var_run_t;
+files_pid_file(shibboleth_var_run_t)
+init_daemon_pid_file(shibboleth_var_run_t, dir, "shibboleth")
+
+########################################
+#
+# Local policy
+#
+
+allow shibboleth_t self:process { signal_perms };
+
+# networking:
+# shibboleth uses tcp sockets for connecting to central
+# authentication server and unix stream sockets
+# to exchange information with the apache module
+allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;
+allow shibboleth_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+
+corenet_all_recvfrom_netlabel(shibboleth_t)
+corenet_all_recvfrom_unlabeled(shibboleth_t)
+corenet_tcp_connect_http_port(shibboleth_t)
+corenet_tcp_sendrecv_all_ports(shibboleth_t)
+corenet_tcp_sendrecv_generic_if(shibboleth_t)
+corenet_tcp_sendrecv_generic_node(shibboleth_t)
+
+dev_read_urand(shibboleth_t)
+
+domain_dontaudit_use_interactive_fds(shibboleth_t)
+
+files_read_etc_files(shibboleth_t)
+files_read_usr_files(shibboleth_t)
+files_search_etc(shibboleth_t)
+
+term_dontaudit_search_ptys(shibboleth_t)
+term_dontaudit_use_all_ptys(shibboleth_t)
+term_dontaudit_use_all_ttys(shibboleth_t)
+
+logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
+logging_send_syslog_msg(shibboleth_t)
+
+miscfiles_read_localization(shibboleth_t)
+
+sysnet_dns_name_resolve(shibboleth_t)
+
+# permissions for the configuration files
+# there is shared information between apache and shibboleth, e.g., certificates
+apache_read_config(shibboleth_t)
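Review bot: `apache_read_config(shibboleth_t)` is called unconditionally, whereas every other cross-service call in this commit (for example the exim, postfix and procmail calls in sendmail.te, or the abrt and rpm calls in setroubleshoot.te) is wrapped in `optional_policy()`; as written, the shibboleth module cannot be built or loaded unless the apache module is present. Wrapping it as `optional_policy(\`` / `	apache_read_config(shibboleth_t)` / `')` keeps the shared-certificate access the comment above it describes while removing the hard dependency. Separately, `corenet_tcp_sendrecv_all_ports(shibboleth_t)` sits next to `corenet_tcp_connect_http_port`, and a comment stating which remote ports beyond HTTP the daemon actually talks to would justify the broader rule.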
diff --git a/policy/modules/services/slpd.fc b/policy/modules/services/slpd.fc
new file mode 100644
index 000000000..77ff516b5
--- /dev/null
+++ b/policy/modules/services/slpd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
+
+/usr/bin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
+
+/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
+
+/var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0)
+
+/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0)
diff --git a/policy/modules/services/slpd.if b/policy/modules/services/slpd.if
new file mode 100644
index 000000000..ffacc363d
--- /dev/null
+++ b/policy/modules/services/slpd.if
@@ -0,0 +1,36 @@
+## <summary>OpenSLP server daemon to dynamically register services.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an slpd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`slpd_admin',`
+ gen_require(`
+ type slpd_t, slpd_initrc_exec_t, slpd_log_t;
+ type slpd_var_run_t;
+ ')
+
+ allow $1 slpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slpd_t)
+
+ init_startstop_service($1, $2, slpd_t, slpd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, slpd_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, slpd_var_run_t)
+')
diff --git a/policy/modules/services/slpd.te b/policy/modules/services/slpd.te
new file mode 100644
index 000000000..a76acb7f7
--- /dev/null
+++ b/policy/modules/services/slpd.te
@@ -0,0 +1,55 @@
+policy_module(slpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type slpd_t;
+type slpd_exec_t;
+init_daemon_domain(slpd_t, slpd_exec_t)
+
+type slpd_initrc_exec_t;
+init_script_file(slpd_initrc_exec_t)
+
+type slpd_log_t;
+logging_log_file(slpd_log_t)
+
+type slpd_var_run_t;
+files_pid_file(slpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow slpd_t self:capability { kill setgid setuid };
+allow slpd_t self:process signal;
+allow slpd_t self:fifo_file rw_fifo_file_perms;
+allow slpd_t self:tcp_socket { accept listen };
+allow slpd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow slpd_t slpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(slpd_t, slpd_log_t, file)
+
+manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
+files_pid_filetrans(slpd_t, slpd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(slpd_t)
+corenet_all_recvfrom_netlabel(slpd_t)
+corenet_tcp_sendrecv_generic_if(slpd_t)
+corenet_udp_sendrecv_generic_if(slpd_t)
+corenet_tcp_sendrecv_generic_node(slpd_t)
+corenet_udp_sendrecv_generic_node(slpd_t)
+corenet_tcp_sendrecv_all_ports(slpd_t)
+corenet_udp_sendrecv_all_ports(slpd_t)
+corenet_tcp_bind_generic_node(slpd_t)
+corenet_udp_bind_generic_node(slpd_t)
+
+corenet_sendrecv_svrloc_server_packets(slpd_t)
+corenet_tcp_bind_svrloc_port(slpd_t)
+corenet_udp_bind_svrloc_port(slpd_t)
+
+auth_use_nsswitch(slpd_t)
+
+miscfiles_read_localization(slpd_t)
diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc
new file mode 100644
index 000000000..d0f1dd7d9
--- /dev/null
+++ b/policy/modules/services/slrnpull.fc
@@ -0,0 +1,7 @@
+/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+/var/log/slrnpull\.log.* -- gen_context(system_u:object_r:slrnpull_log_t,s0)
+
+/run/slrnpull\.pid -- gen_context(system_u:object_r:slrnpull_var_run_t,s0)
+
+/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if
new file mode 100644
index 000000000..a0b173403
--- /dev/null
+++ b/policy/modules/services/slrnpull.if
@@ -0,0 +1,42 @@
+## <summary>Service for downloading news feeds the slrn newsreader.</summary>
+
+########################################
+## <summary>
+## Search slrnpull spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_search_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## slrnpull spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_manage_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+')
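Review bot: The module summary is missing a word: `Service for downloading news feeds the slrn newsreader.` should read `## <summary>Service for downloading news feeds for the slrn newsreader.</summary>`. The two interfaces below it are documented consistently with the rest of the commit and need no change.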
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
new file mode 100644
index 000000000..9d4515abc
--- /dev/null
+++ b/policy/modules/services/slrnpull.te
@@ -0,0 +1,70 @@
+policy_module(slrnpull, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_system_domain(slrnpull_t, slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(slrnpull_t, slrnpull_log_t, file)
+
+manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+
+manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_interactive_fds(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+files_search_spool(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
+
+optional_policy(`
+ cron_system_entry(slrnpull_t, slrnpull_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`
+ udev_read_db(slrnpull_t)
+')
diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc
new file mode 100644
index 000000000..daff956c5
--- /dev/null
+++ b/policy/modules/services/smartmon.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smartmontools -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+/usr/bin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
+/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
new file mode 100644
index 000000000..08f4ee20c
--- /dev/null
+++ b/policy/modules/services/smartmon.if
@@ -0,0 +1,58 @@
+## <summary>Smart disk monitoring daemon.</summary>
+
+#######################################
+## <summary>
+## Read smartmon temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smartmon_read_tmp_files',`
+ gen_require(`
+ type fsdaemon_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an smartmon environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smartmon_admin',`
+ gen_require(`
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+ type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
+ ')
+
+ allow $1 fsdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_startstop_service($1, $2, fsdaemon_t, fsdaemon_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, fsdaemon_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fsdaemon_var_run_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, fsdaemon_var_lib_t)
+')
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
new file mode 100644
index 000000000..f1d7e36d4
--- /dev/null
+++ b/policy/modules/services/smartmon.te
@@ -0,0 +1,125 @@
+policy_module(smartmon, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether smartmon can support
+## devices on 3ware controllers.
+## </p>
+## </desc>
+gen_tunable(smartmon_3ware, false)
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
+
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_var_lib_t;
+files_type(fsdaemon_var_lib_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+allow fsdaemon_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_network_state(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+
+mls_file_read_all_levels(fsdaemon_t)
+
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
+
+term_dontaudit_search_ptys(fsdaemon_t)
+
+application_signull(fsdaemon_t)
+
+init_read_utmp(fsdaemon_t)
+
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+miscfiles_read_localization(fsdaemon_t)
+
+sysnet_dns_name_resolve(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
+')
+
+optional_policy(`
+ mta_send_mail(fsdaemon_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fsdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(fsdaemon_t)
+')
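Review bot: `corecmd_exec_all_executables(fsdaemon_t)`, `files_exec_etc_files(fsdaemon_t)` and `libs_exec_lib_files(fsdaemon_t)` give a domain that already holds `sys_admin sys_rawio` and raw write access to fixed disks the ability to run any executable on the system, and none of these lines says why. A comment such as `# smartd can run administrator-configured scripts (e.g. its exec-based notification mode); confirm these exec rules are still needed` above the exec rules would document the intent and make it clear the breadth is deliberate rather than accumulated. The `smartmon_3ware` tunable, by contrast, is documented well and shows the style the rest of the block could follow.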
diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc
new file mode 100644
index 000000000..c75825e86
--- /dev/null
+++ b/policy/modules/services/smokeping.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+
+/usr/bin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+
+/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
+/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
new file mode 100644
index 000000000..4f49c998e
--- /dev/null
+++ b/policy/modules/services/smokeping.if
@@ -0,0 +1,171 @@
+## <summary>Smokeping network latency measurement.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run smokeping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_domtrans',`
+ gen_require(`
+ type smokeping_t, smokeping_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smokeping_exec_t, smokeping_t)
+')
+
+########################################
+## <summary>
+## Execute smokeping init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_initrc_domtrans',`
+ gen_require(`
+ type smokeping_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read smokeping pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smokeping_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## smokeping pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
+')
+
+########################################
+## <summary>
+## Get attributes of smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_getattr_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a smokeping environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smokeping_admin',`
+ gen_require(`
+ type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t;
+ type smokeping_var_run_t;
+ ')
+
+ allow $1 smokeping_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smokeping_t)
+
+ init_startstop_service($1, $2, smokeping_t, smokeping_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, smokeping_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, smokeping_var_run_t)
+')
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
new file mode 100644
index 000000000..65a3441dc
--- /dev/null
+++ b/policy/modules/services/smokeping.te
@@ -0,0 +1,78 @@
+policy_module(smokeping, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type smokeping_t;
+type smokeping_exec_t;
+init_daemon_domain(smokeping_t, smokeping_exec_t)
+
+type smokeping_initrc_exec_t;
+init_script_file(smokeping_initrc_exec_t)
+
+type smokeping_var_run_t;
+files_pid_file(smokeping_var_run_t)
+
+type smokeping_var_lib_t;
+files_type(smokeping_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit smokeping_t self:capability { dac_override dac_read_search };
+allow smokeping_t self:fifo_file rw_fifo_file_perms;
+allow smokeping_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
+
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir })
+
+corecmd_exec_bin(smokeping_t)
+
+dev_read_urand(smokeping_t)
+
+files_read_usr_files(smokeping_t)
+files_search_tmp(smokeping_t)
+
+auth_use_nsswitch(smokeping_t)
+auth_dontaudit_read_shadow(smokeping_t)
+
+logging_send_syslog_msg(smokeping_t)
+
+miscfiles_read_localization(smokeping_t)
+
+netutils_domtrans_ping(smokeping_t)
+
+optional_policy(`
+ mta_send_mail(smokeping_t)
+')
+
+#######################################
+#
+# Cgi local policy
+#
+
+optional_policy(`
+ apache_content_template(smokeping_cgi)
+
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+ files_read_etc_files(httpd_smokeping_cgi_script_t)
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+
+ netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+')
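Review bot: The CGI block grants the web-facing `httpd_smokeping_cgi_script_t` full manage rights on `smokeping_var_lib_t` and a domain transition to ping, with no comment explaining why a script reached through httpd needs write access to the daemon's state directory. A one-line comment such as `# the CGI regenerates graph images under the smokeping lib directory` (confirm against the application) would document the intent for the next reviewer. If the CGI in fact only reads RRD data, the two `manage_*_pattern` calls could be narrowed to `read_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)` plus directory listing.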
diff --git a/policy/modules/services/smstools.fc b/policy/modules/services/smstools.fc
new file mode 100644
index 000000000..12a585110
--- /dev/null
+++ b/policy/modules/services/smstools.fc
@@ -0,0 +1,15 @@
+/etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0)
+
+/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+
+/usr/bin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
+
+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
+
+/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
+
+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/policy/modules/services/smstools.if b/policy/modules/services/smstools.if
new file mode 100644
index 000000000..fc420a534
--- /dev/null
+++ b/policy/modules/services/smstools.if
@@ -0,0 +1,46 @@
+## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an smstools environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smstools_admin',`
+ gen_require(`
+ type smsd_t, smsd_initrc_exec_t, smsd_conf_t;
+ type smsd_log_t, smsd_var_lib_t, smsd_var_run_t;
+ type smsd_spool_t;
+ ')
+
+ allow $1 smsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smsd_t)
+
+ init_startstop_service($1, $2, smsd_t, smsd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, smsd_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, smsd_var_lib_t)
+
+ files_search_spool($1)
+ admin_pattern($1, smsd_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, smsd_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, smsd_log_t)
+')
diff --git a/policy/modules/services/smstools.te b/policy/modules/services/smstools.te
new file mode 100644
index 000000000..c5ec9f95b
--- /dev/null
+++ b/policy/modules/services/smstools.te
@@ -0,0 +1,74 @@
+policy_module(smstools, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type smsd_t;
+type smsd_exec_t;
+init_daemon_domain(smsd_t, smsd_exec_t)
+
+type smsd_initrc_exec_t;
+init_script_file(smsd_initrc_exec_t)
+
+type smsd_conf_t;
+files_config_file(smsd_conf_t)
+
+type smsd_log_t;
+logging_log_file(smsd_log_t)
+
+type smsd_var_lib_t;
+files_type(smsd_var_lib_t)
+
+type smsd_var_run_t;
+files_pid_file(smsd_var_run_t)
+
+type smsd_spool_t;
+files_type(smsd_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smsd_t self:capability { kill setgid setuid };
+allow smsd_t self:process signal;
+allow smsd_t self:fifo_file rw_fifo_file_perms;
+allow smsd_t self:unix_stream_socket { accept listen };
+
+allow smsd_t smsd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
+create_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+append_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+setattr_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+logging_log_filetrans(smsd_t, smsd_log_t, { dir file })
+
+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+
+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir file })
+
+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, dir)
+
+kernel_read_kernel_sysctls(smsd_t)
+kernel_read_system_state(smsd_t)
+
+corecmd_exec_shell(smsd_t)
+
+auth_use_nsswitch(smsd_t)
+
+logging_send_syslog_msg(smsd_t)
+
+optional_policy(`
+ mysql_stream_connect(smsd_t)
+')
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
new file mode 100644
index 000000000..8974ac9d2
--- /dev/null
+++ b/policy/modules/services/snmp.fc
@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+
+/usr/bin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
+
+/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
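Review bot: The `/var/net-snmp(/.*)` entry is missing the trailing `?` that every other directory pattern in this file carries, so the `/var/net-snmp` directory itself is not matched and keeps its parent's label on a relabel. Change it to `/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)`.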
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
new file mode 100644
index 000000000..d8a75680e
--- /dev/null
+++ b/policy/modules/services/snmp.if
@@ -0,0 +1,201 @@
+## <summary>Simple network management protocol services.</summary>
+
+########################################
+## <summary>
+## Connect to snmpd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
+########################################
+## <summary>
+## Connect to snmp over the TCP network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_tcp_connect',`
+ gen_require(`
+ type snmpd_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, snmpd_t)
+ corenet_tcp_sendrecv_snmp_port($1)
+ corenet_tcp_connect_snmp_port($1)
+ corenet_sendrecv_snmp_client_packets($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## snmp lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_dirs',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## snmp lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read snmpd lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## snmpd lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## snmpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an snmp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snmp_admin',`
+ gen_require(`
+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+ ')
+
+ allow $1 snmpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snmpd_t)
+
+ init_startstop_service($1, $2, snmpd_t, snmpd_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, snmpd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, snmpd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, snmpd_var_run_t)
+')
+
+# Gentoo stuff but cannot use ifdef distro_gentoo
+
+########################################
+## <summary>
+## Append to the snmp variable lib data
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_append_var_lib_files',`
+ gen_require(`
+ type snmp_var_lib_t;
+ ')
+
+ allow $1 snmp_var_lib_t:file append_file_perms;
+')
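Review bot: `snmp_append_var_lib_files` requires `type snmp_var_lib_t;`, but the type declared in snmp.te is `snmpd_var_lib_t`; no `snmp_var_lib_t` is declared anywhere in this module, so any caller of the interface fails at policy build time with an unresolved require. The fix is `type snmpd_var_lib_t;` in the gen_require, `allow $1 snmpd_var_lib_t:file append_file_perms;`, and `files_search_var_lib($1)` to match the sibling interfaces. Separately, `snmp_read_snmp_var_lib_files` omits `files_search_var_lib($1)` while `snmp_manage_var_lib_files` includes it, so a caller with no other path into /var/lib cannot reach the content it is granted.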
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
new file mode 100644
index 000000000..af4897d8f
--- /dev/null
+++ b/policy/modules/services/snmp.te
@@ -0,0 +1,185 @@
+policy_module(snmp, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t, snmpd_exec_t)
+
+type snmpd_initrc_exec_t;
+init_script_file(snmpd_initrc_exec_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config };
+dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:fifo_file rw_fifo_file_perms;
+allow snmpd_t self:unix_stream_socket { accept connectto listen };
+allow snmpd_t self:tcp_socket { accept listen };
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+
+manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
+
+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
+
+kernel_read_device_sysctls(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
+kernel_read_network_state(snmpd_t)
+kernel_read_system_state(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
+corenet_tcp_sendrecv_generic_if(snmpd_t)
+corenet_udp_sendrecv_generic_if(snmpd_t)
+corenet_tcp_sendrecv_generic_node(snmpd_t)
+corenet_udp_sendrecv_generic_node(snmpd_t)
+corenet_tcp_bind_generic_node(snmpd_t)
+corenet_udp_bind_generic_node(snmpd_t)
+
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_sendrecv_snmp_client_packets(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_tcp_connect_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+corenet_tcp_sendrecv_snmp_port(snmpd_t)
+corenet_udp_sendrecv_snmp_port(snmpd_t)
+
+corenet_sendrecv_snmp_client_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
+corenet_tcp_sendrecv_agentx_port(snmpd_t)
+corenet_udp_sendrecv_agentx_port(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+dev_getattr_usbfs_dirs(snmpd_t)
+
+domain_use_interactive_fds(snmpd_t)
+domain_signull_all_domains(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
+
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+fs_getattr_all_dirs(snmpd_t)
+fs_getattr_all_fs(snmpd_t)
+files_list_all(snmpd_t)
+files_search_all_mountpoints(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+storage_dontaudit_write_removable_device(snmpd_t)
+
+auth_use_nsswitch(snmpd_t)
+
+init_read_utmp(snmpd_t)
+init_dontaudit_write_utmp(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
+
+optional_policy(`
+ amanda_dontaudit_read_dumpdates(snmpd_t)
+')
+
+optional_policy(`
+ consoletype_exec(snmpd_t)
+')
+
+optional_policy(`
+ corosync_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(snmpd_t)
+')
+
+optional_policy(`
+ mta_read_config(snmpd_t)
+ mta_search_queue(snmpd_t)
+')
+
+optional_policy(`
+ ricci_stream_connect_modclusterd(snmpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+')
+
+optional_policy(`
+ rpm_read_db(snmpd_t)
+ rpm_dontaudit_manage_db(snmpd_t)
+')
+
+optional_policy(`
+ sendmail_read_log(snmpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`
+ squid_read_config(snmpd_t)
+')
+
+optional_policy(`
+ udev_read_db(snmpd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(snmpd_t)
+ kernel_write_xen_state(snmpd_t)
+
+ xen_stream_connect(snmpd_t)
+ xen_stream_connect_xenstore(snmpd_t)
+')
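Review bot: `sys_tty_config` is allowed on the `self:capability` line and dontaudited on the line directly below it; because the permission is granted, the dontaudit can never fire and one of the two should be dropped (presumably the dontaudit, unless the allow was meant to go). `corenet_sendrecv_snmp_server_packets` and `corenet_sendrecv_snmp_client_packets` each appear twice in the corenet block; the second copies are harmless but should be removed. The `sys_ptrace` capability combined with `domain_read_all_domains_state` is a broad grant for a network-facing daemon and would benefit from a comment naming the subagent or MIB that requires it.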
diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc
new file mode 100644
index 000000000..97797bd6a
--- /dev/null
+++ b/policy/modules/services/snort.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+
+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
+
+/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
+/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
new file mode 100644
index 000000000..e6ae26e5e
--- /dev/null
+++ b/policy/modules/services/snort.if
@@ -0,0 +1,58 @@
+## <summary>Snort network intrusion detection system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run snort.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snort_domtrans',`
+ gen_require(`
+ type snort_t, snort_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an snort environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+ allow $1 snort_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snort_t)
+
+ init_startstop_service($1, $2, snort_t, snort_initrc_exec_t)
+
+ admin_pattern($1, snort_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, snort_log_t)
+ logging_search_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+ files_search_pids($1)
+')
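Review bot: In `snort_admin` each `admin_pattern` call precedes its matching `files_search_etc`, `logging_search_logs` or `files_search_pids` call, the reverse of the order used by every other `*_admin` interface in this commit (search first, then `admin_pattern`). Reordering the three pairs, e.g. `files_search_etc($1)` followed by `admin_pattern($1, snort_etc_t)`, keeps the file consistent; behaviour is unaffected since the rules are unordered.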
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
new file mode 100644
index 000000000..9eaaa70ae
--- /dev/null
+++ b/policy/modules/services/snort.te
@@ -0,0 +1,117 @@
+policy_module(snort, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type snort_t;
+type snort_exec_t;
+init_daemon_domain(snort_t, snort_exec_t)
+
+type snort_etc_t;
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
+
+type snort_log_t;
+logging_log_file(snort_log_t)
+
+type snort_tmp_t;
+files_tmp_file(snort_tmp_t)
+
+type snort_var_run_t;
+files_pid_file(snort_var_run_t)
+init_daemon_pid_file(snort_var_run_t, dir, "snort")
+
+########################################
+#
+# Local policy
+#
+
+allow snort_t self:capability { dac_override net_admin net_raw setgid setuid };
+dontaudit snort_t self:capability sys_tty_config;
+allow snort_t self:process signal_perms;
+allow snort_t self:netlink_socket create_socket_perms;
+allow snort_t self:tcp_socket { accept listen };
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
+allow snort_t self:netlink_firewall_socket create_socket_perms;
+
+allow snort_t snort_etc_t:dir list_dir_perms;
+allow snort_t snort_etc_t:file read_file_perms;
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+create_files_pattern(snort_t, snort_log_t, snort_log_t)
+setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+write_files_pattern(snort_t, snort_log_t, snort_log_t)
+logging_log_filetrans(snort_t, snort_log_t, { file dir })
+
+manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
+
+manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
+files_pid_filetrans(snort_t, snort_var_run_t, file)
+
+kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
+kernel_list_proc(snort_t)
+kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
+kernel_dontaudit_read_system_state(snort_t)
+kernel_read_network_state(snort_t)
+
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
+corenet_tcp_sendrecv_generic_if(snort_t)
+corenet_udp_sendrecv_generic_if(snort_t)
+corenet_raw_sendrecv_generic_if(snort_t)
+corenet_tcp_sendrecv_generic_node(snort_t)
+corenet_udp_sendrecv_generic_node(snort_t)
+corenet_raw_sendrecv_generic_node(snort_t)
+corenet_tcp_sendrecv_all_ports(snort_t)
+corenet_udp_sendrecv_all_ports(snort_t)
+
+corenet_sendrecv_prelude_client_packets(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
+corenet_tcp_sendrecv_prelude_port(snort_t)
+
+dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
+dev_rw_generic_usb_dev(snort_t)
+
+domain_use_interactive_fds(snort_t)
+
+files_read_etc_files(snort_t)
+files_dontaudit_read_etc_runtime_files(snort_t)
+
+fs_getattr_all_fs(snort_t)
+fs_search_auto_mountpoints(snort_t)
+
+init_read_utmp(snort_t)
+
+logging_send_syslog_msg(snort_t)
+
+miscfiles_read_localization(snort_t)
+
+sysnet_dns_name_resolve(snort_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
+
+optional_policy(`
+ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snort_t)
+')
+
+optional_policy(`
+ udev_read_db(snort_t)
+')
diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc
new file mode 100644
index 000000000..d1880f66a
--- /dev/null
+++ b/policy/modules/services/soundserver.fc
@@ -0,0 +1,15 @@
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+
+/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
new file mode 100644
index 000000000..106e07002
--- /dev/null
+++ b/policy/modules/services/soundserver.if
@@ -0,0 +1,46 @@
+## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an soundd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
+ type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t;
+ type soundd_state_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, soundd_t)
+
+ init_startstop_service($1, $2, soundd_t, soundd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, soundd_etc_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, soundd_tmp_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, soundd_tmpfs_t)
+
+ files_list_var($1)
+ admin_pattern($1, soundd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
new file mode 100644
index 000000000..651420ca6
--- /dev/null
+++ b/policy/modules/services/soundserver.te
@@ -0,0 +1,109 @@
+policy_module(soundserver, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type soundd_t;
+type soundd_exec_t;
+init_daemon_domain(soundd_t, soundd_exec_t)
+
+type soundd_etc_t alias etc_soundd_t;
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
+
+type soundd_state_t;
+files_type(soundd_state_t)
+
+type soundd_tmp_t;
+files_tmp_file(soundd_tmp_t)
+
+type soundd_tmpfs_t;
+files_tmpfs_file(soundd_tmpfs_t)
+
+type soundd_var_run_t;
+files_pid_file(soundd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow soundd_t self:capability dac_override;
+dontaudit soundd_t self:capability sys_tty_config;
+allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:shm create_shm_perms;
+allow soundd_t self:tcp_socket create_stream_socket_perms;
+allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { accept connectto listen };
+
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+
+manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+
+manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
+
+manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(soundd_t)
+kernel_list_proc(soundd_t)
+kernel_read_proc_symlinks(soundd_t)
+
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
+corenet_tcp_sendrecv_generic_if(soundd_t)
+corenet_tcp_sendrecv_generic_node(soundd_t)
+corenet_tcp_bind_generic_node(soundd_t)
+
+corenet_sendrecv_soundd_server_packets(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_tcp_sendrecv_soundd_port(soundd_t)
+
+dev_read_sysfs(soundd_t)
+dev_read_sound(soundd_t)
+dev_write_sound(soundd_t)
+
+domain_use_interactive_fds(soundd_t)
+
+files_read_etc_files(soundd_t)
+files_read_etc_runtime_files(soundd_t)
+
+fs_getattr_all_fs(soundd_t)
+fs_search_auto_mountpoints(soundd_t)
+
+logging_send_syslog_msg(soundd_t)
+
+miscfiles_read_localization(soundd_t)
+
+sysnet_read_config(soundd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(soundd_t)
+')
+
+optional_policy(`
+ udev_read_db(soundd_t)
+')
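Review bot: The second section banner reads `# Declarations` although the block under it holds the domain's access rules; the other modules in this commit label that section `# Local policy`, so the header should read the same here.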
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
new file mode 100644
index 000000000..a8b3c019d
--- /dev/null
+++ b/policy/modules/services/spamassassin.fc
@@ -0,0 +1,39 @@
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+
+/etc/rc\.d/init\.d/spamassassin -- gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
+
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/lib/systemd/system/spamassassin\.service -- gen_context(system_u:object_r:spamassassin_unit_t,s0)
+
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
+
+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+
+/var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
+/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamd\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
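Review bot: `/usr/bin/spamassassin` is labeled `spamc_exec_t` (third entry in the /usr/bin group) and no path in this file is labeled `spamassassin_exec_t`, so the standalone `spamassassin_t` domain that `spamassassin_role` transitions into appears unreachable from a filesystem labeled by this module alone. That matters because the network access of `spamassassin_t` is gated by the `spamassassin_can_network` tunable, whereas `spamc_t` gets unconditional connect access to all TCP ports; with this labeling the tunable never applies to the standalone client. Unless another module's file contexts supply the label, either add `/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)` or document in the .te that `spamassassin_exec_t` is intentionally unlabeled. Separately, the MIMEDefang quarantine directories (`/var/spool/MD-Quarantine`, `/var/spool/MIMEDefang`) are typed `spamd_var_run_t` while every other spool path uses `spamd_spool_t`; a pid-file type for quarantined mail looks like a mislabel rather than a deliberate choice and deserves a comment if it is intended.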
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
new file mode 100644
index 000000000..75550eec9
--- /dev/null
+++ b/policy/modules/services/spamassassin.if
@@ -0,0 +1,435 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+########################################
+## <summary>
+## Role access for spamassassin.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`spamassassin_role',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+ type spamassassin_t, spamassassin_exec_t, spamd_home_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
+ ')
+
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+
+ admin_process_pattern($2, { spamc_t spamassassin_t })
+
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
+ userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
+')
+
+########################################
+## <summary>
+## Execute sa-update in the spamd-update domain,
+## and allow the specified role
+## the spamd-update domain. Also allow transitive
+## access to the private gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_run_update',`
+ gen_require(`
+ type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+ ')
+
+ role $2 types { spamd_gpg_t spamd_update_t };
+ domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
+')
+
+########################################
+## <summary>
+## Execute the standalone spamassassin
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec',`
+ gen_require(`
+ type spamassassin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, spamassassin_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to spamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_signal_spamd',`
+ gen_require(`
+ type spamd_t;
+ ')
+
+ allow $1 spamd_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute spamd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_spamd',`
+ gen_require(`
+ type spamd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, spamd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute spamc in the spamc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_client',`
+ gen_require(`
+ type spamc_t, spamc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
+')
+
+########################################
+## <summary>
+## Execute spamc in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_client',`
+ gen_require(`
+ type spamc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, spamc_exec_t)
+')
+
+########################################
+## <summary>
+## Send kill signals to spamc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute spamassassin standalone client
+## in the user spamassassin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_local_client',`
+ gen_require(`
+ type spamassassin_t, spamassassin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## spamd home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_spamd_home_content',`
+ gen_require(`
+ type spamd_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 spamd_home_t:dir manage_dir_perms;
+ allow $1 spamd_home_t:file manage_file_perms;
+ allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel spamd home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_relabel_spamd_home_content',`
+ gen_require(`
+ type spamd_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 spamd_home_t:dir relabel_dir_perms;
+ allow $1 spamd_home_t:file relabel_file_perms;
+ allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the spamd home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`spamassassin_home_filetrans_spamd_home',`
+ gen_require(`
+ type spamd_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read spamd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_spamd_pid_files',`
+ gen_require(`
+ type spamd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read temporary spamd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_spamd_tmp_files',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ allow $1 spamd_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of temporary spamd sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ dontaudit $1 spamd_tmp_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Connect to spamd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_stream_connect_spamd',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an spamassassin environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_admin',`
+ gen_require(`
+ type spamd_t, spamd_tmp_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+ type spamd_initrc_exec_t, spamassassin_unit_t;
+ type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;
+ ')
+
+ admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
+
+ init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, spamd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, spamd_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, spamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+
+ # This makes it impossible to apply _admin if _role has already been applied
+ #spamassassin_role($2, $1)
+
+ # sa-update
+ spamassassin_run_update($1, $2)
+')
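Review bot: `spamassassin_admin` passes only `spamd_initrc_exec_t` to `init_startstop_service`, but this commit also declares `spamassassin_initrc_exec_t` (in spamassassin.te) and labels `/etc/rc.d/init.d/spamassassin` with it (in spamassassin.fc), so an admin granted this interface cannot start or stop the service through that script in the initrc domain. Add `type spamassassin_initrc_exec_t;` to the `gen_require` block and pass the set, e.g. `init_startstop_service($1, $2, spamd_t, { spamd_initrc_exec_t spamassassin_initrc_exec_t }, spamassassin_unit_t)`, which the underlying domtrans pattern accepts. While here, `spamassassin_read_spamd_tmp_files` grants `read_file_perms` on `spamd_tmp_t` without a `files_search_tmp($1)`, unlike the pid and lib read interfaces above it that include the directory search; callers will hit a denial on `tmp_t:dir search` unless they already have it from elsewhere.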
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
new file mode 100644
index 000000000..000c67eab
--- /dev/null
+++ b/policy/modules/services/spamassassin.te
@@ -0,0 +1,573 @@
+policy_module(spamassassin, 2.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether spamassassin
+## clients can use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network, false)
+
+## <desc>
+## <p>
+## Determine whether spamd can manage
+## generic user home content.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs, false)
+
+type spamd_update_t;
+type spamd_update_exec_t;
+init_system_domain(spamd_update_t, spamd_update_exec_t)
+
+type spamd_update_tmp_t;
+files_tmp_file(spamd_update_tmp_t)
+
+type spamassassin_t;
+type spamassassin_exec_t;
+typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
+
+type spamassassin_home_t;
+typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+userdom_user_home_content(spamassassin_home_t)
+
+type spamassassin_initrc_exec_t;
+init_script_file(spamassassin_initrc_exec_t)
+
+type spamassassin_tmp_t;
+typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+userdom_user_tmp_file(spamassassin_tmp_t)
+
+type spamassassin_unit_t;
+init_unit_file(spamassassin_unit_t)
+
+type spamc_t;
+type spamc_exec_t;
+typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
+
+type spamc_tmp_t;
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+userdom_user_tmp_file(spamc_tmp_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t, spamd_exec_t)
+
+type spamd_compiled_t;
+files_type(spamd_compiled_t)
+
+type spamd_etc_t;
+files_config_file(spamd_etc_t)
+
+type spamd_gpg_t;
+domain_type(spamd_gpg_t)
+
+type spamd_home_t;
+userdom_user_home_content(spamd_home_t)
+
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
+type spamd_log_t;
+logging_log_file(spamd_log_t)
+
+type spamd_spool_t;
+files_type(spamd_spool_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+########################################
+#
+# Standalone local policy
+#
+
+allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
+
+manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_getattr_all_fs(spamassassin_t)
+fs_search_auto_mountpoints(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket { accept listen };
+
+ corenet_all_recvfrom_unlabeled(spamassassin_t)
+ corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_generic_node(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamassassin_t)
+ fs_manage_nfs_files(spamassassin_t)
+ fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamassassin_t)
+ fs_manage_cifs_files(spamassassin_t)
+ fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+ tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+')
+
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow spamc_t self:capability dac_override;
+allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket { accept connectto listen };
+allow spamc_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
+
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+
+kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+
+corenet_sendrecv_all_client_packets(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+
+corecmd_exec_bin(spamc_t)
+
+dev_read_rand(spamc_t)
+dev_read_urand(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+fs_getattr_all_fs(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
+
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_list_home(spamc_t)
+files_list_var_lib(spamc_t)
+
+auth_use_nsswitch(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+userdom_use_inherited_user_terminals(spamc_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamc_t)
+ fs_manage_nfs_files(spamc_t)
+ fs_manage_nfs_symlinks(spamc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamc_t)
+ fs_manage_cifs_files(spamc_t)
+ fs_manage_cifs_symlinks(spamc_t)
+')
+
+optional_policy(`
+ abrt_stream_connect(spamc_t)
+')
+
+optional_policy(`
+ amavis_manage_spool_files(spamc_t)
+')
+
+optional_policy(`
+ evolution_stream_connect(spamc_t)
+')
+
+optional_policy(`
+ milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
+ mta_send_mail(spamc_t)
+ mta_read_config(spamc_t)
+ mta_read_queue(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ sendmail_stub(spamc_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
+ postfix_rw_inherited_master_pipes(spamc_t)
+')
+
+########################################
+#
+# Daemon local policy
+#
+
+allow spamd_t self:capability { dac_override kill setgid setuid };
+allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket { accept connectto listen };
+allow spamd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
+manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
+
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
+
+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+
+allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(spamd_t, spamd_log_t, file)
+
+manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+
+can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
+
+kernel_read_all_sysctls(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
+corenet_tcp_sendrecv_generic_if(spamd_t)
+corenet_udp_sendrecv_generic_if(spamd_t)
+corenet_tcp_sendrecv_generic_node(spamd_t)
+corenet_udp_sendrecv_generic_node(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_udp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_generic_node(spamd_t)
+corenet_udp_bind_generic_node(spamd_t)
+
+corenet_sendrecv_spamd_server_packets(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
+
+corenet_sendrecv_smtp_client_packets(spamd_t)
+corenet_tcp_connect_smtp_port(spamd_t)
+
+corenet_sendrecv_generic_server_packets(spamd_t)
+corenet_udp_bind_generic_port(spamd_t)
+
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
+
+corenet_dontaudit_udp_bind_all_ports(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+auth_use_nsswitch(spamd_t)
+
+libs_use_ld_so(spamd_t)
+libs_use_shared_libs(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_use_ldap(spamd_t)
+
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamd_t)
+ fs_manage_nfs_files(spamd_t)
+ fs_manage_nfs_symlinks(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamd_t)
+ fs_manage_cifs_files(spamd_t)
+ fs_manage_cifs_symlinks(spamd_t)
+')
+
+optional_policy(`
+ amavis_manage_lib_files(spamd_t)
+')
+
+optional_policy(`
+ clamav_stream_connect(spamd_t)
+')
+
+optional_policy(`
+ cron_system_entry(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ dcc_domtrans_cdcc(spamd_t)
+ dcc_domtrans_client(spamd_t)
+ dcc_signal_client(spamd_t)
+ dcc_stream_connect_dccifd(spamd_t)
+')
+
+optional_policy(`
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+')
+
+optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
+ mta_getattr_spool(spamd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(spamd_t)
+ mysql_tcp_connect(spamd_t)
+')
+
+optional_policy(`
+ postfix_read_config(spamd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(spamd_t)
+ postgresql_tcp_connect(spamd_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(spamd_t)
+ pyzor_signal(spamd_t)
+')
+
+optional_policy(`
+ razor_domtrans(spamd_t)
+ razor_read_lib_files(spamd_t)
+ razor_manage_home_content(spamd_t)
+')
+
+optional_policy(`
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+ mta_send_mail(spamd_t)
+')
+
+optional_policy(`
+ udev_read_db(spamd_t)
+')
+
+########################################
+#
+# Update local policy
+#
+
+allow spamd_update_t self:capability dac_read_search;
+allow spamd_update_t self:process signal;
+allow spamd_update_t self:fifo_file manage_fifo_file_perms;
+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
+
+manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+
+kernel_read_system_state(spamd_update_t)
+
+corecmd_exec_bin(spamd_update_t)
+corecmd_exec_shell(spamd_update_t)
+
+corenet_all_recvfrom_unlabeled(spamd_update_t)
+corenet_all_recvfrom_netlabel(spamd_update_t)
+corenet_tcp_sendrecv_generic_if(spamd_update_t)
+corenet_tcp_sendrecv_generic_node(spamd_update_t)
+corenet_tcp_sendrecv_all_ports(spamd_update_t)
+corenet_sendrecv_http_client_packets(spamd_update_t)
+corenet_tcp_connect_http_port(spamd_update_t)
+corenet_tcp_sendrecv_http_port(spamd_update_t)
+corenet_tcp_bind_generic_node(spamd_update_t)
+corenet_udp_bind_generic_node(spamd_update_t)
+
+dev_read_urand(spamd_update_t)
+
+domain_use_interactive_fds(spamd_update_t)
+
+files_read_usr_files(spamd_update_t)
+
+fs_getattr_xattr_fs(spamd_update_t)
+
+auth_use_nsswitch(spamd_update_t)
+auth_dontaudit_read_shadow(spamd_update_t)
+
+miscfiles_read_localization(spamd_update_t)
+
+userdom_use_inherited_user_terminals(spamd_update_t)
+userdom_dontaudit_search_user_home_dirs(spamd_update_t)
+userdom_dontaudit_search_user_home_content(spamd_update_t)
+
+optional_policy(`
+ cron_system_entry(spamd_update_t, spamd_update_exec_t)
+')
+
+optional_policy(`
+ gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
+ gpg_entry_type(spamd_gpg_t)
+ role system_r types spamd_gpg_t;
+
+ allow spamd_gpg_t self:capability { dac_override dac_read_search };
+ allow spamd_gpg_t self:unix_stream_socket { connect create };
+
+ allow spamd_gpg_t spamd_update_t:fd use;
+ allow spamd_gpg_t spamd_update_t:process sigchld;
+ allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
+ allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
+ allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
+ allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
+
+ # fips
+ kernel_read_crypto_sysctls(spamd_gpg_t)
+
+ domain_use_interactive_fds(spamd_gpg_t)
+
+ files_read_etc_files(spamd_gpg_t)
+ files_read_usr_files(spamd_gpg_t)
+ files_search_var_lib(spamd_gpg_t)
+ files_search_pids(spamd_gpg_t)
+ files_search_tmp(spamd_gpg_t)
+
+ init_use_fds(spamd_gpg_t)
+ init_rw_inherited_stream_socket(spamd_gpg_t)
+
+ miscfiles_read_localization(spamd_gpg_t)
+
+ userdom_use_inherited_user_terminals(spamd_gpg_t)
+')
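Review bot: `spamd_t` is the only domain in this module that can write `spamd_compiled_t` (the `manage_dirs_pattern`/`manage_files_pattern` lines in the daemon section) and it is also allowed to execute that type (`can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })`), so the process that parses untrusted mail can drop native code under /var/lib/spamassassin/compiled and have it loaded on the next start. The update side, `spamd_update_t`, gets `spamd_var_lib_t` but nothing on `spamd_compiled_t`, and sa-compile is not labeled anywhere in this commit, so it is unclear which domain is meant to produce the compiled rules. If sa-compile is expected to run from the update path, give it the write access there — `manage_dirs_pattern(spamd_update_t, spamd_compiled_t, spamd_compiled_t)`, `manage_files_pattern(spamd_update_t, spamd_compiled_t, spamd_compiled_t)`, `filetrans_pattern(spamd_update_t, spamd_var_lib_t, spamd_compiled_t, dir, "compiled")` — and reduce `spamd_t` to list/read plus the existing `can_exec`, so write and execute are no longer held by the same domain. If spamd itself must write the cache, a comment on the manage lines saying why is warranted, since the W+X combination is otherwise a natural persistence point for a compromised daemon.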
diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc
new file mode 100644
index 000000000..48fe2da36
--- /dev/null
+++ b/policy/modules/services/speedtouch.fc
@@ -0,0 +1,5 @@
+/usr/bin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
+/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
+/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0)
diff --git a/policy/modules/services/speedtouch.if b/policy/modules/services/speedtouch.if
new file mode 100644
index 000000000..826e2db0b
--- /dev/null
+++ b/policy/modules/services/speedtouch.if
@@ -0,0 +1 @@
+## <summary>Alcatel speedtouch USB ADSL modem</summary>
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
new file mode 100644
index 000000000..68b45e060
--- /dev/null
+++ b/policy/modules/services/speedtouch.te
@@ -0,0 +1,61 @@
+policy_module(speedtouch, 1.7.0)
+
+#######################################
+#
+# Declarations
+#
+
+type speedmgmt_t;
+type speedmgmt_exec_t;
+init_daemon_domain(speedmgmt_t, speedmgmt_exec_t)
+
+type speedmgmt_tmp_t;
+files_tmp_file(speedmgmt_tmp_t)
+
+type speedmgmt_var_run_t;
+files_pid_file(speedmgmt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit speedmgmt_t self:capability sys_tty_config;
+allow speedmgmt_t self:process signal_perms;
+
+manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
+
+manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t)
+files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file)
+
+kernel_read_kernel_sysctls(speedmgmt_t)
+kernel_list_proc(speedmgmt_t)
+kernel_read_proc_symlinks(speedmgmt_t)
+
+dev_read_sysfs(speedmgmt_t)
+dev_read_usbfs(speedmgmt_t)
+
+domain_use_interactive_fds(speedmgmt_t)
+
+files_read_etc_files(speedmgmt_t)
+files_read_usr_files(speedmgmt_t)
+
+fs_getattr_all_fs(speedmgmt_t)
+fs_search_auto_mountpoints(speedmgmt_t)
+
+logging_send_syslog_msg(speedmgmt_t)
+
+miscfiles_read_localization(speedmgmt_t)
+
+userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(speedmgmt_t)
+')
+
+optional_policy(`
+ udev_read_db(speedmgmt_t)
+')
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
new file mode 100644
index 000000000..4d838b278
--- /dev/null
+++ b/policy/modules/services/squid.fc
@@ -0,0 +1,22 @@
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+
+/usr/bin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
+
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
new file mode 100644
index 000000000..2443afbde
--- /dev/null
+++ b/policy/modules/services/squid.if
@@ -0,0 +1,243 @@
+## <summary>Squid caching http proxy server.</summary>
+
+########################################
+## <summary>
+## Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`squid_domtrans',`
+ gen_require(`
+ type squid_t, squid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, squid_exec_t, squid_t)
+')
+
+########################################
+## <summary>
+## Execute squid in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_exec',`
+ gen_require(`
+ type squid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, squid_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to squid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_signal',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write squid unix
+## domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## squid cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_cache',`
+ gen_require(`
+ type squid_cache_t;
+ ')
+
+ dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read squid configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_config',`
+ gen_require(`
+ type squid_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, squid_conf_t, squid_conf_t)
+')
+
+########################################
+## <summary>
+## Read squid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Append squid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_append_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## squid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_manage_logs',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an squid environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+ type squid_log_t, squid_var_run_t, squid_tmpfs_t;
+ type squid_initrc_exec_t, squid_tmp_t;
+ ')
+
+ allow $1 squid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, squid_t)
+
+ init_startstop_service($1, $2, squid_t, squid_initrc_exec_t)
+
+ files_list_var($1)
+ admin_pattern($1, squid_cache_t)
+
+ files_list_etc($1)
+ admin_pattern($1, squid_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, squid_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, squid_var_run_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, squid_tmpfs_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, squid_tmp_t)
+')
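Review bot: The interface name `squid_dontaudit_read_tmpfs_files` does not match its body, which only dontaudits `getattr` on `squid_tmpfs_t:file` (not `read`), and its summary says "statting". Since renaming an interface would break existing callers, the safer fix is to make the documentation precise: `## Do not audit attempts to get attributes of squid tmpfs files.`, and `## Domain to not audit.` for the parameter to match the wording used by `squid_dontaudit_search_cache`. The `<rolecap/>` tag on these two dontaudit interfaces also looks out of place, as it normally marks interfaces that grant real access to a role; this may be inherited from the contrib history, so worth confirming rather than changing blindly.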
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
new file mode 100644
index 000000000..05a87c133
--- /dev/null
+++ b/policy/modules/services/squid.te
@@ -0,0 +1,252 @@
+policy_module(squid, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether squid can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any, false)
+
+## <desc>
+## <p>
+## Determine whether squid can run
+## as a transparent proxy.
+## </p>
+## </desc>
+gen_tunable(squid_use_tproxy, false)
+
+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t, squid_exec_t)
+
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_initrc_exec_t;
+init_script_file(squid_initrc_exec_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_tmp_t;
+files_tmp_file(squid_tmp_t)
+
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow squid_t self:fifo_file rw_fifo_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket { accept connectto listen };
+allow squid_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+
+allow squid_t squid_conf_t:dir list_dir_perms;
+allow squid_t squid_conf_t:file read_file_perms;
+allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
+logging_log_filetrans(squid_t, squid_log_t, { file dir })
+
+manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
+manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
+files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
+
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
+manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+can_exec(squid_t, squid_exec_t)
+
+kernel_read_kernel_sysctls(squid_t)
+kernel_read_system_state(squid_t)
+kernel_read_network_state(squid_t)
+
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
+corenet_tcp_sendrecv_generic_if(squid_t)
+corenet_udp_sendrecv_generic_if(squid_t)
+corenet_tcp_sendrecv_generic_node(squid_t)
+corenet_udp_sendrecv_generic_node(squid_t)
+corenet_tcp_bind_generic_node(squid_t)
+corenet_udp_bind_generic_node(squid_t)
+
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_tcp_connect_http_port(squid_t)
+corenet_sendrecv_http_server_packets(squid_t)
+corenet_tcp_bind_http_port(squid_t)
+corenet_tcp_sendrecv_http_port(squid_t)
+
+corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_tcp_connect_http_cache_port(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_sendrecv_http_cache_port(squid_t)
+corenet_udp_sendrecv_http_cache_port(squid_t)
+
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_sendrecv_ftp_server_packets(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_tcp_sendrecv_ftp_port(squid_t)
+
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_sendrecv_gopher_server_packets(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_sendrecv_gopher_port(squid_t)
+corenet_udp_sendrecv_gopher_port(squid_t)
+
+corenet_sendrecv_squid_server_packets(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
+corenet_tcp_sendrecv_squid_port(squid_t)
+corenet_udp_sendrecv_squid_port(squid_t)
+
+corenet_sendrecv_wccp_server_packets(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
+corenet_udp_sendrecv_wccp_port(squid_t)
+
+corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
+corenet_tcp_sendrecv_pgpkeyserver_port(squid_t)
+
+corecmd_exec_bin(squid_t)
+corecmd_exec_shell(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+domain_use_interactive_fds(squid_t)
+
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
+files_getattr_home_dir(squid_t)
+files_dontaudit_getattr_boot_dirs(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+fs_list_inotifyfs(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_getattr_pty_dirs(squid_t)
+
+auth_use_nsswitch(squid_t)
+auth_domtrans_chk_passwd(squid_t)
+
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_generic_certs(squid_t)
+miscfiles_read_localization(squid_t)
+miscfiles_read_generic_tls_privkey(squid_t)
+
+userdom_use_unpriv_users_fds(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
+
+tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+ corenet_sendrecv_all_packets(squid_t)
+ corenet_tcp_sendrecv_all_ports(squid_t)
+')
+
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_sendrecv_netport_server_packets(squid_t)
+ corenet_tcp_bind_netport_port(squid_t)
+ corenet_tcp_sendrecv_netport_port(squid_t)
+')
+
+optional_policy(`
+ apache_content_template(squid)
+
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
+
+ corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+ corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+ squid_read_config(httpd_squid_script_t)
+')
+
+optional_policy(`
+ cron_system_entry(squid_t, squid_exec_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(squid_t)
+ kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
+')
+
+optional_policy(`
+ mysql_stream_connect(squid_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(squid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`
+ udev_read_db(squid_t)
+')
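Review bot: The `squid_connect_any` tunable is documented as letting squid "connect to all TCP ports", but the `tunable_policy` block also grants `corenet_tcp_bind_all_ports(squid_t)` and `corenet_sendrecv_all_packets(squid_t)`, so enabling it also lets the proxy listen on any port. An administrator reading only the description would underestimate what the boolean turns on; the `<desc>` should say so, e.g. `## Determine whether squid can connect to and bind all TCP ports.`, or the bind rule should move under a separate tunable. Separately, the `self:process` rule near the top of the local policy grants almost the full permission set (`transition`, `dyntransition`, `share`, `siginh`, `noatsecure`, `rlimitinh`, …); squid probably needs only a few of these, so this reads like a copied full list and is a candidate for trimming, though which ones are actually exercised cannot be confirmed from the policy alone.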
diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
new file mode 100644
index 000000000..ef8a215ba
--- /dev/null
+++ b/policy/modules/services/sssd.fc
@@ -0,0 +1,17 @@
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+
+/usr/bin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+
+/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
new file mode 100644
index 000000000..bdb7f8810
--- /dev/null
+++ b/policy/modules/services/sssd.if
@@ -0,0 +1,358 @@
+## <summary>System Security Services Daemon.</summary>
+
+#######################################
+## <summary>
+## Get attributes of sssd executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_getattr_exec',`
+ gen_require(`
+ type sssd_exec_t;
+ ')
+
+ allow $1 sssd_exec_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run sssd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_domtrans',`
+ gen_require(`
+ type sssd_t, sssd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+')
+
+########################################
+## <summary>
+## Execute sssd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_initrc_domtrans',`
+ gen_require(`
+ type sssd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read sssd configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_config',`
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
+ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
+######################################
+## <summary>
+## Write sssd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_write_config',`
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
+####################################
+## <summary>
+## Create, read, write, and delete
+## sssd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_config',`
+ gen_require(`
+ type sssd_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
+########################################
+## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ allow $1 sssd_public_t:dir list_dir_perms;
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
+## Read sssd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_pid_files',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sssd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sssd pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_pids',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+')
+
+########################################
+## <summary>
+## Search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## sssd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dbus_chat',`
+ gen_require(`
+ type sssd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 sssd_t:dbus send_msg;
+ allow sssd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to sssd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sssd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_admin',`
+ gen_require(`
+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
+ type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
+ type sssd_var_log_t;
+ ')
+
+ allow $1 sssd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sssd_t)
+
+ init_startstop_service($1, $2, sssd_t, sssd_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, sssd_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { sssd_var_lib_t sssd_public_t })
+
+ files_search_pids($1)
+ admin_pattern($1, sssd_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, sssd_var_log_t)
+')
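Review bot: `sssd_stream_connect` calls `files_search_pids($1)` but the socket directory it connects through is `sssd_var_lib_t` (`stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)`), and sssd.fc labels that tree under `/var/lib/sss`. Callers therefore get search on `/run` but not on `/var/lib`, so the path to the socket may be unreachable unless the caller already has it from elsewhere; the search helper should match the directory type, i.e. replace the line with `sssd_search_lib($1)` (which also supplies `files_search_var_lib`). If the socket is in fact created under `/run` on the deployments this targets, the pattern's directory type is what needs adjusting instead.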
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
new file mode 100644
index 000000000..32c9761b1
--- /dev/null
+++ b/policy/modules/services/sssd.te
@@ -0,0 +1,129 @@
+policy_module(sssd, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_conf_t;
+files_config_file(sssd_conf_t)
+
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+mls_trusted_object(sssd_var_lib_t)
+
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource };
+allow sssd_t self:capability2 block_suspend;
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+allow sssd_t self:fifo_file rw_fifo_file_perms;
+allow sssd_t self:key manage_key_perms;
+allow sssd_t self:unix_stream_socket { accept connectto listen };
+
+read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
+
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
+
+append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+kernel_read_network_state(sssd_t)
+kernel_read_system_state(sssd_t)
+
+corenet_all_recvfrom_unlabeled(sssd_t)
+corenet_all_recvfrom_netlabel(sssd_t)
+corenet_udp_sendrecv_generic_if(sssd_t)
+corenet_udp_sendrecv_generic_node(sssd_t)
+corenet_udp_sendrecv_all_ports(sssd_t)
+corenet_udp_bind_generic_node(sssd_t)
+
+corenet_sendrecv_generic_server_packets(sssd_t)
+corenet_udp_bind_generic_port(sssd_t)
+corenet_dontaudit_udp_bind_all_ports(sssd_t)
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+dev_read_sysfs(sssd_t)
+
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_etc_runtime_files(sssd_t)
+files_read_usr_files(sssd_t)
+files_list_var_lib(sssd_t)
+
+fs_list_inotifyfs(sssd_t)
+
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
+# seutil_rw_login_config_dirs(sssd_t)
+# seutil_manage_login_config_files(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+mls_socket_read_to_clearance(sssd_t)
+mls_socket_write_to_clearance(sssd_t)
+mls_trusted_object(sssd_t)
+
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+auth_manage_cache(sssd_t)
+
+init_read_utmp(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_generic_certs(sssd_t)
+miscfiles_read_localization(sssd_t)
+
+sysnet_dns_name_resolve(sssd_t)
+sysnet_use_ldap(sssd_t)
+
+optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+')
+
+optional_policy(`
+ kerberos_read_config(sssd_t)
+ kerberos_manage_host_rcache(sssd_t)
+ kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
+')
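Review bot: `sssd_public_t` is declared with `files_pid_file(sssd_public_t)`, yet sssd.fc applies it to `/var/lib/sss/mc(/.*)?` and `/var/lib/sss/pubconf(/.*)?` and the interfaces reach it via `sssd_search_lib`, so the type carries the pid-file attribute for content that lives under `/var/lib`. Any domain granted blanket access to pid files through that attribute would also reach the sssd memory cache and public config, which is broader than the "public files" interfaces suggest; if these are not runtime files, `files_type(sssd_public_t)` is the more accurate declaration. This may be a historical leftover from when the cache lived under `/run`, so it is worth checking the actual layout before changing it. The capability line also includes `sys_admin` and `net_admin` alongside `dac_override`; a short comment naming what sssd uses each for would help future least-privilege reviews.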
diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc
new file mode 100644
index 000000000..d85430625
--- /dev/null
+++ b/policy/modules/services/stunnel.fc
@@ -0,0 +1,7 @@
+/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
new file mode 100644
index 000000000..038efa890
--- /dev/null
+++ b/policy/modules/services/stunnel.if
@@ -0,0 +1,46 @@
+## <summary>SSL Tunneling Proxy.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the stunnel inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+ gen_require(`
+ type stunnel_t;
+ ')
+
+ domtrans_pattern(stunnel_t, $2, $1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read stunnel configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stunnel_read_config',`
+ gen_require(`
+ type stunnel_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 stunnel_etc_t:dir list_dir_perms;
+ allow $1 stunnel_etc_t:file read_file_perms;
+ allow $1 stunnel_etc_t:lnk_file read_lnk_file_perms;
+')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
new file mode 100644
index 000000000..a68d2b78f
--- /dev/null
+++ b/policy/modules/services/stunnel.te
@@ -0,0 +1,109 @@
+policy_module(stunnel, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type stunnel_t;
+type stunnel_exec_t;
+init_daemon_domain(stunnel_t, stunnel_exec_t)
+
+type stunnel_etc_t;
+files_config_file(stunnel_etc_t)
+
+type stunnel_tmp_t;
+files_tmp_file(stunnel_tmp_t)
+
+type stunnel_var_run_t;
+files_pid_file(stunnel_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+dontaudit stunnel_t self:capability sys_tty_config;
+allow stunnel_t self:process signal_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
+allow stunnel_t self:tcp_socket { accept listen };
+allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+allow stunnel_t stunnel_etc_t:file read_file_perms;
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+
+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(stunnel_t)
+kernel_read_system_state(stunnel_t)
+kernel_read_network_state(stunnel_t)
+
+corecmd_exec_bin(stunnel_t)
+
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
+corenet_tcp_sendrecv_generic_if(stunnel_t)
+corenet_tcp_sendrecv_generic_node(stunnel_t)
+corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_all_ports(stunnel_t)
+corenet_tcp_bind_generic_node(stunnel_t)
+
+corenet_sendrecv_all_client_packets(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
+
+dev_read_sysfs(stunnel_t)
+dev_read_urand(stunnel_t)
+
+domain_use_interactive_fds(stunnel_t)
+
+files_read_etc_runtime_files(stunnel_t)
+files_search_home(stunnel_t)
+
+fs_getattr_all_fs(stunnel_t)
+fs_search_auto_mountpoints(stunnel_t)
+
+auth_use_nsswitch(stunnel_t)
+
+logging_send_syslog_msg(stunnel_t)
+
+miscfiles_read_generic_certs(stunnel_t)
+miscfiles_read_localization(stunnel_t)
+miscfiles_read_generic_tls_privkey(stunnel_t)
+
+userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+userdom_dontaudit_search_user_home_dirs(stunnel_t)
+
+optional_policy(`
+ daemontools_service_domain(stunnel_t, stunnel_exec_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(stunnel_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(stunnel_t)
+')
+
+optional_policy(`
+ udev_read_db(stunnel_t)
+')
+
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+ type stunnel_port_t;
+')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
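Review bot: `stunnel_t` is granted `corenet_tcp_bind_all_ports` and `corenet_tcp_connect_all_ports` unconditionally in the local policy, while the trailing `gen_require`/`name_bind` hack already gives it its own `stunnel_port_t`, so the all-ports bind is redundant for the common listen case and lets a compromised tunnel listen on or connect to any labeled port. Consider gating the two all-ports rules behind a tunable, in the same style as `squid_connect_any` in squid.te, with a `<desc>` stating that it allows stunnel to bind and connect to any TCP port. Which ports a given deployment tunnels is not visible here, so the default value of such a tunable is a judgment call. The bare `gen_require` at module top level also means the whole module fails to load if `stunnel_port_t` is absent from corenetwork; the existing comment explains why, but it would help to state that consequence too.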
diff --git a/policy/modules/services/svnserve.fc b/policy/modules/services/svnserve.fc
new file mode 100644
index 000000000..b1da9ca2d
--- /dev/null
+++ b/policy/modules/services/svnserve.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+
+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
+
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+
+/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
diff --git a/policy/modules/services/svnserve.if b/policy/modules/services/svnserve.if
new file mode 100644
index 000000000..618dccb3e
--- /dev/null
+++ b/policy/modules/services/svnserve.if
@@ -0,0 +1,32 @@
+## <summary>Server for the svn repository access method.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an svnserve environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`svnserve_admin',`
+ gen_require(`
+ type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
+ ')
+
+ allow $1 svnserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, svnserve_t)
+
+ init_startstop_service($1, $2, svnserve_t, svnserve_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, svnserve_var_run_t)
+')
diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te
new file mode 100644
index 000000000..5fcd8b412
--- /dev/null
+++ b/policy/modules/services/svnserve.te
@@ -0,0 +1,59 @@
+policy_module(svnserve, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type svnserve_t;
+type svnserve_exec_t;
+init_daemon_domain(svnserve_t, svnserve_exec_t)
+
+type svnserve_initrc_exec_t;
+init_script_file(svnserve_initrc_exec_t)
+
+type svnserve_content_t;
+files_type(svnserve_content_t)
+
+type svnserve_var_run_t;
+files_pid_file(svnserve_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow svnserve_t self:fifo_file rw_fifo_file_perms;
+allow svnserve_t self:tcp_socket create_stream_socket_perms;
+allow svnserve_t self:unix_stream_socket { listen accept };
+
+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+
+manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+files_read_etc_files(svnserve_t)
+files_read_usr_files(svnserve_t)
+
+corenet_all_recvfrom_unlabeled(svnserve_t)
+corenet_all_recvfrom_netlabel(svnserve_t)
+corenet_tcp_sendrecv_generic_if(svnserve_t)
+corenet_udp_sendrecv_generic_if(svnserve_t)
+corenet_tcp_sendrecv_generic_node(svnserve_t)
+corenet_udp_sendrecv_generic_node(svnserve_t)
+corenet_tcp_bind_generic_node(svnserve_t)
+corenet_udp_bind_generic_node(svnserve_t)
+
+corenet_sendrecv_svn_server_packets(svnserve_t)
+corenet_tcp_bind_svn_port(svnserve_t)
+corenet_tcp_sendrecv_svn_port(svnserve_t)
+corenet_udp_bind_svn_port(svnserve_t)
+corenet_udp_sendrecv_svn_port(svnserve_t)
+
+logging_send_syslog_msg(svnserve_t)
+
+miscfiles_read_localization(svnserve_t)
+
+sysnet_dns_name_resolve(svnserve_t)
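Review bot: The UDP grants from `corenet_udp_sendrecv_generic_if(svnserve_t)` through `corenet_udp_sendrecv_svn_port(svnserve_t)` have no matching `self:udp_socket` rule in this file; the only local socket permissions are `self:tcp_socket create_stream_socket_perms` and `self:unix_stream_socket { listen accept }`. Generic UDP socket creation may arrive indirectly through `sysnet_dns_name_resolve(svnserve_t)` (worth confirming against that interface), in which case these lines let a TCP-only listener bind the UDP svn port on any node, which is broader than least privilege calls for; if it does not, the lines are dead. Either drop `corenet_udp_bind_generic_node`, `corenet_udp_bind_svn_port` and `corenet_udp_sendrecv_svn_port` (and the generic UDP if/node pair) or add a comment above them explaining why svnserve needs UDP.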
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
new file mode 100644
index 000000000..b660cfc3e
--- /dev/null
+++ b/policy/modules/services/sysstat.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/sysstat -- gen_context(system_u:object_r:sysstat_initrc_exec_t,s0)
+
+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+
+/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+
+/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
new file mode 100644
index 000000000..a00a0dd4e
--- /dev/null
+++ b/policy/modules/services/sysstat.if
@@ -0,0 +1,53 @@
+## <summary>Reports on various system states.</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sysstat log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_manage_log',`
+ gen_require(`
+ type sysstat_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sysstat environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_admin',`
+ gen_require(`
+ type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
+ ')
+
+ allow $1 sysstat_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sysstat_t)
+
+ init_startstop_service($1, $2, sysstat_t, sysstat_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, sysstat_log_t)
+')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
new file mode 100644
index 000000000..bfb44a335
--- /dev/null
+++ b/policy/modules/services/sysstat.te
@@ -0,0 +1,77 @@
+policy_module(sysstat, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type sysstat_t;
+type sysstat_exec_t;
+init_system_domain(sysstat_t, sysstat_exec_t)
+
+type sysstat_initrc_exec_t;
+init_script_file(sysstat_initrc_exec_t)
+
+type sysstat_log_t;
+logging_log_file(sysstat_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+
+can_exec(sysstat_t, sysstat_exec_t)
+
+kernel_read_system_state(sysstat_t)
+kernel_read_network_state(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
+
+corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
+
+dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
+dev_read_urand(sysstat_t)
+
+files_search_var(sysstat_t)
+files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
+
+fs_getattr_xattr_fs(sysstat_t)
+fs_list_inotifyfs(sysstat_t)
+
+term_use_console(sysstat_t)
+term_use_all_terms(sysstat_t)
+
+auth_use_nsswitch(sysstat_t)
+
+init_use_fds(sysstat_t)
+
+locallogin_use_fds(sysstat_t)
+
+logging_send_syslog_msg(sysstat_t)
+
+miscfiles_read_localization(sysstat_t)
+
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
+')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
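Review bot: The `distro_gentoo` ifdef block at the end of the file is redundant: `corecmd_exec_shell(sysstat_t)` is already granted unconditionally in the Local policy section, and `manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` already appears a few lines above it. The block can be removed outright, or if it is kept as a distro marker it should carry a comment saying what it is reserved for. Separately, `manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)` and `manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)` omit the spaces after commas that every other pattern call in the file uses; writing them as `manage_dirs_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` matches the surrounding style.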
diff --git a/policy/modules/services/systemtap.fc b/policy/modules/services/systemtap.fc
new file mode 100644
index 000000000..72cbadb8b
--- /dev/null
+++ b/policy/modules/services/systemtap.fc
@@ -0,0 +1,11 @@
+/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0)
+
+/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
+
+/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
+
+/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
+
+/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
+
+/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
diff --git a/policy/modules/services/systemtap.if b/policy/modules/services/systemtap.if
new file mode 100644
index 000000000..62520b334
--- /dev/null
+++ b/policy/modules/services/systemtap.if
@@ -0,0 +1,42 @@
+## <summary>instrumentation system for Linux.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an stapserver environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`stapserver_admin',`
+ gen_require(`
+ type stapserver_t, stapserver_conf_t, stapserver_log_t;
+ type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+ ')
+
+ allow $1 stapserver_t:process { ptrace signal_perms };
+ ps_process_pattern($1, stapserver_t)
+
+ init_startstop_service($1, $2, stapserver_t, stapserver_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, stapserver_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, stapserver_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, stapserver_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, stapserver_var_run_t)
+')
diff --git a/policy/modules/services/systemtap.te b/policy/modules/services/systemtap.te
new file mode 100644
index 000000000..c0ddb6377
--- /dev/null
+++ b/policy/modules/services/systemtap.te
@@ -0,0 +1,101 @@
+policy_module(systemtap, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type stapserver_t;
+type stapserver_exec_t;
+init_daemon_domain(stapserver_t, stapserver_exec_t)
+
+type stapserver_initrc_exec_t;
+init_script_file(stapserver_initrc_exec_t)
+
+type stapserver_conf_t;
+files_config_file(stapserver_conf_t)
+
+type stapserver_var_lib_t;
+files_type(stapserver_var_lib_t)
+
+type stapserver_log_t;
+logging_log_file(stapserver_log_t)
+
+type stapserver_var_run_t;
+files_pid_file(stapserver_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stapserver_t self:capability { dac_override kill setgid setuid };
+allow stapserver_t self:process { setrlimit setsched signal };
+allow stapserver_t self:fifo_file rw_fifo_file_perms;
+allow stapserver_t self:key write;
+allow stapserver_t self:unix_stream_socket { accept listen };
+allow stapserver_t self:tcp_socket create_stream_socket_perms;
+
+allow stapserver_t stapserver_conf_t:file read_file_perms;
+
+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
+
+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+
+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+
+kernel_read_kernel_sysctls(stapserver_t)
+kernel_read_system_state(stapserver_t)
+
+corecmd_exec_bin(stapserver_t)
+corecmd_exec_shell(stapserver_t)
+
+domain_read_all_domains_state(stapserver_t)
+
+dev_read_rand(stapserver_t)
+dev_read_sysfs(stapserver_t)
+dev_read_urand(stapserver_t)
+
+files_list_tmp(stapserver_t)
+files_read_usr_files(stapserver_t)
+files_search_kernel_modules(stapserver_t)
+
+auth_use_nsswitch(stapserver_t)
+
+init_read_utmp(stapserver_t)
+
+logging_send_audit_msgs(stapserver_t)
+logging_send_syslog_msg(stapserver_t)
+
+miscfiles_read_localization(stapserver_t)
+miscfiles_read_hwdata(stapserver_t)
+
+userdom_use_user_terminals(stapserver_t)
+
+optional_policy(`
+ consoletype_exec(stapserver_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(stapserver_t)
+')
+
+optional_policy(`
+ hostname_exec(stapserver_t)
+')
+
+optional_policy(`
+ plymouthd_exec_plymouth(stapserver_t)
+')
+
+optional_policy(`
+ rpm_exec(stapserver_t)
+')
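Review bot: The two filetrans calls `logging_log_filetrans(stapserver_t, stapserver_log_t, dir )` and `files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )` carry a stray space before the closing parenthesis, unlike `files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)` just above them; all three should be written the same way. The log-type rules are deliberately append/create/setattr rather than `manage_files_pattern`, which is the right shape for a log directory, but a comment such as `# log files are append-only; existing entries cannot be overwritten or removed` would keep a later contributor from "fixing" it to manage. The non-obvious `allow stapserver_t self:key write;` rule would also benefit from a comment naming which keyring operation it covers.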
diff --git a/policy/modules/services/tcpd.fc b/policy/modules/services/tcpd.fc
new file mode 100644
index 000000000..57fe2bf1a
--- /dev/null
+++ b/policy/modules/services/tcpd.fc
@@ -0,0 +1,3 @@
+/usr/bin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
+
+/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
new file mode 100644
index 000000000..9eb34fd0e
--- /dev/null
+++ b/policy/modules/services/tcpd.if
@@ -0,0 +1,46 @@
+## <summary>TCP daemon.</summary>
+
+########################################
+## <summary>
+## Execute tcpd in the tcpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tcpd_domtrans',`
+ gen_require(`
+ type tcpd_t, tcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+## <summary>
+## Create a domain for services that
+## utilize tcp wrappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`tcpd_wrapped_domain',`
+ gen_require(`
+ type tcpd_t;
+ role system_r;
+ ')
+
+ domtrans_pattern(tcpd_t, $2, $1)
+ role system_r types $1;
+')
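Review bot: The module summary `## <summary>TCP daemon.</summary>` does not describe tcpd, which is the TCP wrappers access-control program that `tcpd_wrapped_domain` and the `inetd_tcp_service_domain` declaration in tcpd.te treat it as. A summary like `## <summary>TCP wrappers access control program.</summary>` would be accurate and matches what the interface names already imply. In `tcpd_wrapped_domain` the `entry_point` parameter doc would also be clearer if it said the type is the wrapped service's executable, since the transition runs from `tcpd_t` into `$1` via `$2`.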
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
new file mode 100644
index 000000000..aa4585de0
--- /dev/null
+++ b/policy/modules/services/tcpd.te
@@ -0,0 +1,49 @@
+policy_module(tcpd, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
+corenet_tcp_sendrecv_generic_if(tcpd_t)
+corenet_tcp_sendrecv_generic_node(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+corecmd_search_bin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+files_dontaudit_search_var(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`
+ nis_use_ypbind(tcpd_t)
+')
diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
new file mode 100644
index 000000000..d69803346
--- /dev/null
+++ b/policy/modules/services/tcsd.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+
+/usr/bin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
new file mode 100644
index 000000000..5140a7d7e
--- /dev/null
+++ b/policy/modules/services/tcsd.if
@@ -0,0 +1,148 @@
+## <summary>TSS Core Services daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tcsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tcsd_domtrans',`
+ gen_require(`
+ type tcsd_t, tcsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tcsd_exec_t, tcsd_t)
+')
+
+########################################
+## <summary>
+## Execute tcsd init scripts in the
+## initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tcsd_initrc_domtrans',`
+ gen_require(`
+ type tcsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search tcsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_search_lib',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 tcsd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tcsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_dirs',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_read_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tcsd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tcsd_admin',`
+ gen_require(`
+ type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tcsd_t)
+
+ init_startstop_service($1, $2, tcsd_t, tcsd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, tcsd_var_lib_t)
+')
diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
new file mode 100644
index 000000000..6ad0cacba
--- /dev/null
+++ b/policy/modules/services/tcsd.te
@@ -0,0 +1,55 @@
+policy_module(tcsd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+type tcsd_initrc_exec_t;
+init_script_file(tcsd_initrc_exec_t)
+
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, dir)
+
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_all_recvfrom_netlabel(tcsd_t)
+corenet_tcp_sendrecv_generic_if(tcsd_t)
+corenet_tcp_sendrecv_generic_node(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+
+corenet_sendrecv_tcs_server_packets(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+corenet_tcp_sendrecv_tcs_port(tcsd_t)
+
+dev_read_urand(tcsd_t)
+dev_rw_tpm(tcsd_t)
+
+files_read_usr_files(tcsd_t)
+
+auth_use_nsswitch(tcsd_t)
+
+init_read_utmp(tcsd_t)
+
+logging_send_syslog_msg(tcsd_t)
+
+miscfiles_read_localization(tcsd_t)
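Review bot: `allow tcsd_t self:tcp_socket { accept listen };` is the only local socket rule, yet the domain is expected to create and bind a listener (`corenet_tcp_bind_generic_node` and `corenet_tcp_bind_tcs_port` below); the create/bind permissions are presumably inherited via `auth_use_nsswitch(tcsd_t)`, an easy dependency to break if that call is later removed. A comment on the allow line, e.g. `# socket create/bind come via auth_use_nsswitch; only listen/accept are added here`, would record that, or the rule could be made self-contained with `create_stream_socket_perms` as svnserve.te does. Since `dev_rw_tpm(tcsd_t)` gives this domain direct TPM device access, a note in the declarations that `tcsd_var_lib_t` covers the TSS persistent storage under `/var/lib/tpm` (per tcsd.fc) would help reviewers judge the `manage_*` rules on that type.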
diff --git a/policy/modules/services/telnet.fc b/policy/modules/services/telnet.fc
new file mode 100644
index 000000000..05d4726c7
--- /dev/null
+++ b/policy/modules/services/telnet.fc
@@ -0,0 +1,5 @@
+/usr/bin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
new file mode 100644
index 000000000..42a17ca37
--- /dev/null
+++ b/policy/modules/services/telnet.if
@@ -0,0 +1,20 @@
+## <summary>Telnet daemon.</summary>
+
+########################################
+## <summary>
+## Read and write telnetd pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telnet_use_ptys',`
+ gen_require(`
+ type telnetd_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 telnetd_devpts_t:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
new file mode 100644
index 000000000..76e257b5f
--- /dev/null
+++ b/policy/modules/services/telnet.te
@@ -0,0 +1,103 @@
+policy_module(telnet, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t, telnetd_exec_t)
+init_daemon_domain(telnetd_t, telnetd_exec_t)
+
+type telnetd_devpts_t;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_keytab_t;
+files_type(telnetd_keytab_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
+allow telnetd_t self:tcp_socket { accept listen };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(telnetd_t, telnetd_devpts_t)
+
+allow telnetd_t telnetd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
+corenet_tcp_sendrecv_generic_if(telnetd_t)
+corenet_tcp_sendrecv_generic_node(telnetd_t)
+
+corenet_sendrecv_telnetd_server_packets(telnetd_t)
+corenet_tcp_bind_telnetd_port(telnetd_t)
+corenet_tcp_sendrecv_telnetd_port(telnetd_t)
+
+corecmd_search_bin(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+domain_interactive_fd(telnetd_t)
+
+files_read_usr_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+files_search_home(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+auth_use_nsswitch(telnetd_t)
+
+init_rw_utmp(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_read_config(telnetd_t)
+
+userdom_search_user_home_dirs(telnetd_t)
+userdom_setattr_user_ptys(telnetd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(telnetd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(telnetd_t)
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ kerberos_manage_host_rcache(telnetd_t)
+ kerberos_use(telnetd_t)
+')
+
+optional_policy(`
+ remotelogin_domtrans(telnetd_t)
+')
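Review bot: `telnetd_keytab_t` is declared with `files_type` and read via `allow telnetd_t telnetd_keytab_t:file read_file_perms;`, but telnet.fc in this commit labels only the three `in.telnetd`/`telnetd` executables, so nothing receives the keytab type by default and the rule is unreachable unless an administrator relabels a keytab by hand. Either an fc entry for the telnet keytab location or a comment on the declaration such as `# no default fc entry; administrators label the telnetd keytab explicitly` would make the intent visible. The `kerberos_read_keytab(telnetd_t)` call in the optional block already covers the generic keytab type, so the private type may be a leftover worth confirming.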
diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc
new file mode 100644
index 000000000..dbd7f2a87
--- /dev/null
+++ b/policy/modules/services/tftp.fc
@@ -0,0 +1,13 @@
+/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+
+/usr/bin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/bin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/bin/tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
new file mode 100644
index 000000000..b32fa3c08
--- /dev/null
+++ b/policy/modules/services/tftp.if
@@ -0,0 +1,183 @@
+## <summary>Trivial file transfer protocol daemon.</summary>
+
+########################################
+## <summary>
+## Read tftp content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 tftpdir_t:dir list_dir_perms;
+ allow $1 tftpdir_t:file read_file_perms;
+ allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tftp rw content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 tftpdir_rw_t:dir manage_dir_perms;
+ allow $1 tftpdir_rw_t:file manage_file_perms;
+ allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read tftpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_read_config_files',`
+ gen_require(`
+ type tftpd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tftpd_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tftpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_config_files',`
+ gen_require(`
+ type tftpd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tftpd_conf_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in etc directories
+## with tftp conf type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`tftp_etc_filetrans_config',`
+ gen_require(`
+ type tftpd_conf_t;
+ ')
+
+ files_etc_filetrans($1, tftpd_conf_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in tftpdir directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`tftp_filetrans_tftpdir',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tftp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ type tftpd_conf_t;
+ ')
+
+ allow $1 tftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tftpd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, tftpd_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { tftpdir_t tftpdir_rw_t })
+
+ files_list_pids($1)
+ admin_pattern($1, tftpd_var_run_t)
+')
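Review bot: `tftp_read_content` pairs `files_search_var_lib($1)` with `tftpdir_t`, but tftp.fc in this commit places `tftpdir_t` at `/tftpboot` directly under the root, and only `tftpdir_rw_t` lives under `/var/lib/tftpboot`; the search grant is harmless but misleading about where the read-only content is found, and a comment or its removal would clarify that. `tftp_admin` uses `files_list_pids($1)` where the other `*_admin` interfaces in this commit use `files_search_pids($1)`; `search` is all that `admin_pattern($1, tftpd_var_run_t)` needs to reach the pid files. The omission of `init_startstop_service` in `tftp_admin` is consistent with the `unused="true"` role parameter and the absence of an initrc type in tftp.te, so that part is fine as written.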
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
new file mode 100644
index 000000000..add997025
--- /dev/null
+++ b/policy/modules/services/tftp.te
@@ -0,0 +1,140 @@
+policy_module(tftp, 1.14.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tftp can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(tftp_anon_write, false)
+
+## <desc>
+## <p>
+## Determine whether tftp can manage
+## generic user home content.
+## </p>
+## </desc>
+gen_tunable(tftp_enable_homedir, false)
+
+type tftpd_t;
+type tftpd_exec_t;
+init_daemon_domain(tftpd_t, tftpd_exec_t)
+
+type tftpd_conf_t;
+files_config_file(tftpd_conf_t)
+
+type tftpd_var_run_t;
+files_pid_file(tftpd_var_run_t)
+
+type tftpdir_t;
+files_type(tftpdir_t)
+
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tftpd_t self:capability { setgid setuid sys_chroot };
+dontaudit tftpd_t self:capability sys_tty_config;
+allow tftpd_t self:tcp_socket { accept listen };
+allow tftpd_t self:unix_stream_socket { accept listen };
+
+allow tftpd_t tftpd_conf_t:file read_file_perms;
+
+allow tftpd_t tftpdir_t:dir list_dir_perms;
+allow tftpd_t tftpdir_t:file read_file_perms;
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
+manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
+files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+
+kernel_read_system_state(tftpd_t)
+kernel_read_kernel_sysctls(tftpd_t)
+
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_udp_bind_generic_node(tftpd_t)
+
+corenet_sendrecv_tftp_server_packets(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_udp_sendrecv_tftp_port(tftpd_t)
+
+dev_read_sysfs(tftpd_t)
+
+domain_use_interactive_fds(tftpd_t)
+
+files_read_etc_runtime_files(tftpd_t)
+files_read_var_files(tftpd_t)
+files_read_var_symlinks(tftpd_t)
+files_search_var(tftpd_t)
+
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
+auth_use_nsswitch(tftpd_t)
+
+logging_send_syslog_msg(tftpd_t)
+
+miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
+
+tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
+
+tunable_policy(`tftp_enable_homedir',`
+ allow tftpd_t self:capability { dac_override dac_read_search };
+
+ files_list_home(tftpd_t)
+ userdom_manage_user_home_content_dirs(tftpd_t)
+ userdom_manage_user_home_content_files(tftpd_t)
+ userdom_manage_user_home_content_symlinks(tftpd_t)
+')
+
+tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tftpd_t)
+ fs_manage_nfs_files(tftpd_t)
+ fs_read_nfs_symlinks(tftpd_t)
+')
+
+tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tftpd_t)
+ fs_manage_cifs_files(tftpd_t)
+ fs_read_cifs_symlinks(tftpd_t)
+')
+
+optional_policy(`
+ cobbler_read_lib_files(tftpd_t)
+')
+
+optional_policy(`
+ inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(tftpd_t)
+')
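Review bot: `userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })` is granted unconditionally, while every other home-directory permission for `tftpd_t` (the `dac_override dac_read_search` capabilities, `files_list_home` and the `userdom_manage_user_home_content_*` calls) sits inside the `tftp_enable_homedir` tunable. A type transition without the matching create permission is inert, but it documents the wrong default and silently becomes live if home access is later added outside the tunable; moving the line into the `tftp_enable_homedir` block keeps all home-directory policy behind the boolean. Also, `dac_read_search` already covers reading and searching, so `dac_override` in that block is only needed for writes to files tftpd does not own, which the manage rules suggest is intended; a short comment stating that would make the capability grant reviewable.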
diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc
new file mode 100644
index 000000000..1989d0909
--- /dev/null
+++ b/policy/modules/services/tgtd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+
+/usr/bin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+
+/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
new file mode 100644
index 000000000..3056b2edf
--- /dev/null
+++ b/policy/modules/services/tgtd.if
@@ -0,0 +1,99 @@
+## <summary>Linux Target Framework Daemon.</summary>
+
+#####################################
+## <summary>
+## Read and write tgtd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_rw_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem rw_sem_perms;
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## tgtd sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_manage_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem create_sem_perms;
+')
+
+######################################
+## <summary>
+## Connect to tgtd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_stream_connect',`
+ gen_require(`
+ type tgtd_t, tgtd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tgtd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tgtd_admin',`
+ gen_require(`
+ type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t;
+ type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t;
+ ')
+
+ allow $1 tgtd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tgtd_t)
+
+ init_startstop_service($1, $2, tgtd_t, tgtd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, tgtd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, tgtd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, tgtd_tmp_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, tgtd_tmpfs_t)
+')
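Review bot: The summary of tgtd_manage_semaphores misspells "semaphores" as "sempaphores"; change that line to `## tgtd semaphores.`. The tgtd_admin summary reads "administrate an tgtd environment", which should be `## administrate a tgtd environment.`; the same article slip appears in the admin interface summaries of tor.if, transproxy.if, tuned.if and ulogd.if in this commit and can be fixed the same way.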
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
new file mode 100644
index 000000000..c0f740098
--- /dev/null
+++ b/policy/modules/services/tgtd.te
@@ -0,0 +1,87 @@
+policy_module(tgtd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+type tgtd_var_run_t;
+files_pid_file(tgtd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:capability2 block_suspend;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file)
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+
+kernel_read_system_state(tgtd_t)
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+
+corenet_sendrecv_iscsi_client_packets(tgtd_t)
+corenet_tcp_connect_isns_port(tgtd_t)
+
+dev_read_sysfs(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+fs_read_anon_inodefs_files(tgtd_t)
+
+storage_manage_fixed_disk(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
+
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
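Review bot: `storage_manage_fixed_disk(tgtd_t)` grants read/write on every fixed-disk device node without a comment saying why; presumably the iSCSI target exports block devices as backing stores, but that should be stated next to the rule, e.g. `# backing stores may be raw block devices`. It is worth considering whether deployments that only use file-backed stores under tgtd_var_lib_t could have this gated behind a tunable rather than granted unconditionally. Separately, the four tgtd_var_run_t pattern lines omit the space after the comma (`tgtd_var_run_t,tgtd_var_run_t`, `tgtd_t,tgtd_var_run_t`) while the rest of the file writes `, `; make them consistent.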
diff --git a/policy/modules/services/timidity.fc b/policy/modules/services/timidity.fc
new file mode 100644
index 000000000..1c703ecb7
--- /dev/null
+++ b/policy/modules/services/timidity.fc
@@ -0,0 +1 @@
+/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0)
diff --git a/policy/modules/services/timidity.if b/policy/modules/services/timidity.if
new file mode 100644
index 000000000..b6ff6dc7b
--- /dev/null
+++ b/policy/modules/services/timidity.if
@@ -0,0 +1 @@
+## <summary>MIDI to WAV converter and player configured as a service.</summary>
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
new file mode 100644
index 000000000..97cd15589
--- /dev/null
+++ b/policy/modules/services/timidity.te
@@ -0,0 +1,75 @@
+policy_module(timidity, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type timidity_t;
+type timidity_exec_t;
+init_daemon_domain(timidity_t, timidity_exec_t)
+application_executable_file(timidity_exec_t)
+
+type timidity_tmpfs_t;
+files_tmpfs_file(timidity_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow timidity_t self:capability { dac_override dac_read_search };
+dontaudit timidity_t self:capability sys_tty_config;
+allow timidity_t self:process { signal_perms getsched };
+allow timidity_t self:shm create_shm_perms;
+allow timidity_t self:unix_stream_socket { accept listen };
+allow timidity_t self:tcp_socket create_stream_socket_perms;
+allow timidity_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(timidity_t)
+kernel_read_system_state(timidity_t)
+
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
+corenet_tcp_sendrecv_generic_if(timidity_t)
+corenet_udp_sendrecv_generic_if(timidity_t)
+corenet_tcp_sendrecv_generic_node(timidity_t)
+corenet_udp_sendrecv_generic_node(timidity_t)
+corenet_tcp_sendrecv_all_ports(timidity_t)
+corenet_udp_sendrecv_all_ports(timidity_t)
+
+dev_read_sysfs(timidity_t)
+dev_read_sound(timidity_t)
+dev_write_sound(timidity_t)
+
+domain_use_interactive_fds(timidity_t)
+
+files_read_etc_files(timidity_t)
+files_read_usr_files(timidity_t)
+files_search_tmp(timidity_t)
+
+fs_search_auto_mountpoints(timidity_t)
+
+libs_read_lib_files(timidity_t)
+
+logging_send_syslog_msg(timidity_t)
+
+sysnet_read_config(timidity_t)
+
+userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+userdom_search_user_home_dirs(timidity_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(timidity_t)
+')
+
+optional_policy(`
+ udev_read_db(timidity_t)
+')
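Review bot: `corenet_tcp_sendrecv_all_ports(timidity_t)` and `corenet_udp_sendrecv_all_ports(timidity_t)` are the broadest port rules available, yet nothing in this hunk lets timidity_t bind or connect to any port (there is no `corenet_*_bind_generic_node` or `corenet_*_connect_*` call), so either these rules are dead or the listen/connect rule they support lives outside this file. If the daemon listens on a known port, narrow the pair to that port's bind and sendrecv interfaces together with `corenet_tcp_bind_generic_node(timidity_t)`; if no network use is expected, drop them. The `dac_override dac_read_search` capabilities on the first allow line also deserve a comment naming the files they are needed for, since they bypass DAC checks for the whole domain.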
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
new file mode 100644
index 000000000..5c9507130
--- /dev/null
+++ b/policy/modules/services/tor.fc
@@ -0,0 +1,15 @@
+/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
+
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
+/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
+
+/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
+/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
+
+/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
new file mode 100644
index 000000000..f2fc7a720
--- /dev/null
+++ b/policy/modules/services/tor.if
@@ -0,0 +1,61 @@
+## <summary>The onion router.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tor_domtrans',`
+ gen_require(`
+ type tor_t, tor_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tor_exec_t, tor_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tor environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tor_t)
+
+ init_startstop_service($1, $2, tor_t, tor_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, tor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, tor_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, tor_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
+')
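Review bot: tor_admin passes only tor_initrc_exec_t to init_startstop_service even though tor.te declares tor_unit_t for the unit files labelled in tor.fc, so an admin role obtains the init script but not the systemd unit. If init_startstop_service accepts the optional unit-file argument in this tree, add `type tor_unit_t;` to the gen_require block and change the call to `init_startstop_service($1, $2, tor_t, tor_initrc_exec_t, tor_unit_t)`.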
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
new file mode 100644
index 000000000..8029630f0
--- /dev/null
+++ b/policy/modules/services/tor.te
@@ -0,0 +1,124 @@
+policy_module(tor, 1.14.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tor can bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(tor_bind_all_unreserved_ports, false)
+
+type tor_t;
+type tor_exec_t;
+init_daemon_domain(tor_t, tor_exec_t)
+
+type tor_etc_t;
+files_config_file(tor_etc_t)
+
+type tor_initrc_exec_t;
+init_script_file(tor_initrc_exec_t)
+
+type tor_unit_t;
+init_unit_file(tor_unit_t)
+
+type tor_var_lib_t;
+files_type(tor_var_lib_t)
+
+type tor_var_log_t;
+logging_log_file(tor_var_log_t)
+
+type tor_var_run_t;
+files_pid_file(tor_var_run_t)
+init_daemon_pid_file(tor_var_run_t, dir, "tor")
+
+########################################
+#
+# Local policy
+#
+
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
+allow tor_t self:process signal;
+allow tor_t self:fifo_file rw_fifo_file_perms;
+allow tor_t self:unix_stream_socket { accept listen };
+allow tor_t self:tcp_socket { accept listen };
+
+allow tor_t tor_etc_t:dir list_dir_perms;
+allow tor_t tor_etc_t:file read_file_perms;
+allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+allow tor_t tor_var_lib_t:file map;
+manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
+
+allow tor_t tor_var_log_t:dir setattr_dir_perms;
+append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+
+manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(tor_t)
+kernel_read_net_sysctls(tor_t)
+kernel_read_system_state(tor_t)
+
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
+corenet_tcp_sendrecv_generic_if(tor_t)
+corenet_udp_sendrecv_generic_if(tor_t)
+corenet_tcp_sendrecv_generic_node(tor_t)
+corenet_udp_sendrecv_generic_node(tor_t)
+corenet_tcp_bind_generic_node(tor_t)
+corenet_udp_bind_generic_node(tor_t)
+
+corenet_sendrecv_dns_server_packets(tor_t)
+corenet_udp_bind_dns_port(tor_t)
+corenet_udp_sendrecv_dns_port(tor_t)
+
+corenet_sendrecv_tor_server_packets(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_tcp_sendrecv_tor_port(tor_t)
+
+corenet_sendrecv_all_client_packets(tor_t)
+corenet_tcp_connect_all_ports(tor_t)
+corenet_tcp_connect_all_reserved_ports(tor_t)
+corenet_tcp_sendrecv_all_ports(tor_t)
+corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+
+dev_read_sysfs(tor_t)
+dev_read_urand(tor_t)
+
+domain_use_interactive_fds(tor_t)
+
+files_read_etc_runtime_files(tor_t)
+files_read_usr_files(tor_t)
+
+fs_search_tmpfs(tor_t)
+
+auth_use_nsswitch(tor_t)
+
+logging_send_syslog_msg(tor_t)
+
+miscfiles_read_localization(tor_t)
+
+tunable_policy(`tor_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(tor_t)
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+')
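Review bot: The capability set on the first allow line of the local policy (`chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config`) has no rationale comment, while the `net_admin` dontaudit right below it does. dac_override and dac_read_search in particular bypass file permission checks for the whole domain; a comment naming the operation that needs each (for example the privilege drop and ownership fixups on its data and log directories, if that is the case) lets a later reviewer judge whether they are still required. The same applies to the capability lines in tuned.te (`sys_admin sys_nice`) and ulogd.te (`net_admin setgid setuid sys_nice`) in this commit.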
diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc
new file mode 100644
index 000000000..ce0eb7d6a
--- /dev/null
+++ b/policy/modules/services/transproxy.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/transproxy -- gen_context(system_u:object_r:transproxy_initrc_exec_t,s0)
+
+/usr/bin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
+/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
+/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if
new file mode 100644
index 000000000..946881b3d
--- /dev/null
+++ b/policy/modules/services/transproxy.if
@@ -0,0 +1,32 @@
+## <summary>Portable Transparent Proxy Solution.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an transproxy environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`transproxy_admin',`
+ gen_require(`
+ type transproxy_t, transproxy_initrc_exec_t, transproxy_var_run_t;
+ ')
+
+ allow $1 transproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, transproxy_t)
+
+ init_startstop_service($1, $2, transproxy_t, transproxy_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, transproxy_var_run_t)
+')
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
new file mode 100644
index 000000000..f267800ca
--- /dev/null
+++ b/policy/modules/services/transproxy.te
@@ -0,0 +1,69 @@
+policy_module(transproxy, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type transproxy_t;
+type transproxy_exec_t;
+init_daemon_domain(transproxy_t, transproxy_exec_t)
+
+type transproxy_initrc_exec_t;
+init_script_file(transproxy_initrc_exec_t)
+
+type transproxy_var_run_t;
+files_pid_file(transproxy_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow transproxy_t self:capability { setgid setuid };
+dontaudit transproxy_t self:capability sys_tty_config;
+allow transproxy_t self:process signal_perms;
+allow transproxy_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t)
+files_pid_filetrans(transproxy_t, transproxy_var_run_t, file)
+
+kernel_read_kernel_sysctls(transproxy_t)
+kernel_list_proc(transproxy_t)
+kernel_read_proc_symlinks(transproxy_t)
+
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
+corenet_tcp_sendrecv_generic_if(transproxy_t)
+corenet_tcp_sendrecv_generic_node(transproxy_t)
+corenet_tcp_bind_generic_node(transproxy_t)
+
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
+corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_tcp_sendrecv_transproxy_port(transproxy_t)
+
+dev_read_sysfs(transproxy_t)
+
+domain_use_interactive_fds(transproxy_t)
+
+files_read_etc_files(transproxy_t)
+
+fs_getattr_all_fs(transproxy_t)
+fs_search_auto_mountpoints(transproxy_t)
+
+logging_send_syslog_msg(transproxy_t)
+
+miscfiles_read_localization(transproxy_t)
+
+sysnet_read_config(transproxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(transproxy_t)
+')
+
+optional_policy(`
+ udev_read_db(transproxy_t)
+')
diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc
new file mode 100644
index 000000000..21ea12951
--- /dev/null
+++ b/policy/modules/services/tuned.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+
+/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
+/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
+
+/usr/bin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
+
+/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
+/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
new file mode 100644
index 000000000..5ca6fa59a
--- /dev/null
+++ b/policy/modules/services/tuned.if
@@ -0,0 +1,135 @@
+## <summary>Dynamic adaptive system tuning daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tuned_domtrans',`
+ gen_require(`
+ type tuned_t, tuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tuned_exec_t, tuned_t)
+')
+
+#######################################
+## <summary>
+## Execute tuned in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_exec',`
+ gen_require(`
+ type tuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tuned_exec_t)
+')
+
+######################################
+## <summary>
+## Read tuned pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_read_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## tuned pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_manage_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute tuned init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tuned_initrc_domtrans',`
+ gen_require(`
+ type tuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tuned environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tuned_admin',`
+ gen_require(`
+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+ type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
+ ')
+
+ allow $1 tuned_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tuned_t)
+
+ init_startstop_service($1, $2, tuned_t, tuned_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, tuned_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
new file mode 100644
index 000000000..f853dff3b
--- /dev/null
+++ b/policy/modules/services/tuned.te
@@ -0,0 +1,98 @@
+policy_module(tuned, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type tuned_t;
+type tuned_exec_t;
+init_daemon_domain(tuned_t, tuned_exec_t)
+
+type tuned_initrc_exec_t;
+init_script_file(tuned_initrc_exec_t)
+
+type tuned_etc_t;
+files_config_file(tuned_etc_t)
+
+type tuned_rw_etc_t;
+files_config_file(tuned_rw_etc_t)
+
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
+type tuned_var_run_t;
+files_pid_file(tuned_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tuned_t self:capability { sys_admin sys_nice };
+dontaudit tuned_t self:capability { dac_override sys_tty_config };
+allow tuned_t self:process { setsched signal };
+allow tuned_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+
+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
+
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
+manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+
+kernel_read_system_state(tuned_t)
+kernel_read_network_state(tuned_t)
+kernel_read_kernel_sysctls(tuned_t)
+kernel_request_load_module(tuned_t)
+kernel_rw_kernel_sysctl(tuned_t)
+kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_vm_sysctls(tuned_t)
+
+corecmd_exec_bin(tuned_t)
+corecmd_exec_shell(tuned_t)
+
+dev_getattr_all_blk_files(tuned_t)
+dev_getattr_all_chr_files(tuned_t)
+dev_read_urand(tuned_t)
+dev_rw_sysfs(tuned_t)
+dev_rw_netcontrol(tuned_t)
+
+files_read_usr_files(tuned_t)
+files_dontaudit_search_home(tuned_t)
+files_dontaudit_list_tmp(tuned_t)
+
+fs_getattr_xattr_fs(tuned_t)
+
+logging_send_syslog_msg(tuned_t)
+
+miscfiles_read_localization(tuned_t)
+
+udev_read_pid_files(tuned_t)
+
+userdom_dontaudit_search_user_home_dirs(tuned_t)
+
+optional_policy(`
+ fstools_domtrans(tuned_t)
+')
+
+optional_policy(`
+ mount_domtrans(tuned_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(tuned_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(tuned_t)
+')
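Review bot: `exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)` makes everything labelled tuned_etc_t executable by a domain that also holds sys_admin, writes kernel, hotplug and vm sysctls and has corecmd_exec_shell, so the configuration directory is effectively code for a highly privileged domain. That is presumably how tuned profile scripts work, but it should be stated next to the rule, e.g. `# profiles contain scripts that tuned executes`, and the tuned_admin interface documentation should note that write access to tuned_etc_t is equivalent to running code with these capabilities. Keeping the writable part confined to tuned_rw_etc_t via `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` is the right shape; the comment just needs to make the trust boundary explicit.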
diff --git a/policy/modules/services/ucspitcp.fc b/policy/modules/services/ucspitcp.fc
new file mode 100644
index 000000000..f2b4e91ec
--- /dev/null
+++ b/policy/modules/services/ucspitcp.fc
@@ -0,0 +1,2 @@
+/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
new file mode 100644
index 000000000..b729778ed
--- /dev/null
+++ b/policy/modules/services/ucspitcp.if
@@ -0,0 +1,29 @@
+## <summary>UNIX Client-Server Program Interface for TCP.</summary>
+
+########################################
+## <summary>
+## Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`ucspitcp_service_domain',`
+ gen_require(`
+ type ucspitcp_t;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(ucspitcp_t, $2, $1)
+')
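Review bot: The `domain` parameter of ucspitcp_service_domain is documented as "Domain allowed access", but $1 is the type this interface turns into a domain (domain_type, domain_entry_file, role assignment), not a caller being granted access. Change that summary to `## Domain to be defined as a ucspitcp service.` so readers do not mistake it for a grant interface. The `role system_r types $1;` line also pins every ucspitcp service to system_r, which is not obvious from the interface name and merits a short comment.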
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
new file mode 100644
index 000000000..7745b72e6
--- /dev/null
+++ b/policy/modules/services/ucspitcp.te
@@ -0,0 +1,93 @@
+policy_module(ucspitcp, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t, ucspitcp_exec_t)
+
+########################################
+#
+# Smtpd local policy
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
+corenet_udp_sendrecv_generic_if(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_node(rblsmtpd_t)
+corenet_udp_sendrecv_generic_node(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_tcp_bind_generic_node(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Tcp local policy
+#
+
+allow ucspitcp_t self:capability { setgid setuid };
+allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+allow ucspitcp_t self:udp_socket create_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
+corenet_tcp_sendrecv_generic_if(ucspitcp_t)
+corenet_udp_sendrecv_generic_if(ucspitcp_t)
+corenet_tcp_sendrecv_generic_node(ucspitcp_t)
+corenet_udp_sendrecv_generic_node(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_tcp_bind_generic_node(ucspitcp_t)
+corenet_udp_bind_generic_node(ucspitcp_t)
+
+corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+
+corenet_sendrecv_ftp_data_server_packets(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+
+corenet_sendrecv_http_server_packets(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+
+corenet_sendrecv_smtp_server_packets(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+
+corenet_sendrecv_dns_server_packets(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+
+corenet_sendrecv_generic_server_packets(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+files_read_etc_files(ucspitcp_t)
+files_search_var(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+')
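Review bot: `corenet_udp_bind_generic_port(rblsmtpd_t)` is not paired with `corenet_udp_bind_generic_node(rblsmtpd_t)`, and the hunk grants rblsmtpd_t no `self:udp_socket` permissions at all, so unless init_system_domain supplies them this UDP bind can never succeed and the rule is either dead or incomplete; compare the ucspitcp_t block, which has both the node bind and the socket class. If rblsmtpd only needs to query DNS blocklists, a client-side `sysnet_dns_name_resolve(rblsmtpd_t)` is probably what was intended rather than a UDP bind. The section header `# Smtpd local policy` also mislabels the rblsmtpd block; `# Rblsmtpd local policy` matches the type name.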
diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
new file mode 100644
index 000000000..ca27a1d22
--- /dev/null
+++ b/policy/modules/services/ulogd.fc
@@ -0,0 +1,11 @@
+/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+
+/usr/bin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+
+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
new file mode 100644
index 000000000..290eb1b40
--- /dev/null
+++ b/policy/modules/services/ulogd.if
@@ -0,0 +1,139 @@
+## <summary>Iptables/netfilter userspace logging daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+ gen_require(`
+ type ulogd_t, ulogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ulogd_exec_t, ulogd_t)
+')
+
+########################################
+## <summary>
+## Read ulogd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_config',`
+ gen_require(`
+ type ulogd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+## Read ulogd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+#######################################
+## <summary>
+## Search ulogd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ulogd_search_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Append to ulogd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_append_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ulogd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+ gen_require(`
+ type ulogd_t, ulogd_etc_t, ulogd_modules_t;
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ ')
+
+ allow $1 ulogd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ulogd_t)
+
+ init_startstop_service($1, $2, ulogd_t, ulogd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ulogd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ulogd_var_log_t)
+
+ files_list_usr($1)
+ admin_pattern($1, ulogd_modules_t)
+')
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
new file mode 100644
index 000000000..18779e5dc
--- /dev/null
+++ b/policy/modules/services/ulogd.te
@@ -0,0 +1,60 @@
+policy_module(ulogd, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+type ulogd_etc_t;
+files_config_file(ulogd_etc_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
+allow ulogd_t self:process setsched;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_socket create_socket_perms;
+allow ulogd_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_exec_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+files_read_etc_files(ulogd_t)
+files_read_usr_files(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
+
+sysnet_dns_name_resolve(ulogd_t)
+
+optional_policy(`
+ mysql_stream_connect(ulogd_t)
+ mysql_tcp_connect(ulogd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(ulogd_t)
+ postgresql_tcp_connect(ulogd_t)
+')
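Review bot: `allow ulogd_t self:netlink_socket create_socket_perms;` sits next to the `netlink_nflog_socket` rule without a comment saying which netlink protocol the generic class is covering. If it is there for nfnetlink (NETLINK_NETFILTER, what the NFLOG/NFCT input plugins use) on kernels without the extended socket classes, a matching `netlink_netfilter_socket` rule will presumably be needed once the `extended_socket_class` policy capability is in effect; please confirm and record it, e.g. `# nfnetlink (NFLOG/NFCT); generic netlink_socket is the pre-extended_socket_class fallback`. The `net_admin` capability in the first allow rule also warrants a one-line justification. The plugin directory type `ulogd_modules_t` is correctly limited to `list_dirs_pattern` plus `mmap_exec_files_pattern`; a comment such as `# plugins are dlopen'ed: never grant the daemon write access to ulogd_modules_t` would make that intent explicit for future edits.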
diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc
new file mode 100644
index 000000000..535dda0b4
--- /dev/null
+++ b/policy/modules/services/uptime.fc
@@ -0,0 +1,11 @@
+/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0)
+
+/etc/rc\.d/init\.d/uptimed -- gen_context(system_u:object_r:uptimed_initrc_exec_t,s0)
+
+/usr/bin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
+/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
+/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)
+
+/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if
new file mode 100644
index 000000000..ce3bc3b9f
--- /dev/null
+++ b/policy/modules/services/uptime.if
@@ -0,0 +1,39 @@
+## <summary>Daemon to record and keep track of system up times.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an uptime environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uptime_admin',`
+ gen_require(`
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
+ type uptimed_spool_t, uptimed_var_run_t;
+ ')
+
+ allow $1 uptimed_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uptimed_t)
+
+ init_startstop_service($1, $2, uptimed_t, uptimed_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, uptimed_etc_t)
+
+ files_search_spool($1)
+ admin_pattern($1, uptimed_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, uptimed_var_run_t)
+')
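Review bot: `uptime_admin` pairs each `admin_pattern` with `files_search_etc($1)`, `files_search_spool($1)` and `files_search_pids($1)`, whereas the sibling admin interfaces in this commit (`ulogd_admin`, `uucp_admin`, `varnishd_admin`) use the `files_list_*` forms, so an uptimed administrator can traverse but not enumerate the parent directories of the types being managed. `uuidd_admin` later in this commit has the same search-only shape. Picking one convention, `files_list_etc($1)`, `files_list_spool($1)`, `files_list_pids($1)` here, keeps the admin interfaces predictable for role authors.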
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
new file mode 100644
index 000000000..c131e543c
--- /dev/null
+++ b/policy/modules/services/uptime.te
@@ -0,0 +1,73 @@
+policy_module(uptime, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type uptimed_t;
+type uptimed_exec_t;
+init_daemon_domain(uptimed_t, uptimed_exec_t)
+
+type uptimed_etc_t alias etc_uptimed_t;
+files_config_file(uptimed_etc_t)
+
+type uptimed_initrc_exec_t;
+init_script_file(uptimed_initrc_exec_t)
+
+type uptimed_spool_t;
+files_type(uptimed_spool_t)
+
+type uptimed_var_run_t;
+files_pid_file(uptimed_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uptimed_t self:capability sys_tty_config;
+allow uptimed_t self:process signal_perms;
+allow uptimed_t self:fifo_file rw_fifo_file_perms;
+
+allow uptimed_t uptimed_etc_t:file read_file_perms;
+
+manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t)
+files_pid_filetrans(uptimed_t, uptimed_var_run_t, file)
+
+manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file })
+
+kernel_read_system_state(uptimed_t)
+kernel_read_kernel_sysctls(uptimed_t)
+
+corecmd_exec_shell(uptimed_t)
+
+dev_read_sysfs(uptimed_t)
+
+domain_use_interactive_fds(uptimed_t)
+
+files_read_etc_runtime_files(uptimed_t)
+
+fs_getattr_all_fs(uptimed_t)
+fs_search_auto_mountpoints(uptimed_t)
+
+logging_send_syslog_msg(uptimed_t)
+
+miscfiles_read_localization(uptimed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
+
+optional_policy(`
+ mta_send_mail(uptimed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(uptimed_t)
+')
+
+optional_policy(`
+ udev_read_db(uptimed_t)
+')
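Review bot: `corecmd_exec_shell(uptimed_t)` has no why-comment, and a daemon whose job is recording uptimes being allowed to run a shell is exactly the rule a later audit will question. A comment such as `# uptimed runs a configurable command/mail hook on milestones -- confirm` next to it (and the `mta_send_mail` optional block) would record the intent, and if the hook is only the mail path the shell rule may be droppable in favour of the mta interface alone. `type uptimed_etc_t alias etc_uptimed_t;` likewise deserves `# alias kept for compatibility with policies that used the old name`.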
diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc
new file mode 100644
index 000000000..dd949dde1
--- /dev/null
+++ b/policy/modules/services/usbmuxd.fc
@@ -0,0 +1,5 @@
+/usr/bin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if
new file mode 100644
index 000000000..1ec5e996b
--- /dev/null
+++ b/policy/modules/services/usbmuxd.if
@@ -0,0 +1,40 @@
+## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run usbmuxd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#####################################
+## <summary>
+## Connect to usbmuxd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
new file mode 100644
index 000000000..32036a2e5
--- /dev/null
+++ b/policy/modules/services/usbmuxd.te
@@ -0,0 +1,43 @@
+policy_module(usbmuxd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usbmuxd_roles;
+roleattribute system_r usbmuxd_roles;
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+role usbmuxd_roles types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { signal signull };
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_kernel_sysctls(usbmuxd_t)
+kernel_read_system_state(usbmuxd_t)
+
+dev_read_sysfs(usbmuxd_t)
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
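Review bot: `allow usbmuxd_t self:capability { kill setgid setuid };` grants CAP_KILL with no comment, while the only process rules are `signal signull` on self; the capability is presumably for signalling a child after privileges have been dropped, so confirm and annotate it, or drop it if the audit log shows it is never exercised. `application_domain(usbmuxd_t, usbmuxd_exec_t)` together with `role usbmuxd_roles types usbmuxd_t` and only `system_r` in the role attribute means the daemon is expected to be launched by a system service rather than init; a line such as `# started by a system service (likely udev), hence application_domain rather than init_daemon_domain` would explain why this module differs from its siblings.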
diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc
new file mode 100644
index 000000000..21b5d723b
--- /dev/null
+++ b/policy/modules/services/uucp.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/uucp -- gen_context(system_u:object_r:uucpd_initrc_exec_t,s0)
+
+/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+/usr/bin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
+/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
new file mode 100644
index 000000000..a06faaf98
--- /dev/null
+++ b/policy/modules/services/uucp.if
@@ -0,0 +1,125 @@
+## <summary>Unix to Unix Copy.</summary>
+
+########################################
+## <summary>
+## Execute uucico in the uucpd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans',`
+ gen_require(`
+ type uucpd_t, uucpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
+')
+
+########################################
+## <summary>
+## Append uucp log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_append_log',`
+ gen_require(`
+ type uucpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, uucpd_log_t, uucpd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## uucp spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_manage_spool',`
+ gen_require(`
+ type uucpd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+')
+
+########################################
+## <summary>
+## Execute uux in the uux_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans_uux',`
+ gen_require(`
+ type uux_t, uux_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uux_exec_t, uux_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an uucp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+ type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+ type uucpd_var_run_t, uucpd_initrc_exec_t;
+ ')
+
+ init_startstop_service($1, $2, uucpd_t, uucpd_initrc_exec_t)
+
+ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, uucpd_spool_t)
+
+ admin_pattern($1, { uucpd_rw_t uucpd_ro_t })
+
+ files_list_tmp($1)
+ admin_pattern($1, uucpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, uucpd_var_run_t)
+')
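Review bot: `uucp_admin` does not cover `uucpd_lock_t`, which uucp.te in this same commit declares with `files_lock_file` and lets uucpd_t manage under `/var/lock/uucp`, so an administrator given this interface cannot clear stale lock files. Add `type uucpd_lock_t;` to the gen_require block and, next to the other admin_pattern pairs, `files_search_locks($1)` and `admin_pattern($1, uucpd_lock_t)`. The interface also leaves `uux_t` unmanaged (no `ps_process_pattern`/signal rules for it); if that is deliberate, a comment saying so would prevent a later "fix".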
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
new file mode 100644
index 000000000..c18f3557d
--- /dev/null
+++ b/policy/modules/services/uucp.te
@@ -0,0 +1,169 @@
+policy_module(uucp, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role uux_roles;
+roleattribute system_r uux_roles;
+
+type uucpd_t;
+type uucpd_exec_t;
+init_daemon_domain(uucpd_t, uucpd_exec_t)
+
+type uucpd_initrc_exec_t;
+init_script_file(uucpd_initrc_exec_t)
+
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
+type uucpd_tmp_t;
+files_tmp_file(uucpd_tmp_t)
+
+type uucpd_var_run_t;
+files_pid_file(uucpd_var_run_t)
+
+type uucpd_rw_t;
+files_type(uucpd_rw_t)
+
+type uucpd_ro_t;
+files_type(uucpd_ro_t)
+
+type uucpd_spool_t;
+files_type(uucpd_spool_t)
+
+type uucpd_log_t;
+logging_log_file(uucpd_log_t)
+
+type uux_t;
+type uux_exec_t;
+application_domain(uux_t, uux_exec_t)
+role uux_roles types uux_t;
+
+########################################
+#
+# Local policy
+#
+
+allow uucpd_t self:capability { setgid setuid };
+allow uucpd_t self:process signal_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
+allow uucpd_t self:tcp_socket { accept listen };
+allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow uucpd_t uucpd_log_t:dir setattr_dir_perms;
+append_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+create_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+setattr_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir })
+
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+allow uucpd_t uucpd_ro_t:file read_file_perms;
+allow uucpd_t uucpd_ro_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t)
+manage_files_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t)
+manage_lnk_files_pattern(uucpd_t, uucpd_spool_t, uucpd_spool_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+
+manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t)
+files_pid_filetrans(uucpd_t, uucpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(uucpd_t)
+kernel_read_system_state(uucpd_t)
+kernel_read_network_state(uucpd_t)
+
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
+corenet_tcp_sendrecv_generic_if(uucpd_t)
+corenet_tcp_sendrecv_generic_node(uucpd_t)
+
+corenet_sendrecv_ssh_client_packets(uucpd_t)
+corenet_tcp_connect_ssh_port(uucpd_t)
+corenet_tcp_sendrecv_ssh_port(uucpd_t)
+
+corecmd_exec_bin(uucpd_t)
+corecmd_exec_shell(uucpd_t)
+
+dev_read_urand(uucpd_t)
+
+files_search_home(uucpd_t)
+files_search_locks(uucpd_t)
+files_search_spool(uucpd_t)
+
+fs_getattr_xattr_fs(uucpd_t)
+
+term_setattr_controlling_term(uucpd_t)
+
+auth_use_nsswitch(uucpd_t)
+
+logging_send_syslog_msg(uucpd_t)
+
+miscfiles_read_localization(uucpd_t)
+
+optional_policy(`
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(uucpd_t)
+')
+
+optional_policy(`
+ mta_send_mail(uucpd_t)
+')
+
+optional_policy(`
+ ssh_exec(uucpd_t)
+')
+
+########################################
+#
+# UUX Local policy
+#
+
+allow uux_t self:capability { setgid setuid };
+allow uux_t self:fifo_file write_fifo_file_perms;
+
+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
+
+allow uux_t uucpd_log_t:dir list_dir_perms;
+append_files_pattern(uux_t, uucpd_log_t, uucpd_log_t)
+
+manage_dirs_pattern(uux_t, uucpd_spool_t, uucpd_spool_t)
+manage_files_pattern(uux_t, uucpd_spool_t, uucpd_spool_t)
+manage_lnk_files_pattern(uux_t, uucpd_spool_t, uucpd_spool_t)
+
+corecmd_exec_bin(uux_t)
+
+files_search_spool(uux_t)
+
+fs_rw_anon_inodefs_files(uux_t)
+
+auth_use_nsswitch(uux_t)
+
+logging_search_logs(uux_t)
+logging_send_syslog_msg(uux_t)
+
+miscfiles_read_localization(uux_t)
+
+optional_policy(`
+ mta_send_mail(uux_t)
+ mta_read_queue(uux_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
+')
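Review bot: `attribute_role uux_roles` is only ever populated with `system_r` (`roleattribute system_r uux_roles;`), and uucp.if in this commit exposes no interface that adds a caller's role to it, so a user domain granted `uucp_domtrans_uux` would get the type transition but, unless another module extends the attribute, no role authorization for uux_t and the exec would likely fail with an invalid context. Either an interface taking a role argument of the usual `*_run_*` shape that does `roleattribute $2 uux_roles;`, or a comment stating that uux is intended to run only from system_r, would resolve the ambiguity. Separately, `files_search_home(uucpd_t)` and the `ssh_exec(uucpd_t)` optional block carry no why-comment; something like `# uucico can transport over ssh; home search is presumably for the uucp account's ssh configuration -- confirm` would help the next reviewer.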
diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
new file mode 100644
index 000000000..d0a8520da
--- /dev/null
+++ b/policy/modules/services/uuidd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
+/usr/bin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
+
+/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
new file mode 100644
index 000000000..30f45ebf3
--- /dev/null
+++ b/policy/modules/services/uuidd.if
@@ -0,0 +1,191 @@
+## <summary>UUID generation daemon.</summary>
+
+########################################
+## <summary>
+## Execute uuidd in the uuidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uuidd_domtrans',`
+ gen_require(`
+ type uuidd_t, uuidd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uuidd_exec_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## Execute uuidd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_initrc_domtrans',`
+ gen_require(`
+ type uuidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_search_lib',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 uuidd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_dirs',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read uuidd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_pid_files',`
+ gen_require(`
+ type uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 uuidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to uuidd with an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+ type uuidd_t, uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an uuidd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uuidd_admin',`
+ gen_require(`
+ type uuidd_t, uuidd_initrc_exec_t;
+ type uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_t:process signal_perms;
+ ps_process_pattern($1, uuidd_t)
+
+ init_startstop_service($1, $2, uuidd_t, uuidd_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, uuidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, uuidd_var_run_t)
+')
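Review bot: `uuidd_read_pid_files` grants `read_file_perms` on uuidd_var_run_t files but no search permission on uuidd_var_run_t directories, and uuidd.fc in this commit labels `/run/uuidd(/.*)?` as a directory of that type, so a caller can reach `/run` via `files_search_pids` but cannot traverse into `/run/uuidd` to open the pid file. Replacing the bare allow rule with `read_files_pattern($1, uuidd_var_run_t, uuidd_var_run_t)` grants both, in the same way `uuidd_stream_connect_manager` passes the directory type to `stream_connect_pattern`. `uuidd_admin` also grants only `signal_perms` on the process where the other admin interfaces in this commit use `{ ptrace signal_perms }`; a comment would help if the narrower rule is deliberate.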
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
new file mode 100644
index 000000000..8c0defb36
--- /dev/null
+++ b/policy/modules/services/uuidd.te
@@ -0,0 +1,47 @@
+policy_module(uuidd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type uuidd_t;
+type uuidd_exec_t;
+init_daemon_domain(uuidd_t, uuidd_exec_t)
+
+type uuidd_initrc_exec_t;
+init_script_file(uuidd_initrc_exec_t)
+
+type uuidd_var_lib_t;
+files_type(uuidd_var_lib_t)
+
+type uuidd_var_run_t;
+files_pid_file(uuidd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow uuidd_t self:capability setuid;
+allow uuidd_t self:process signal;
+allow uuidd_t self:fifo_file rw_fifo_file_perms;
+allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
+allow uuidd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })
+
+manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })
+
+dev_read_urand(uuidd_t)
+
+domain_use_interactive_fds(uuidd_t)
+
+files_read_etc_files(uuidd_t)
+
+miscfiles_read_localization(uuidd_t)
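Review bot: `allow uuidd_t self:udp_socket create_socket_perms;` is unexplained for a local daemon that otherwise only serves a unix stream socket and has no corenet rules at all. It is presumably used for an interface ioctl to obtain a hardware address for time-based UUIDs rather than for network I/O; please confirm and document it, e.g. `# UDP socket used only for the interface ioctl that reads the node id; no corenet rules on purpose`. Stating that the absence of corenet rules is intentional keeps a later reviewer from "fixing" the apparent omission.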
diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc
new file mode 100644
index 000000000..92db9eaca
--- /dev/null
+++ b/policy/modules/services/uwimap.fc
@@ -0,0 +1,3 @@
+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
+
+/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0)
diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if
new file mode 100644
index 000000000..42f34a697
--- /dev/null
+++ b/policy/modules/services/uwimap.if
@@ -0,0 +1,20 @@
+## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server.</summary>
+
+########################################
+## <summary>
+## Execute imapd in the imapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uwimap_domtrans',`
+ gen_require(`
+ type imapd_t, imapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, imapd_exec_t, imapd_t)
+')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
new file mode 100644
index 000000000..02a45cf17
--- /dev/null
+++ b/policy/modules/services/uwimap.te
@@ -0,0 +1,107 @@
+policy_module(uwimap, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type imapd_t;
+type imapd_exec_t;
+init_daemon_domain(imapd_t, imapd_exec_t)
+
+type imapd_tmp_t;
+files_tmp_file(imapd_tmp_t)
+
+type imapd_var_run_t;
+files_pid_file(imapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow imapd_t self:capability { dac_override setgid setuid sys_resource };
+dontaudit imapd_t self:capability sys_tty_config;
+allow imapd_t self:process signal_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
+allow imapd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
+
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
+
+kernel_read_kernel_sysctls(imapd_t)
+kernel_list_proc(imapd_t)
+kernel_read_proc_symlinks(imapd_t)
+
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
+corenet_tcp_sendrecv_generic_if(imapd_t)
+corenet_tcp_sendrecv_generic_node(imapd_t)
+corenet_tcp_sendrecv_all_ports(imapd_t)
+corenet_tcp_bind_generic_node(imapd_t)
+
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_tcp_bind_pop_port(imapd_t)
+
+corenet_sendrecv_all_client_packets(imapd_t)
+corenet_tcp_connect_all_ports(imapd_t)
+
+dev_read_rand(imapd_t)
+dev_read_sysfs(imapd_t)
+dev_read_urand(imapd_t)
+
+domain_use_interactive_fds(imapd_t)
+
+files_read_etc_files(imapd_t)
+
+fs_getattr_all_fs(imapd_t)
+fs_search_auto_mountpoints(imapd_t)
+
+auth_domtrans_chk_passwd(imapd_t)
+
+logging_send_syslog_msg(imapd_t)
+
+miscfiles_read_localization(imapd_t)
+
+sysnet_dns_name_resolve(imapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(imapd_t)
+ fs_manage_nfs_files(imapd_t)
+ fs_manage_nfs_symlinks(imapd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(imapd_t)
+ fs_manage_cifs_files(imapd_t)
+ fs_manage_cifs_symlinks(imapd_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ mta_manage_spool(imapd_t)
+ mta_manage_mail_home_rw_content(imapd_t)
+ mta_home_filetrans_mail_home_rw(imapd_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(imapd_t, dir, ".maildir")
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imapd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(imapd_t)
+')
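Review bot: `corenet_sendrecv_all_client_packets(imapd_t)` and `corenet_tcp_connect_all_ports(imapd_t)` grant the IMAP/POP server unconditional outbound TCP to every port, far broader than its inbound role, which turns a compromised imapd_t into a general network pivot. varnishd.te in this same commit gates the equivalent access behind a boolean (`varnishd_connect_any`, default false); the same pattern here lets administrators keep it off unless needed. If some outbound access is genuinely required, the specific `corenet_tcp_connect_*_port` interface for that service is preferable to the all-ports form. Suggested shape below; the tunable name is a proposal.
```m4
## <desc>
## <p>
## Determine whether imapd can
## connect to arbitrary TCP ports.
## </p>
## </desc>
gen_tunable(uwimap_connect_any, false)

# … unchanged: type declarations and local policy up to the corenet rules …

tunable_policy(`uwimap_connect_any',`
	corenet_sendrecv_all_client_packets(imapd_t)
	corenet_tcp_connect_all_ports(imapd_t)
')
```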
diff --git a/policy/modules/services/varnishd.fc b/policy/modules/services/varnishd.fc
new file mode 100644
index 000000000..5d3f0915a
--- /dev/null
+++ b/policy/modules/services/varnishd.fc
@@ -0,0 +1,19 @@
+/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+
+/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+
+/usr/bin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
+/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+
+/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
+
+/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0)
+
+/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
+
+/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
new file mode 100644
index 000000000..e2dc5ea1e
--- /dev/null
+++ b/policy/modules/services/varnishd.if
@@ -0,0 +1,212 @@
+## <summary>Varnishd http accelerator daemon.</summary>
+
+#######################################
+## <summary>
+## Execute varnishd in the varnishd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`varnishd_domtrans',`
+ gen_require(`
+ type varnishd_t, varnishd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, varnishd_exec_t, varnishd_t)
+')
+
+#######################################
+## <summary>
+## Execute varnishd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_exec',`
+ gen_require(`
+ type varnishd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, varnishd_exec_t)
+')
+
+######################################
+## <summary>
+## Read varnishd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_config',`
+ gen_require(`
+ type varnishd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
+')
+
+#####################################
+## <summary>
+## Read varnish lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
+ gen_require(`
+ type varnishd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read varnish log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## Append varnish log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_append_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+#####################################
+## <summary>
+## Create, read, write, and delete
+## varnish log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_manage_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an varnishlog environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin_varnishlog',`
+ gen_require(`
+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+ type varnishlog_var_run_t;
+ ')
+
+ allow $1 varnishlog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishlog_t)
+
+ init_startstop_service($1, $2, varnishlog_t, varnishlog_initrc_exec_t)
+
+ files_list_pids($1)
+ admin_pattern($1, varnishlog_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, varnishlog_log_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an varnishd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin',`
+ gen_require(`
+ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
+ type varnishd_var_run_t, varnishd_tmp_t;
+ type varnishd_initrc_exec_t;
+ ')
+
+ allow $1 varnishd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishd_t)
+
+ init_startstop_service($1, $2, varnishd_t, varnishd_initrc_exec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, varnishd_var_lib_t)
+
+ files_list_etc($1)
+ admin_pattern($1, varnishd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, varnishd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, varnishd_tmp_t)
+')
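Review bot: the log interfaces `varnishd_read_log`, `varnishd_append_log` and `varnishd_manage_log` operate on `varnishlog_log_t`, which varnishd.te in this same commit declares with `files_type` even though varnishd.fc places it under `/var/log`. The sibling modules (`ulogd_var_log_t`, `uucpd_log_t`) declare their log types with `logging_log_file`, which also attaches the logfile attribute so the generic log-management interfaces cover them; unless varnish logs are deliberately excluded from that, `logging_log_file(varnishlog_log_t)` in the .te is the consistent choice and these interfaces then behave like their ulogd/uucp counterparts. The varnishd.te hunk continues beyond this view, so the declaration itself could not be annotated here.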
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
new file mode 100644
index 000000000..665e31c80
--- /dev/null
+++ b/policy/modules/services/varnishd.te
@@ -0,0 +1,142 @@
+policy_module(varnishd, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether varnishd can
+## use the full TCP network.
+## </p>
+## </desc>
+gen_tunable(varnishd_connect_any, false)
+
+type varnishd_t;
+type varnishd_exec_t;
+init_daemon_domain(varnishd_t, varnishd_exec_t)
+
+type varnishd_initrc_exec_t;
+init_script_file(varnishd_initrc_exec_t)
+
+type varnishd_etc_t;
+files_type(varnishd_etc_t)
+
+type varnishd_tmp_t;
+files_tmp_file(varnishd_tmp_t)
+
+type varnishd_var_lib_t;
+files_type(varnishd_var_lib_t)
+
+type varnishd_var_run_t;
+files_pid_file(varnishd_var_run_t)
+
+type varnishlog_t;
+type varnishlog_exec_t;
+init_daemon_domain(varnishlog_t, varnishlog_exec_t)
+
+type varnishlog_initrc_exec_t;
+init_script_file(varnishlog_initrc_exec_t)
+
+type varnishlog_var_run_t;
+files_pid_file(varnishlog_var_run_t)
+
+type varnishlog_log_t;
+files_type(varnishlog_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid };
+dontaudit varnishd_t self:capability sys_tty_config;
+allow varnishd_t self:process signal;
+allow varnishd_t self:fifo_file rw_fifo_file_perms;
+allow varnishd_t self:tcp_socket { accept listen };
+
+allow varnishd_t varnishd_etc_t:dir list_dir_perms;
+allow varnishd_t varnishd_etc_t:file read_file_perms;
+allow varnishd_t varnishd_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
+
+manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
+
+manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
+files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
+
+can_exec(varnishd_t, varnishd_var_lib_t)
+
+kernel_read_system_state(varnishd_t)
+
+corecmd_exec_bin(varnishd_t)
+corecmd_exec_shell(varnishd_t)
+
+corenet_all_recvfrom_unlabeled(varnishd_t)
+corenet_all_recvfrom_netlabel(varnishd_t)
+corenet_tcp_sendrecv_generic_if(varnishd_t)
+corenet_tcp_sendrecv_generic_node(varnishd_t)
+corenet_tcp_sendrecv_all_ports(varnishd_t)
+corenet_tcp_bind_generic_node(varnishd_t)
+
+corenet_sendrecv_http_server_packets(varnishd_t)
+corenet_tcp_bind_http_port(varnishd_t)
+corenet_sendrecv_http_client_packets(varnishd_t)
+corenet_tcp_connect_http_port(varnishd_t)
+corenet_tcp_sendrecv_http_port(varnishd_t)
+
+corenet_sendrecv_http_cache_server_packets(varnishd_t)
+corenet_tcp_bind_http_cache_port(varnishd_t)
+corenet_sendrecv_http_cache_client_packets(varnishd_t)
+corenet_tcp_connect_http_cache_port(varnishd_t)
+corenet_tcp_sendrecv_http_cache_port(varnishd_t)
+
+corenet_sendrecv_varnishd_server_packets(varnishd_t)
+corenet_tcp_bind_varnishd_port(varnishd_t)
+corenet_tcp_sendrecv_varnishd_port(varnishd_t)
+
+dev_read_urand(varnishd_t)
+
+files_read_usr_files(varnishd_t)
+
+fs_getattr_all_fs(varnishd_t)
+
+auth_use_nsswitch(varnishd_t)
+
+logging_send_syslog_msg(varnishd_t)
+
+miscfiles_read_localization(varnishd_t)
+
+tunable_policy(`varnishd_connect_any',`
+ corenet_sendrecv_all_client_packets(varnishd_t)
+ corenet_tcp_connect_all_ports(varnishd_t)
+ corenet_sendrecv_all_server_packets(varnishd_t)
+ corenet_tcp_bind_all_ports(varnishd_t)
+ corenet_tcp_sendrecv_all_ports(varnishd_t)
+')
+
+#######################################
+#
+# Log local policy
+#
+
+manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+
+manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+append_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+create_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+setattr_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
+
+read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
+
+files_search_var_lib(varnishlog_t)
+
+miscfiles_read_localization(varnishlog_t)
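Review bot: `corenet_tcp_sendrecv_all_ports(varnishd_t)` inside the `varnishd_connect_any` tunable block is a no-op, because the same call is already made unconditionally a few lines above in the base policy; either drop the unconditional line so send/recv on arbitrary ports is actually gated by the tunable, or drop the gated copy. The tunable's name suggests outbound connections only, yet the block also grants `corenet_tcp_bind_all_ports`, so its `<desc>` should say that binding is covered too, e.g. `Determine whether varnishd can connect to and bind any TCP port.` Separately, the domain gets both `manage_files_pattern` and `can_exec` on `varnishd_var_lib_t`, which lets it execute files it has written; a one-line comment above `can_exec` stating why that is needed (presumably runtime-generated modules under /var/lib — confirm) would save the next reviewer from flagging it.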
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
new file mode 100644
index 000000000..13aecb581
--- /dev/null
+++ b/policy/modules/services/vdagent.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
+
+/usr/bin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
index 000000000..c4a5ed7ef
--- /dev/null
+++ b/policy/modules/services/vdagent.if
@@ -0,0 +1,131 @@
+## <summary>Spice agent for Linux.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vdagent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_domtrans',`
+ gen_require(`
+ type vdagent_t, vdagent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
+#####################################
+## <summary>
+## Get attributes of vdagent executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec_files',`
+ gen_require(`
+ type vdagent_exec_t;
+ ')
+
+ allow $1 vdagent_exec_t:file getattr_file_perms;
+')
+
+#######################################
+## <summary>
+## Get attributes of vdagent log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_log',`
+ gen_require(`
+ type vdagent_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 vdagent_log_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read vdagent pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_read_pid_files',`
+ gen_require(`
+ type vdagent_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vdagent_var_run_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to vdagent with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_stream_connect',`
+ gen_require(`
+ type vdagent_var_run_t, vdagent_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an vdagent environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vdagent_admin',`
+ gen_require(`
+ type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t;
+ type vdagent_log_t;
+ ')
+
+ allow $1 vdagent_t:process signal_perms;
+ ps_process_pattern($1, vdagent_t)
+
+ init_startstop_service($1, $2, vdagentd_t, vdagentd_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, vdagent_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
+')
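Review bot: `vdagent_admin` passes `vdagentd_t` to `init_startstop_service`, but no such type exists in this module: the daemon type declared in vdagent.te and required by this interface's own `gen_require` is `vdagent_t`. The line should read `init_startstop_service($1, $2, vdagent_t, vdagentd_initrc_exec_t)`; as written it will fail to build wherever the third argument is used in a rule, and otherwise silently grants nothing for the daemon type.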
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
index 000000000..1c7919c3a
--- /dev/null
+++ b/policy/modules/services/vdagent.te
@@ -0,0 +1,65 @@
+policy_module(vdagent, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type vdagent_t;
+type vdagent_exec_t;
+init_daemon_domain(vdagent_t, vdagent_exec_t)
+
+type vdagentd_initrc_exec_t;
+init_script_file(vdagentd_initrc_exec_t)
+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
+type vdagent_log_t;
+logging_log_file(vdagent_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit vdagent_t self:capability sys_admin;
+allow vdagent_t self:process signal;
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+
+dev_rw_input_dev(vdagent_t)
+dev_rw_mtrr(vdagent_t)
+dev_read_sysfs(vdagent_t)
+dev_dontaudit_write_mtrr(vdagent_t)
+
+files_read_etc_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
+
+init_read_state(vdagent_t)
+
+logging_send_syslog_msg(vdagent_t)
+
+miscfiles_read_localization(vdagent_t)
+
+userdom_read_all_users_state(vdagent_t)
+
+optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+ ')
+')
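Review bot: `dev_dontaudit_write_mtrr(vdagent_t)` is redundant with `dev_rw_mtrr(vdagent_t)` two lines above it, since a dontaudit on a permission that is already allowed has no effect; keep one or the other depending on whether the daemon actually needs to write MTRRs. `logging_log_filetrans(vdagent_t, vdagent_log_t, file)` only transitions files, while the file contexts label a `/var/log/spice-vdagentd` directory and the policy grants `manage_dirs_pattern` on `vdagent_log_t`; if the daemon creates that directory itself it will land as the generic log type unless the transition is `{ dir file }` — confirm against the daemon's behaviour. `userdom_read_all_users_state(vdagent_t)` is a broad grant for a guest agent and would benefit from a why-comment naming what it reads.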
diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc
new file mode 100644
index 000000000..ded76282e
--- /dev/null
+++ b/policy/modules/services/vhostmd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+
+/usr/bin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
new file mode 100644
index 000000000..3c66a92ca
--- /dev/null
+++ b/policy/modules/services/vhostmd.if
@@ -0,0 +1,229 @@
+## <summary>Virtual host metrics daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vhostmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_domtrans',`
+ gen_require(`
+ type vhostmd_t, vhostmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
+')
+
+########################################
+## <summary>
+## Execute vhostmd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_initrc_domtrans',`
+ gen_require(`
+ type vhostmd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_rw_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read vhostmd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vhostmd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vhostmd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to vhostmd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_stream_connect',`
+ gen_require(`
+ type vhostmd_t, vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and
+## write vhostmd unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_rw_stream_connect',`
+ gen_require(`
+ type vhostmd_t;
+ ')
+
+ dontaudit $1 vhostmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an vhostmd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vhostmd_admin',`
+ gen_require(`
+ type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t;
+ type vhostmd_tmpfs_t;
+ ')
+
+ allow $1 vhostmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vhostmd_t)
+
+ init_startstop_service($1, $2, vhostmd_t, vhostmd_initrc_exec_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, vhostmd_tmpfs_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vhostmd_var_run_t)
+')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
new file mode 100644
index 000000000..685e7b8b8
--- /dev/null
+++ b/policy/modules/services/vhostmd.te
@@ -0,0 +1,87 @@
+policy_module(vhostmd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type vhostmd_t;
+type vhostmd_exec_t;
+init_daemon_domain(vhostmd_t, vhostmd_exec_t)
+
+type vhostmd_initrc_exec_t;
+init_script_file(vhostmd_initrc_exec_t)
+
+type vhostmd_tmpfs_t;
+files_tmpfs_file(vhostmd_tmpfs_t)
+
+type vhostmd_var_run_t;
+files_pid_file(vhostmd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid };
+allow vhostmd_t self:process { setsched getsched signal };
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
+
+manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_sock_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir sock_file })
+
+kernel_read_kernel_sysctls(vhostmd_t)
+kernel_read_system_state(vhostmd_t)
+kernel_read_network_state(vhostmd_t)
+kernel_write_xen_state(vhostmd_t)
+
+corecmd_exec_bin(vhostmd_t)
+corecmd_exec_shell(vhostmd_t)
+
+corenet_all_recvfrom_unlabeled(vhostmd_t)
+corenet_all_recvfrom_netlabel(vhostmd_t)
+corenet_tcp_sendrecv_generic_if(vhostmd_t)
+corenet_tcp_sendrecv_generic_node(vhostmd_t)
+
+corenet_sendrecv_soundd_client_packets(vhostmd_t)
+corenet_tcp_connect_soundd_port(vhostmd_t)
+corenet_tcp_sendrecv_soundd_port(vhostmd_t)
+
+dev_read_rand(vhostmd_t)
+dev_read_urand(vhostmd_t)
+dev_read_sysfs(vhostmd_t)
+
+files_list_tmp(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+
+auth_use_nsswitch(vhostmd_t)
+
+logging_send_syslog_msg(vhostmd_t)
+
+miscfiles_read_localization(vhostmd_t)
+
+optional_policy(`
+ hostname_exec(vhostmd_t)
+')
+
+optional_policy(`
+ rpm_exec(vhostmd_t)
+ rpm_read_db(vhostmd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(vhostmd_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(vhostmd_t)
+ xen_stream_connect(vhostmd_t)
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
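Review bot: `dac_override` in the self:capability line is the broadest of the DAC bypass capabilities and nothing in the hunk explains it; if the daemon only needs to traverse or read files it does not own, `dac_read_search` is the narrower choice, and either way a comment such as `# dac_override: <reason — confirm>` above the rule would document the need. `corenet_tcp_connect_soundd_port(vhostmd_t)` is also surprising for a metrics daemon; presumably the port it contacts falls in that port set, which is worth a one-line comment so the grant is not mistaken for a copy-paste error.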
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
new file mode 100644
index 000000000..eb5ff0d87
--- /dev/null
+++ b/policy/modules/services/virt.fc
@@ -0,0 +1,67 @@
+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/usr/lib/libvirt/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/lib/libvirt/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
+/usr/lib/qemu/qemu-bridge-helper -- gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
+
+/usr/bin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/bin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virtlockd_var_lib_t,s0)
+
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlockd_run_t,s0)
+/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/run/virtlockd.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
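Review bot: `/var/log/log(/.*)?` labelled as `virt_log_t` looks like a stray entry rather than a real libvirt path — the neighbouring entries cover `/var/log/libvirt` and `/var/log/vdsm` — and labelling an unrelated `/var/log/log` tree as libvirt's log type would hand virtd write access to it; confirm the path is intended or drop it. The final entry leaves the dot unescaped, unlike `/run/libvirtd\.pid` above, so it should be `/run/virtlockd\.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)`. `/usr/libexec/qemu-bridge-helper` also lacks the `--` file-type qualifier that the `/usr/lib/qemu/qemu-bridge-helper` entry carries; `/usr/libexec/qemu-bridge-helper -- gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)` keeps the two consistent and restricts the entrypoint label to regular files.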
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
new file mode 100644
index 000000000..993ee6c84
--- /dev/null
+++ b/policy/modules/services/virt.if
@@ -0,0 +1,1190 @@
+## <summary>Libvirt virtualization API.</summary>
+
+#######################################
+## <summary>
+## The template to define a virt domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`virt_domain_template',`
+ gen_require(`
+ attribute_role virt_domain_roles;
+ attribute virt_image_type, virt_domain, virt_tmpfs_type;
+ attribute virt_ptynode, virt_tmp_type;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, virt_domain;
+ application_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role virt_domain_roles types $1_t;
+
+ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
+ type $1_tmp_t, virt_tmp_type;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t, virt_tmpfs_type;
+ files_tmpfs_file($1_tmpfs_t)
+
+ optional_policy(`
+ pulseaudio_tmpfs_content($1_tmpfs_t)
+ ')
+
+ type $1_image_t, virt_image_type;
+ files_type($1_image_t)
+ dev_node($1_image_t)
+ dev_associate_sysfs($1_image_t)
+
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ qemu_entry_type($1_t)
+ ')
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+ fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+ optional_policy(`
+ pulseaudio_run($1_t, virt_domain_roles)
+ ')
+
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a virt lxc domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`virt_lxc_domain_template',`
+ gen_require(`
+ attribute_role svirt_lxc_domain_roles;
+ attribute svirt_lxc_domain;
+ ')
+
+ type $1_t, svirt_lxc_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role svirt_lxc_domain_roles types $1_t;
+')
+
+########################################
+## <summary>
+## Make the specified type virt image type.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virtual image.
+## </summary>
+## </param>
+#
+interface(`virt_image',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ typeattribute $1 virt_image_type;
+ files_type($1)
+ dev_node($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run virtd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans',`
+ gen_require(`
+ type virtd_t, virtd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run virt qmf.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_qmf',`
+ gen_require(`
+ type virt_qmf_t, virt_qmf_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run virt bridgehelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_bridgehelper',`
+ gen_require(`
+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run virt leaseshelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+ gen_require(`
+ type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
+## Execute bridgehelper in the bridgehelper
+## domain, and allow the specified role
+## the bridgehelper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_run_bridgehelper',`
+ gen_require(`
+ attribute_role virt_bridgehelper_roles;
+ ')
+
+ virt_domtrans_bridgehelper($1)
+ roleattribute $2 virt_bridgehelper_roles;
+')
+
+########################################
+## <summary>
+## Execute virt domain in the their
+## domain, and allow the specified
+## role that virt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_run_virt_domain',`
+ gen_require(`
+ attribute virt_domain;
+ attribute_role virt_domain_roles;
+ ')
+
+ allow $1 virt_domain:process { signal transition };
+ roleattribute $2 virt_domain_roles;
+
+ allow virt_domain $1:fd use;
+ allow virt_domain $1:fifo_file rw_fifo_file_perms;
+ allow virt_domain $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Send generic signals to all virt domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signal_all_virt_domains',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process signal;
+')
+
+########################################
+## <summary>
+## Send kill signals to all virt domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill_all_virt_domains',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute svirt lxc domains in their
+## domain, and allow the specified
+## role that svirt lxc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_run_svirt_lxc_domain',`
+ gen_require(`
+ attribute svirt_lxc_domain;
+ attribute_role svirt_lxc_domain_roles;
+ ')
+
+ allow $1 svirt_lxc_domain:process { signal transition };
+ roleattribute $2 svirt_lxc_domain_roles;
+
+ allow svirt_lxc_domain $1:fd use;
+ allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
+ allow svirt_lxc_domain $1:process sigchld;
+')
+
+#######################################
+## <summary>
+## Get attributes of virtd executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_virtd_exec_files',`
+ gen_require(`
+ type virtd_exec_t;
+ ')
+
+ allow $1 virtd_exec_t:file getattr_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to virt with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect',`
+ gen_require(`
+ type virtd_t, virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Attach to virt tun devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read virt configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_config',`
+ gen_require(`
+ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_config',`
+ gen_require(`
+ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Read virt content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_content_t:dir list_dir_perms;
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_virt_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 virt_content_t:dir manage_dir_perms;
+ allow $1 virt_content_t:file manage_file_perms;
+ allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
+ allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
+ allow $1 virt_content_t:sock_file manage_sock_file_perms;
+ allow $1 virt_content_t:blk_file manage_blk_file_perms;
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Relabel virt content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_relabel_virt_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 virt_content_t:dir relabel_dir_perms;
+ allow $1 virt_content_t:file relabel_file_perms;
+ allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
+ allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
+ allow $1 virt_content_t:sock_file relabel_sock_file_perms;
+ allow $1 virt_content_t:blk_file relabel_blk_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the virt content type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`virt_home_filetrans_virt_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_home_filetrans($1, virt_content_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_svirt_home_content',`
+ gen_require(`
+ type svirt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 svirt_home_t:dir manage_dir_perms;
+ allow $1 svirt_home_t:file manage_file_perms;
+ allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 svirt_home_t:sock_file manage_sock_file_perms;
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Relabel svirt home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_relabel_svirt_home_content',`
+ gen_require(`
+ type svirt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 svirt_home_t:dir relabel_dir_perms;
+ allow $1 svirt_home_t:file relabel_file_perms;
+ allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
+ allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
+ allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the svirt home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`virt_home_filetrans_svirt_home',`
+ gen_require(`
+ type svirt_home_t;
+ ')
+
+ virt_home_filetrans($1, svirt_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## virt home directories with private
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`virt_home_filetrans',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, virt_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_home_files',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_generic_virt_home_content',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 virt_home_t:dir manage_dir_perms;
+ allow $1 virt_home_t:file manage_file_perms;
+ allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 virt_home_t:sock_file manage_sock_file_perms;
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Relabel virt home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_relabel_generic_virt_home_content',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 virt_home_t:dir relabel_dir_perms;
+ allow $1 virt_home_t:file relabel_file_perms;
+ allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
+ allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
+ allow $1 virt_home_t:sock_file relabel_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic virt
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`virt_home_filetrans_virt_home',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Search virt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_lib',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create objects in virt pid
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`virt_pid_filetrans',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Read virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Append virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Search virt image directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read virt image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read and write all virt image
+## character files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_all_image_chr_files',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_virt_cache',`
+ gen_require(`
+ type virt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an virt environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_admin',`
+ gen_require(`
+ attribute virt_domain, virt_image_type, virt_tmpfs_type;
+ attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
+ type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
+ type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
+ type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+ type virt_var_run_t, virt_tmp_t, virt_log_t;
+ type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+ type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ ')
+
+ allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+ allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
+ ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
+
+ init_startstop_service($1, $2, virtd_t, virtd_initrc_exec_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, virt_tmpfs_type)
+
+ files_search_tmp($1)
+ admin_pattern($1, { virt_tmp_type virt_tmp_t })
+
+ files_search_etc($1)
+ admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, virt_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+
+ files_search_var($1)
+ admin_pattern($1, svirt_cache_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
+
+ files_search_locks($1)
+ admin_pattern($1, virt_lock_t)
+
+ dev_list_all_dev_nodes($1)
+ allow $1 virt_ptynode:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
new file mode 100644
index 000000000..766298851
--- /dev/null
+++ b/policy/modules/services/virt.te
@@ -0,0 +1,1391 @@
+policy_module(virt, 1.13.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use serial/parallel communication ports.
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use executable memory and can make
+## their stack executable.
+## </p>
+## </desc>
+gen_tunable(virt_use_execmem, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use fuse file systems.
+## </p>
+## </desc>
+gen_tunable(virt_use_fusefs, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use nfs file systems.
+## </p>
+## </desc>
+gen_tunable(virt_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use cifs file systems.
+## </p>
+## </desc>
+gen_tunable(virt_use_samba, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can manage device configuration.
+## </p>
+## </desc>
+gen_tunable(virt_use_sysfs, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use usb devices.
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can interact with xserver.
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
+## <p>
+## Determine whether confined virtual guests
+## can use vfio for pci device pass through (vt-d).
+## </p>
+## </desc>
+gen_tunable(virt_use_vfio, false)
+
+attribute virt_ptynode;
+attribute virt_domain;
+attribute virt_image_type;
+attribute virt_tmp_type;
+attribute virt_tmpfs_type;
+
+attribute svirt_lxc_domain;
+
+attribute_role virt_domain_roles;
+roleattribute system_r virt_domain_roles;
+
+attribute_role virt_bridgehelper_roles;
+roleattribute system_r virt_bridgehelper_roles;
+
+attribute_role svirt_lxc_domain_roles;
+roleattribute system_r svirt_lxc_domain_roles;
+
+virt_domain_template(svirt)
+virt_domain_template(svirt_prot_exec)
+
+type virt_cache_t alias svirt_cache_t;
+files_type(virt_cache_t)
+
+type virt_etc_t;
+files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
+
+type virt_home_t;
+userdom_user_home_content(virt_home_t)
+
+type svirt_home_t;
+userdom_user_home_content(svirt_home_t)
+
+type svirt_var_run_t;
+files_pid_file(svirt_var_run_t)
+mls_trusted_object(svirt_var_run_t)
+
+type virt_image_t; # customizable
+virt_image(virt_image_t)
+files_mountpoint(virt_image_t)
+
+type virt_content_t; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
+type virt_lock_t;
+files_lock_file(virt_lock_t)
+
+type virt_log_t;
+logging_log_file(virt_log_t)
+mls_trusted_object(virt_log_t)
+
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
+type virt_var_run_t;
+files_pid_file(virt_var_run_t)
+
+type virt_var_lib_t;
+files_mountpoint(virt_var_lib_t)
+
+type virtd_t;
+type virtd_exec_t;
+init_daemon_domain(virtd_t, virtd_exec_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
+
+type virtd_initrc_exec_t;
+init_script_file(virtd_initrc_exec_t)
+
+type virtd_keytab_t;
+files_type(virtd_keytab_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+')
+
+type virt_qmf_t;
+type virt_qmf_exec_t;
+init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
+
+type virt_bridgehelper_t;
+type virt_bridgehelper_exec_t;
+domain_type(virt_bridgehelper_t)
+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+role virt_bridgehelper_roles types virt_bridgehelper_t;
+
+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
+type virtd_lxc_t;
+type virtd_lxc_exec_t;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
+type virtd_lxc_var_run_t;
+files_pid_file(virtd_lxc_var_run_t)
+
+type svirt_lxc_file_t;
+files_mountpoint(svirt_lxc_file_t)
+fs_noxattr_type(svirt_lxc_file_t)
+term_pty(svirt_lxc_file_t)
+
+virt_lxc_domain_template(svirt_lxc_net)
+
+type virsh_t;
+type virsh_exec_t;
+init_system_domain(virsh_t, virsh_exec_t)
+
+type virtlockd_t;
+type virtlockd_exec_t;
+init_daemon_domain(virtlockd_t, virtlockd_exec_t)
+
+type virtlockd_run_t;
+files_pid_file(virtlockd_run_t)
+
+type virtlockd_var_lib_t;
+files_type(virtlockd_var_lib_t)
+
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# Common virt domain local policy
+#
+
+allow virt_domain self:process { signal getsched signull };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:unix_stream_socket { accept listen };
+allow virt_domain self:unix_dgram_socket sendto;
+
+allow virt_domain virtd_t:fd use;
+allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
+allow virt_domain virtd_t:process sigchld;
+
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
+
+stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
+stream_connect_pattern(virt_domain, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+fs_getattr_xattr_fs(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+
+corenet_sendrecv_vnc_server_packets(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_tcp_sendrecv_vnc_port(virt_domain)
+
+corenet_sendrecv_virt_migration_server_packets(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_sendrecv_virt_migration_client_packets(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_tcp_sendrecv_virt_migration_port(virt_domain)
+
+corenet_rw_tun_tap_dev(virt_domain)
+
+dev_getattr_fs(virt_domain)
+dev_list_sysfs(virt_domain)
+dev_read_generic_symlinks(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_vhost(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_mnt_symlinks(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_all_fs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+
+# fs_rw_inherited_nfs_files(virt_domain)
+# fs_rw_inherited_cifs_files(virt_domain)
+# fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+storage_raw_write_removable_device(virt_domain)
+storage_raw_read_removable_device(virt_domain)
+
+term_use_all_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+miscfiles_read_public_files(virt_domain)
+
+sysnet_read_config(virt_domain)
+
+userdom_search_user_home_dirs(virt_domain)
+userdom_read_all_users_state(virt_domain)
+
+virt_run_bridgehelper(virt_domain, virt_domain_roles)
+virt_read_config(virt_domain)
+virt_read_lib_files(virt_domain)
+virt_read_content(virt_domain)
+virt_stream_connect(virt_domain)
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ qemu_exec(virt_domain)
+ ')
+')
+
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+')
+
+tunable_policy(`virt_use_sysfs',`
+ dev_rw_sysfs(virt_domain)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
+ fs_getattr_dos_fs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_read_xdm_pid(virt_domain)
+ xserver_stream_connect(virt_domain)
+ ')
+')
+
+optional_policy(`
+ dbus_read_lib_files(virt_domain)
+')
+
+optional_policy(`
+ nscd_use(virt_domain)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(virt_domain)
+')
+
+optional_policy(`
+ xen_rw_image_files(virt_domain)
+')
+
+########################################
+#
+# svirt local policy
+#
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir rw_dir_perms;
+
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
+manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
+manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
+
+filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+
+stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+
+corenet_all_recvfrom_unlabeled(svirt_t)
+corenet_all_recvfrom_netlabel(svirt_t)
+corenet_tcp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_tcp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_tcp_sendrecv_all_ports(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_tcp_bind_generic_node(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+
+corenet_sendrecv_all_server_packets(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+corenet_tcp_bind_all_ports(svirt_t)
+
+corenet_sendrecv_all_client_packets(svirt_t)
+corenet_tcp_connect_all_ports(svirt_t)
+
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
+########################################
+#
+# virtd local policy
+#
+
+allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
+allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow virtd_t self:rawip_socket create_socket_perms;
+allow virtd_t self:packet_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
+allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow virtd_t self:netlink_route_socket nlmsg_write;
+
+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+
+allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_lxc_domain:process signal_perms;
+
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+
+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+
+allow virtd_t virtd_keytab_t:file read_file_perms;
+
+allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
+manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt")
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst")
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines")
+
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
+
+allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+allow virtd_t virt_tmpfs_t:dir mounton;
+
+# This needs a file context specification
+manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+append_files_pattern(virtd_t, virt_log_t, virt_log_t)
+create_files_pattern(virtd_t, virt_log_t, virt_log_t)
+read_files_pattern(virtd_t, virt_log_t, virt_log_t)
+setattr_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+
+stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
+
+can_exec(virtd_t, virt_tmp_t)
+
+kernel_read_crypto_sysctls(virtd_t)
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_read_kernel_sysctls(virtd_t)
+kernel_read_vm_overcommit_sysctl(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
+kernel_setsched(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_generic_if(virtd_t)
+corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_bind_generic_node(virtd_t)
+
+corenet_sendrecv_virt_server_packets(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_sendrecv_virt_port(virtd_t)
+
+corenet_sendrecv_vnc_server_packets(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_sendrecv_vnc_client_packets(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_sendrecv_vnc_port(virtd_t)
+
+corenet_sendrecv_soundd_client_packets(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_tcp_sendrecv_soundd_port(virtd_t)
+
+corenet_rw_tun_tap_dev(virtd_t)
+
+dev_rw_sysfs(virtd_t)
+dev_read_urand(virtd_t)
+dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
+dev_rw_mtrr(virtd_t)
+dev_rw_vhost(virtd_t)
+dev_setattr_generic_usb_dev(virtd_t)
+dev_relabel_generic_usb_dev(virtd_t)
+dev_relabel_all_dev_nodes(virtd_t)
+dev_relabel_generic_symlinks(virtd_t)
+dev_mounton(virtd_t)
+
+domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+
+files_read_usr_files(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_mounton_root(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
+# files_relabelto_system_conf_files(virtd_t)
+# files_relabelfrom_system_conf_files(virtd_t)
+# files_manage_system_conf_files(virtd_t)
+
+fs_list_auto_mountpoints(virtd_t)
+fs_getattr_all_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+fs_manage_hugetlbfs_dirs(virtd_t)
+fs_rw_hugetlbfs_files(virtd_t)
+fs_read_nsfs_files(virtd_t)
+fs_mount_tmpfs(virtd_t)
+
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
+mls_process_write_to_clearance(virtd_t)
+mls_net_write_within_range(virtd_t)
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
+
+mcs_process_set_categories(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+miscfiles_read_localization(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+miscfiles_read_generic_tls_privkey(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_manage_module_config(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
+
+selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
+seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
+
+sysnet_signull_ifconfig(virtd_t)
+sysnet_signal_ifconfig(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
+
+userdom_read_all_users_state(virtd_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virtd_t)
+ fs_manage_fusefs_files(virtd_t)
+ fs_read_fusefs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ consoletype_exec(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ ')
+')
+
+optional_policy(`
+ dmidecode_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+ dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+ dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+ dnsmasq_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+ iptables_manage_config(virtd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ mount_domtrans(virtd_t)
+ mount_signal(virtd_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_exec(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+ udev_read_pid_files(virtd_t)
+')
+
+########################################
+#
+# Virsh local policy
+#
+
+allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { accept connectto listen };
+allow virsh_t self:tcp_socket { accept listen };
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+
+manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+
+dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+
+allow virsh_t svirt_lxc_domain:process transition;
+
+can_exec(virsh_t, virsh_exec_t)
+
+virt_domtrans(virsh_t)
+virt_manage_images(virsh_t)
+virt_manage_config(virsh_t)
+virt_stream_connect(virsh_t)
+
+kernel_read_crypto_sysctls(virsh_t)
+kernel_read_system_state(virsh_t)
+kernel_read_network_state(virsh_t)
+kernel_read_kernel_sysctls(virsh_t)
+kernel_read_sysctl(virsh_t)
+kernel_read_xen_state(virsh_t)
+kernel_write_xen_state(virsh_t)
+
+corecmd_exec_bin(virsh_t)
+corecmd_exec_shell(virsh_t)
+
+corenet_all_recvfrom_unlabeled(virsh_t)
+corenet_all_recvfrom_netlabel(virsh_t)
+corenet_tcp_sendrecv_generic_if(virsh_t)
+corenet_tcp_sendrecv_generic_node(virsh_t)
+corenet_tcp_bind_generic_node(virsh_t)
+
+corenet_sendrecv_soundd_client_packets(virsh_t)
+corenet_tcp_connect_soundd_port(virsh_t)
+corenet_tcp_sendrecv_soundd_port(virsh_t)
+
+dev_read_rand(virsh_t)
+dev_read_urand(virsh_t)
+dev_read_sysfs(virsh_t)
+
+files_read_etc_runtime_files(virsh_t)
+files_read_etc_files(virsh_t)
+files_read_usr_files(virsh_t)
+files_list_mnt(virsh_t)
+files_list_tmp(virsh_t)
+
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
+fs_manage_xenfs_files(virsh_t)
+fs_search_auto_mountpoints(virsh_t)
+
+storage_raw_read_fixed_disk(virsh_t)
+
+term_use_all_terms(virsh_t)
+
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
+logging_send_syslog_msg(virsh_t)
+
+miscfiles_read_localization(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virsh_t)
+ fs_manage_fusefs_files(virsh_t)
+ fs_read_fusefs_symlinks(virsh_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virsh_t)
+ fs_manage_nfs_files(virsh_t)
+ fs_read_nfs_symlinks(virsh_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(virsh_t)
+ fs_manage_cifs_files(virsh_t)
+ fs_read_cifs_symlinks(virsh_t)
+')
+
+optional_policy(`
+ cron_system_entry(virsh_t, virsh_exec_t)
+')
+
+optional_policy(`
+ rpm_exec(virsh_t)
+')
+
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
+ xen_read_xenstored_pid_files(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virsh_t)
+
+ optional_policy(`
+ hal_dbus_chat(virsh_t)
+ ')
+')
+
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
+ vhostmd_stream_connect(virsh_t)
+ vhostmd_dontaudit_rw_stream_connect(virsh_t)
+')
+
+optional_policy(`
+ ssh_basic_client_template(virsh, virsh_t, system_r)
+
+ kernel_read_xen_state(virsh_ssh_t)
+ kernel_write_xen_state(virsh_ssh_t)
+
+ files_search_tmp(virsh_ssh_t)
+
+ fs_manage_xenfs_dirs(virsh_ssh_t)
+ fs_manage_xenfs_files(virsh_ssh_t)
+')
+
+########################################
+#
+# Lxc local policy
+#
+
+allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
+allow virtd_lxc_t self:unix_stream_socket { accept listen };
+allow virtd_lxc_t self:packet_socket create_socket_perms;
+
+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
+
+allow virtd_lxc_t virt_image_type:dir mounton;
+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+
+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+
+storage_manage_fixed_disk(virtd_lxc_t)
+
+kernel_read_all_sysctls(virtd_lxc_t)
+kernel_read_network_state(virtd_lxc_t)
+kernel_read_system_state(virtd_lxc_t)
+kernel_list_unlabeled(virtd_lxc_t)
+
+corecmd_exec_bin(virtd_lxc_t)
+corecmd_exec_shell(virtd_lxc_t)
+
+dev_relabel_all_dev_nodes(virtd_lxc_t)
+dev_rw_sysfs(virtd_lxc_t)
+dev_read_sysfs(virtd_lxc_t)
+dev_read_urand(virtd_lxc_t)
+
+domain_use_interactive_fds(virtd_lxc_t)
+
+files_associate_rootfs(svirt_lxc_file_t)
+files_search_all(virtd_lxc_t)
+files_getattr_all_files(virtd_lxc_t)
+files_read_usr_files(virtd_lxc_t)
+files_relabel_rootfs(virtd_lxc_t)
+files_mounton_non_security(virtd_lxc_t)
+files_mount_all_file_type_fs(virtd_lxc_t)
+files_unmount_all_file_type_fs(virtd_lxc_t)
+files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+
+fs_getattr_all_fs(virtd_lxc_t)
+fs_manage_tmpfs_dirs(virtd_lxc_t)
+fs_manage_tmpfs_chr_files(virtd_lxc_t)
+fs_manage_tmpfs_symlinks(virtd_lxc_t)
+fs_manage_cgroup_dirs(virtd_lxc_t)
+fs_mounton_tmpfs(virtd_lxc_t)
+fs_remount_all_fs(virtd_lxc_t)
+fs_rw_cgroup_files(virtd_lxc_t)
+fs_unmount_all_fs(virtd_lxc_t)
+fs_relabelfrom_tmpfs(virtd_lxc_t)
+
+selinux_mount_fs(virtd_lxc_t)
+selinux_unmount_fs(virtd_lxc_t)
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
+selinux_compute_access_vector(virtd_lxc_t)
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
+
+term_use_generic_ptys(virtd_lxc_t)
+term_use_ptmx(virtd_lxc_t)
+term_relabel_pty_fs(virtd_lxc_t)
+
+auth_use_nsswitch(virtd_lxc_t)
+
+logging_send_syslog_msg(virtd_lxc_t)
+
+miscfiles_read_localization(virtd_lxc_t)
+
+seutil_domtrans_setfiles(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
+seutil_read_default_contexts(virtd_lxc_t)
+
+sysnet_domtrans_ifconfig(virtd_lxc_t)
+
+########################################
+#
+# Common virt lxc domain local policy
+#
+
+allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot };
+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+allow svirt_lxc_domain self:fifo_file manage_file_perms;
+allow svirt_lxc_domain self:sem create_sem_perms;
+allow svirt_lxc_domain self:shm create_shm_perms;
+allow svirt_lxc_domain self:msgq create_msgq_perms;
+allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+allow svirt_lxc_domain virtd_lxc_t:fd use;
+allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+
+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+allow svirt_lxc_domain virsh_t:fd use;
+allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+allow svirt_lxc_domain virsh_t:process sigchld;
+
+allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+
+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+
+allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+
+kernel_getattr_proc(svirt_lxc_domain)
+kernel_list_all_proc(svirt_lxc_domain)
+kernel_read_kernel_sysctls(svirt_lxc_domain)
+kernel_rw_net_sysctls(svirt_lxc_domain)
+kernel_read_system_state(svirt_lxc_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+
+corecmd_exec_all_executables(svirt_lxc_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+files_dontaudit_getattr_all_files(svirt_lxc_domain)
+files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+# files_entrypoint_all_files(svirt_lxc_domain)
+files_list_var(svirt_lxc_domain)
+files_list_var_lib(svirt_lxc_domain)
+files_search_all(svirt_lxc_domain)
+files_read_config_files(svirt_lxc_domain)
+files_read_usr_files(svirt_lxc_domain)
+files_read_usr_symlinks(svirt_lxc_domain)
+
+fs_getattr_all_fs(svirt_lxc_domain)
+fs_list_inotifyfs(svirt_lxc_domain)
+
+# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+
+auth_dontaudit_read_login_records(svirt_lxc_domain)
+auth_dontaudit_write_login_records(svirt_lxc_domain)
+auth_search_pam_console_data(svirt_lxc_domain)
+
+clock_read_adjtime(svirt_lxc_domain)
+
+init_read_utmp(svirt_lxc_domain)
+init_dontaudit_write_utmp(svirt_lxc_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+
+miscfiles_read_localization(svirt_lxc_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+miscfiles_read_fonts(svirt_lxc_domain)
+
+mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+
+optional_policy(`
+ udev_read_pid_files(svirt_lxc_domain)
+')
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
+')
+
+########################################
+#
+# Lxc net local policy
+#
+
+allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource };
+dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+allow svirt_lxc_net_t self:process setrlimit;
+allow svirt_lxc_net_t self:tcp_socket { accept listen };
+allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
+allow svirt_lxc_net_t self:packet_socket create_socket_perms;
+allow svirt_lxc_net_t self:socket create_socket_perms;
+allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
+allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_network_state(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+
+corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
+corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
+corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
+corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
+corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
+corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
+corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
+corenet_udp_bind_generic_node(svirt_lxc_net_t)
+
+corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+corenet_udp_bind_all_ports(svirt_lxc_net_t)
+corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+
+corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+
+dev_getattr_mtrr_dev(svirt_lxc_net_t)
+dev_read_rand(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
+dev_read_urand(svirt_lxc_net_t)
+
+files_read_kernel_modules(svirt_lxc_net_t)
+
+fs_mount_cgroup(svirt_lxc_net_t)
+fs_manage_cgroup_dirs(svirt_lxc_net_t)
+fs_rw_cgroup_files(svirt_lxc_net_t)
+
+auth_use_nsswitch(svirt_lxc_net_t)
+
+logging_send_audit_msgs(svirt_lxc_net_t)
+
+userdom_use_user_ptys(svirt_lxc_net_t)
+
+optional_policy(`
+ rpm_read_db(svirt_lxc_net_t)
+')
+
+#######################################
+#
+# Prot exec local policy
+#
+
+allow svirt_prot_exec_t self:process { execmem execstack };
+
+########################################
+#
+# Qmf local policy
+#
+
+allow virt_qmf_t self:capability { sys_nice sys_tty_config };
+allow virt_qmf_t self:process { setsched signal };
+allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
+allow virt_qmf_t self:unix_stream_socket { accept listen };
+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
+allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
+
+can_exec(virt_qmf_t, virtd_exec_t)
+
+kernel_read_system_state(virt_qmf_t)
+kernel_read_network_state(virt_qmf_t)
+
+dev_read_sysfs(virt_qmf_t)
+dev_read_rand(virt_qmf_t)
+dev_read_urand(virt_qmf_t)
+
+domain_use_interactive_fds(virt_qmf_t)
+
+logging_send_syslog_msg(virt_qmf_t)
+
+miscfiles_read_localization(virt_qmf_t)
+
+sysnet_read_config(virt_qmf_t)
+
+optional_policy(`
+ dbus_read_lib_files(virt_qmf_t)
+')
+
+optional_policy(`
+ virt_stream_connect(virt_qmf_t)
+')
+
+########################################
+#
+# Bridgehelper local policy
+#
+
+allow virt_bridgehelper_t self:process { setcap getcap };
+allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
+allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+allow virt_bridgehelper_t self:tun_socket create_socket_perms;
+allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+
+kernel_read_network_state(virt_bridgehelper_t)
+
+corenet_rw_tun_tap_dev(virt_bridgehelper_t)
+
+userdom_search_user_home_dirs(virt_bridgehelper_t)
+userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+
+########################################
+#
+# Virtlockd local policy
+#
+
+allow virtlockd_t self:capability dac_override;
+allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
+allow virtlockd_t virt_image_type:dir list_dir_perms;
+allow virtlockd_t virt_image_type:file rw_file_perms;
+
+create_files_pattern(virtlockd_t, virt_log_t, virt_log_t)
+
+list_dirs_pattern(virtlockd_t, virt_var_lib_t, virt_var_lib_t)
+
+manage_dirs_pattern(virtlockd_t, { virt_var_lib_t virtlockd_var_lib_t }, virtlockd_var_lib_t)
+manage_files_pattern(virtlockd_t, virtlockd_var_lib_t, virtlockd_var_lib_t)
+filetrans_pattern(virtlockd_t, virt_var_lib_t, virtlockd_var_lib_t, dir)
+
+manage_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+manage_sock_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+filetrans_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t, sock_file)
+files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
+
+can_exec(virtlockd_t, virtlockd_exec_t)
+
+kernel_read_system_state(virtlockd_t)
+
+files_read_etc_files(virtlockd_t)
+files_list_var_lib(virtlockd_t)
+
+miscfiles_read_localization(virtlockd_t)
+
+virt_append_log(virtlockd_t)
+virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+kernel_read_system_state(virtlogd_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+sysnet_dns_name_resolve(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
new file mode 100644
index 000000000..303f5009e
--- /dev/null
+++ b/policy/modules/services/vnstatd.fc
@@ -0,0 +1,17 @@
+/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+
+/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
+
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+
+ifdef(`distro_gentoo',`
+# Fix bug 528602 - name is vnstatd in Gentoo
+/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+')
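Review bot: The `/run/vnstat.*` entry on the third line of this file uses an unescaped `.`, so it matches any character after `vnstat` rather than a literal dot, and because it carries no file-type field it also labels directories (and anything beneath them) as `vnstatd_pid_t`. That is a known refpolicy idiom when a daemon keeps both a pid file and a runtime directory under one prefix, so it may be intended; if only the pid file is meant, `/run/vnstat\.pid -- gen_context(system_u:object_r:vnstatd_pid_t,s0)` is the tighter spec. Note also that the matching `files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file)` in vnstatd.te only transitions files, so if vnstatd ever creates a directory under that prefix at runtime it would presumably not receive `vnstatd_pid_t` until a relabel; a one-line comment above the pattern such as `# unescaped dot is intentional: covers the pid file and any vnstat* runtime objects` would record the intent either way.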
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
new file mode 100644
index 000000000..ee614638f
--- /dev/null
+++ b/policy/modules/services/vnstatd.if
@@ -0,0 +1,189 @@
+## <summary>Console network traffic monitor.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+## Execute vnstat in the vnstat domain,
+## and allow the specified role
+## the vnstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_run_vnstat',`
+ gen_require(`
+ attribute_role vnstat_roles;
+ ')
+
+ vnstatd_domtrans_vnstat($1)
+ roleattribute $2 vnstat_roles;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+########################################
+## <summary>
+## Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vnstatd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an vnstatd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t, vnstatd_initrc_exec_t;
+ type vnstatd_pid_t, vnstatd_unit_t, vnstatd_var_lib_t;
+ ')
+
+ admin_process_pattern($1, vnstatd_t)
+
+ init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t, vnstatd_unit_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vnstatd_pid_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+
+ vnstatd_run_vnstat($1, $2)
+')
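Review bot: The summary block of `vnstatd_admin` reads "administrate an vnstatd environment"; the article is wrong and the line should be `## administrate a vnstatd environment.`. The interface body itself follows the usual admin shape (admin_process_pattern, init_startstop_service, admin_pattern over the pid and lib types, role grant via vnstatd_run_vnstat), so no rule change is needed. The five deprecated interfaces above it each keep a full body behind `refpolicywarn`, which matches refpolicy's deprecation convention; a short `## <desc>` note naming the replacement (for example `vnstatd_admin` for the lib-management ones) would help callers migrate, but that is documentation only.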
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
index 000000000..3aa1fee2f
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
@@ -0,0 +1,103 @@
+policy_module(vnstatd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vnstat_roles;
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+role vnstat_roles types vnstat_t;
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+type vnstatd_initrc_exec_t;
+init_script_file(vnstatd_initrc_exec_t)
+
+type vnstatd_pid_t;
+typealias vnstatd_pid_t alias vnstatd_var_run_t;
+files_pid_file(vnstatd_pid_t)
+
+type vnstatd_unit_t;
+init_unit_file(vnstatd_unit_t)
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+########################################
+#
+# Daemon local policy
+#
+
+allow vnstatd_t self:process signal;
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(vnstatd_t, vnstatd_pid_t, vnstatd_pid_t)
+files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file)
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+
+kernel_read_network_state(vnstatd_t)
+kernel_read_system_state(vnstatd_t)
+
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+files_search_var_lib(vnstatd_t)
+
+fs_getattr_xattr_fs(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# Client local policy
+#
+
+# dac_override : write /var/lib/vnstat/*
+allow vnstat_t self:capability dac_override;
+allow vnstat_t self:process signal;
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_dontaudit_search_home(vnstat_t)
+files_read_etc_files(vnstat_t)
+files_search_var_lib(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+userdom_dontaudit_search_user_home_dirs(vnstat_t)
+
+userdom_use_inherited_user_terminals(vnstat_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
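Review bot: `allow vnstat_t self:capability dac_override;` hands a DAC bypass to the interactive client domain (reachable through `vnstat_roles` and the `cron_system_entry` rule), and the comment above it says it exists only so the client can write `/var/lib/vnstat/*`; that is normally solved by group ownership and mode on that directory so the rule can be dropped, and if it cannot be, the comment should record why, e.g. `# dac_override: /var/lib/vnstat is owned by the daemon user and the client runs as other users - TODO confirm`. Separately, `dev_read_sysfs(vnstat_t)` inside the `distro_gentoo` block duplicates the unconditional call a few lines above it and can be removed.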
diff --git a/policy/modules/services/w3c.fc b/policy/modules/services/w3c.fc
new file mode 100644
index 000000000..463c799f4
--- /dev/null
+++ b/policy/modules/services/w3c.fc
@@ -0,0 +1,4 @@
+/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/policy/modules/services/w3c.if b/policy/modules/services/w3c.if
new file mode 100644
index 000000000..6a4204bc3
--- /dev/null
+++ b/policy/modules/services/w3c.if
@@ -0,0 +1 @@
+## <summary>W3C Markup Validator.</summary>
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
new file mode 100644
index 000000000..b14d6a948
--- /dev/null
+++ b/policy/modules/services/w3c.te
@@ -0,0 +1,34 @@
+policy_module(w3c, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(w3c_validator)
+
+########################################
+#
+# Local policy
+#
+
+corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
+
+corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+
+corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+
+corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
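Review bot: The connect rules for `httpd_w3c_validator_script_t` (http, http_cache and ftp ports on generic nodes) carry no comment, and since a markup validator presumably fetches URLs supplied by the requesting client, they let the CGI reach any host on those ports, including internal services; the policy cannot tell those apart, so that should be recorded, e.g. `# the validator fetches client-supplied URLs; these rules reach any host on the http/ftp ports, so restrict destinations in the application or network, not here`. If some deployments do not need ftp or proxy fetches, wrapping those two blocks in a tunable would let admins narrow the surface.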
diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc
new file mode 100644
index 000000000..1e4f11583
--- /dev/null
+++ b/policy/modules/services/watchdog.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+
+/usr/bin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if
new file mode 100644
index 000000000..b0fe9221e
--- /dev/null
+++ b/policy/modules/services/watchdog.if
@@ -0,0 +1,36 @@
+## <summary>Software watchdog.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an watchdog environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`watchdog_admin',`
+ gen_require(`
+ type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
+ type watchdog_var_run_t;
+ ')
+
+ allow $1 watchdog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, watchdog_t)
+
+ init_startstop_service($1, $2, watchdog_t, watchdog_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, watchdog_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, watchdog_var_run_t)
+')
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
new file mode 100644
index 000000000..d1e4ea8ce
--- /dev/null
+++ b/policy/modules/services/watchdog.te
@@ -0,0 +1,102 @@
+policy_module(watchdog, 1.13.0)
+
+#################################
+#
+# Declarations
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t, watchdog_exec_t)
+
+type watchdog_initrc_exec_t;
+init_script_file(watchdog_initrc_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
+allow watchdog_t self:rawip_socket create_socket_perms;
+allow watchdog_t self:tcp_socket { accept listen };
+
+allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+
+manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+
+kernel_read_network_state(watchdog_t)
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+corecmd_exec_shell(watchdog_t)
+
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_generic_node(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+
+corenet_sendrecv_all_client_packets(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t, file)
+files_read_all_pids(watchdog_t)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+auth_append_login_records(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_dns_name_resolve(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
+
+optional_policy(`
+ mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+ udev_read_db(watchdog_t)
+')
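Review bot: The capability line `allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource };`, together with `domain_kill_all_domains`, `corenet_tcp_connect_all_ports` and `corecmd_exec_shell`, makes this one of the most privileged domains in the set, yet none of the grants say which watchdog feature needs them, unlike the `# dac_override : ...` note in vnstatd.te. I would annotate each broad grant, e.g. `# sys_boot/sys_admin: reboot and unmount on failure; net_raw: ping test; exec_shell/connect_all_ports: repair and test scripts - TODO confirm against the watchdog.conf features in use`, so a later reviewer can tell which are still required. On its own, `corenet_tcp_connect_all_ports` in a domain that can signal and kill every other domain is hard to justify.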
diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc
new file mode 100644
index 000000000..849f93ccd
--- /dev/null
+++ b/policy/modules/services/wdmd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+
+/usr/bin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
+/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
new file mode 100644
index 000000000..53de648e8
--- /dev/null
+++ b/policy/modules/services/wdmd.if
@@ -0,0 +1,52 @@
+## <summary>Watchdog multiplexing daemon.</summary>
+
+########################################
+## <summary>
+## Connect to wdmd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_stream_connect',`
+ gen_require(`
+ type wdmd_t, wdmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an wdmd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`wdmd_admin',`
+ gen_require(`
+ type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
+ ')
+
+ allow $1 wdmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, wdmd_t)
+
+ init_startstop_service($1, $2, wdmd_t, wdmd_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, wdmd_var_run_t)
+')
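Review bot: `wdmd_admin` covers `wdmd_var_run_t` but not `wdmd_tmpfs_t`, which wdmd.te declares and lets the daemon manage under tmpfs, so an admin role cannot inspect or clean those objects; `zabbix_admin` in this same commit does include its tmpfs type. Add `type wdmd_tmpfs_t;` to the `gen_require` block and `fs_list_tmpfs($1)` followed by `admin_pattern($1, wdmd_tmpfs_t)` after the pid-file rules.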
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
index 000000000..b1a6a4825
--- /dev/null
+++ b/policy/modules/services/wdmd.te
@@ -0,0 +1,60 @@
+policy_module(wdmd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type wdmd_t;
+type wdmd_exec_t;
+init_daemon_domain(wdmd_t, wdmd_exec_t)
+
+type wdmd_initrc_exec_t;
+init_script_file(wdmd_initrc_exec_t)
+
+type wdmd_tmpfs_t;
+files_tmpfs_file(wdmd_tmpfs_t)
+
+type wdmd_var_run_t;
+files_pid_file(wdmd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow wdmd_t self:capability { chown ipc_lock sys_nice };
+allow wdmd_t self:process { setsched signal };
+allow wdmd_t self:fifo_file rw_fifo_file_perms;
+allow wdmd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
+
+manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
+manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
+fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file })
+
+kernel_read_system_state(wdmd_t)
+
+corecmd_exec_bin(wdmd_t)
+corecmd_exec_shell(wdmd_t)
+
+dev_read_watchdog(wdmd_t)
+dev_write_watchdog(wdmd_t)
+
+fs_read_anon_inodefs_files(wdmd_t)
+
+auth_use_nsswitch(wdmd_t)
+
+logging_send_syslog_msg(wdmd_t)
+
+miscfiles_read_localization(wdmd_t)
+
+optional_policy(`
+ corosync_initrc_domtrans(wdmd_t)
+ corosync_stream_connect(wdmd_t)
+ corosync_rw_tmpfs(wdmd_t)
+')
diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc
new file mode 100644
index 000000000..5702b94ad
--- /dev/null
+++ b/policy/modules/services/xfs.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/xfs -- gen_context(system_u:object_r:xfs_initrc_exec_t,s0)
+
+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/run/xfs.* -- gen_context(system_u:object_r:xfs_var_run_t,s0)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
new file mode 100644
index 000000000..1aafbbc1a
--- /dev/null
+++ b/policy/modules/services/xfs.if
@@ -0,0 +1,113 @@
+## <summary>X Windows Font Server.</summary>
+
+########################################
+## <summary>
+## Read xfs temporary sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_read_sockets',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
+')
+
+########################################
+## <summary>
+## Connect to xfs with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_stream_connect',`
+ gen_require(`
+ type xfs_tmp_t, xfs_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
+')
+
+########################################
+## <summary>
+## Execute xfs in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_exec',`
+ gen_require(`
+ type xfs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, xfs_exec_t)
+')
+
+########################################
+## <summary>
+## Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_create_tmp_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an xfs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xfs_admin',`
+ gen_require(`
+ type xfs_t, xfs_initrc_exec_t, xfs_var_run_t;
+ type xfs_tmp_t;
+ ')
+
+ allow $1 xfs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, xfs_t)
+
+ init_startstop_service($1, $2, xfs_t, xfs_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, xfs_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, xfs_tmp_t)
+')
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
new file mode 100644
index 000000000..1469f2fdf
--- /dev/null
+++ b/policy/modules/services/xfs.te
@@ -0,0 +1,86 @@
+policy_module(xfs, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t, xfs_exec_t)
+
+type xfs_initrc_exec_t;
+init_script_file(xfs_initrc_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { dac_override setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket { accept listen };
+allow xfs_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
+
+manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
+files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+
+can_exec(xfs_t, xfs_exec_t)
+
+kernel_read_kernel_sysctls(xfs_t)
+kernel_read_system_state(xfs_t)
+
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_generic_node(xfs_t)
+corenet_tcp_bind_generic_node(xfs_t)
+
+corenet_sendrecv_xfs_server_packets(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_tcp_sendrecv_xfs_port(xfs_t)
+
+corecmd_list_bin(xfs_t)
+
+dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+domain_use_interactive_fds(xfs_t)
+
+files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
+
+auth_use_nsswitch(xfs_t)
+
+init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`
+ udev_read_db(xfs_t)
+')
diff --git a/policy/modules/services/xprint.fc b/policy/modules/services/xprint.fc
new file mode 100644
index 000000000..6a857fff0
--- /dev/null
+++ b/policy/modules/services/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/policy/modules/services/xprint.if b/policy/modules/services/xprint.if
new file mode 100644
index 000000000..f684288e3
--- /dev/null
+++ b/policy/modules/services/xprint.if
@@ -0,0 +1 @@
+## <summary>A X11-based print system and API.</summary>
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
new file mode 100644
index 000000000..3c44d8493
--- /dev/null
+++ b/policy/modules/services/xprint.te
@@ -0,0 +1,82 @@
+policy_module(xprint, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type xprint_t;
+type xprint_exec_t;
+init_daemon_domain(xprint_t, xprint_exec_t)
+
+type xprint_var_run_t;
+files_pid_file(xprint_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit xprint_t self:capability sys_tty_config;
+allow xprint_t self:process signal_perms;
+allow xprint_t self:fifo_file rw_fifo_file_perms;
+allow xprint_t self:tcp_socket create_stream_socket_perms;
+allow xprint_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t)
+files_pid_filetrans(xprint_t, xprint_var_run_t, file)
+
+kernel_read_system_state(xprint_t)
+kernel_read_kernel_sysctls(xprint_t)
+
+corecmd_exec_bin(xprint_t)
+corecmd_exec_shell(xprint_t)
+
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
+corenet_tcp_sendrecv_generic_if(xprint_t)
+corenet_udp_sendrecv_generic_if(xprint_t)
+corenet_tcp_sendrecv_generic_node(xprint_t)
+corenet_udp_sendrecv_generic_node(xprint_t)
+corenet_tcp_sendrecv_all_ports(xprint_t)
+corenet_udp_sendrecv_all_ports(xprint_t)
+
+dev_read_sysfs(xprint_t)
+dev_read_urand(xprint_t)
+
+domain_use_interactive_fds(xprint_t)
+
+files_read_etc_files(xprint_t)
+files_read_etc_runtime_files(xprint_t)
+files_read_usr_files(xprint_t)
+files_search_var_lib(xprint_t)
+files_search_tmp(xprint_t)
+
+fs_getattr_all_fs(xprint_t)
+fs_search_auto_mountpoints(xprint_t)
+
+logging_send_syslog_msg(xprint_t)
+
+miscfiles_read_fonts(xprint_t)
+miscfiles_read_localization(xprint_t)
+
+sysnet_read_config(xprint_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
+
+optional_policy(`
+ cups_read_config(xprint_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(xprint_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xprint_t)
+')
+
+optional_policy(`
+ udev_read_db(xprint_t)
+')
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
new file mode 100644
index 000000000..076e85442
--- /dev/null
+++ b/policy/modules/services/zabbix.fc
@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
new file mode 100644
index 000000000..d71bce09d
--- /dev/null
+++ b/policy/modules/services/zabbix.if
@@ -0,0 +1,163 @@
+## <summary>Distributed infrastructure monitoring.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run zabbix.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zabbix_domtrans',`
+ gen_require(`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zabbix_exec_t, zabbix_t)
+')
+
+########################################
+## <summary>
+## Connect to zabbit on the TCP network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_sendrecv_zabbix_client_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+')
+
+########################################
+## <summary>
+## Read zabbix log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Append zabbix log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_append_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Read zabbix pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_read_pid_files',`
+ gen_require(`
+ type zabbix_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zabbix_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to zabbix agent on the TCP network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_agent_tcp_connect',`
+ gen_require(`
+ type zabbix_agent_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_agent_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_agent_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an zabbix environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+ type zabbix_tmpfs_t;
+ ')
+
+ allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { zabbix_t zabbix_agent_t })
+
+ init_startstop_service($1, $2, zabbix_t, zabbix_initrc_exec_t)
+ init_startstop_service($1, $2, zabbix_agent_t, zabbix_agent_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, zabbix_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zabbix_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, zabbix_tmp_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, zabbix_tmpfs_t)
+')
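Review bot: `zabbix_agent_tcp_connect` requires `zabbix_agent_t` but then calls `corenet_tcp_recvfrom_labeled($1, zabbix_t)`, so the peer-label rule is granted for the server domain instead of the agent the caller is connecting to, and under labeled networking the agent's replies would be denied; it should read `corenet_tcp_recvfrom_labeled($1, zabbix_agent_t)`. The mirror interface `zabbix_tcp_connect` is correct, though its summary has a typo, "zabbit". Separately, `zabbix_read_pid_files` grants only `read_file_perms` on the file plus `files_search_pids`, but zabbix.fc labels `/run/zabbix(/.*)?` as `zabbix_var_run_t`, so a caller would still be denied `search` on that directory; `read_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)` covers both.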
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
new file mode 100644
index 000000000..68b8d99ce
--- /dev/null
+++ b/policy/modules/services/zabbix.te
@@ -0,0 +1,197 @@
+policy_module(zabbix, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether zabbix can
+## connect to all TCP ports
+## </p>
+## </desc>
+gen_tunable(zabbix_can_network, false)
+
+type zabbix_t;
+type zabbix_exec_t;
+init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
+type zabbix_log_t;
+logging_log_file(zabbix_log_t)
+
+type zabbix_tmp_t;
+files_tmp_file(zabbix_tmp_t)
+
+type zabbix_tmpfs_t;
+files_tmpfs_file(zabbix_tmpfs_t)
+
+type zabbix_var_run_t;
+files_pid_file(zabbix_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zabbix_t self:capability { dac_override dac_read_search setgid setuid };
+allow zabbix_t self:process { setsched signal_perms };
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
+allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
+append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+
+manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
+
+rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+kernel_read_system_state(zabbix_t)
+kernel_read_kernel_sysctls(zabbix_t)
+
+corenet_all_recvfrom_unlabeled(zabbix_t)
+corenet_all_recvfrom_netlabel(zabbix_t)
+corenet_tcp_sendrecv_generic_if(zabbix_t)
+corenet_tcp_sendrecv_generic_node(zabbix_t)
+corenet_tcp_bind_generic_node(zabbix_t)
+
+corenet_sendrecv_ftp_client_packets(zabbix_t)
+corenet_tcp_connect_ftp_port(zabbix_t)
+corenet_tcp_sendrecv_ftp_port(zabbix_t)
+
+corenet_sendrecv_http_client_packets(zabbix_t)
+corenet_tcp_connect_http_port(zabbix_t)
+corenet_tcp_sendrecv_http_port(zabbix_t)
+
+corenet_sendrecv_zabbix_server_packets(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+
+corecmd_exec_bin(zabbix_t)
+corecmd_exec_shell(zabbix_t)
+
+dev_read_urand(zabbix_t)
+
+files_read_usr_files(zabbix_t)
+
+auth_use_nsswitch(zabbix_t)
+
+miscfiles_read_localization(zabbix_t)
+
+zabbix_agent_tcp_connect(zabbix_t)
+
+tunable_policy(`zabbix_can_network',`
+ corenet_sendrecv_all_client_packets(zabbix_t)
+ corenet_tcp_connect_all_ports(zabbix_t)
+ corenet_tcp_sendrecv_all_ports(zabbix_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(zabbix_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zabbix_t)
+ mysql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+ postgresql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(zabbix_t)
+')
+
+########################################
+#
+# Agent local policy
+#
+
+allow zabbix_agent_t self:capability { setgid setuid };
+allow zabbix_agent_t self:process { setsched getsched signal setrlimit };
+allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+allow zabbix_agent_t self:tcp_socket { accept listen };
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+
+append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
+
+corenet_all_recvfrom_unlabeled(zabbix_agent_t)
+corenet_all_recvfrom_netlabel(zabbix_agent_t)
+corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
+corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+
+corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_sendrecv_zabbix_agent_port(zabbix_agent_t)
+
+corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t)
+corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
+
+corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+
+domain_read_all_domains_state(zabbix_agent_t)
+
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+
+fs_getattr_all_fs(zabbix_agent_t)
+
+init_read_utmp(zabbix_agent_t)
+
+logging_search_logs(zabbix_agent_t)
+
+miscfiles_read_localization(zabbix_agent_t)
+
+sysnet_dns_name_resolve(zabbix_agent_t)
+
+zabbix_tcp_connect(zabbix_agent_t)
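Review bot: `filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)` in the agent block declares a type transition from a `zabbix_log_t` directory to `zabbix_log_t`, which inheritance already yields, so the transition part does nothing; the server block uses `logging_log_filetrans(zabbix_t, zabbix_log_t, file)` for the same purpose, which also labels a log created directly under `/var/log` correctly. Replace the line with `logging_log_filetrans(zabbix_agent_t, zabbix_log_t, file)`. The server's `dac_override dac_read_search` capabilities are likewise uncommented; a one-line note on what in zabbix_server needs them would help the next reviewer decide whether they can go.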
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
index 000000000..72c6f4594
--- /dev/null
+++ b/policy/modules/services/zarafa.fc
@@ -0,0 +1,33 @@
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
+
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
+/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
+/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
index 000000000..37a7434e6
--- /dev/null
+++ b/policy/modules/services/zarafa.if
@@ -0,0 +1,171 @@
+## <summary>Zarafa collaboration platform.</summary>
+
+#######################################
+## <summary>
+## The template to define a zarafa domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`zarafa_domain_template',`
+ gen_require(`
+ attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type zarafa_$1_t, zarafa_domain;
+ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+ type zarafa_$1_log_t, zarafa_logfile;
+ logging_log_file(zarafa_$1_log_t)
+
+ type zarafa_$1_var_run_t, zarafa_pidfile;
+ files_pid_file(zarafa_$1_var_run_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
+ append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file)
+
+ auth_use_nsswitch(zarafa_$1_t)
+')
+
+######################################
+## <summary>
+## search zarafa configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_search_config',`
+ gen_require(`
+ type zarafa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa deliver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_deliver',`
+ gen_require(`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
+#######################################
+## <summary>
+## Connect to zarafa server with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_stream_connect_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an zarafa environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zarafa_admin',`
+ gen_require(`
+ attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
+ type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t;
+ type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t;
+ type zarafa_var_lib_t;
+ ')
+
+ allow $1 zarafa_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, zarafa_domain)
+
+ init_startstop_service($1, $2, zarafa_t, zarafa_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, zarafa_etc_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, zarafa_logfile)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { zarafa_var_lib_t zarafa_share_t })
+
+ files_search_pids($1)
+ admin_pattern($1, zarafa_pidfile)
+')
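Review bot: `init_startstop_service($1, $2, zarafa_t, zarafa_initrc_exec_t)` in `zarafa_admin` names `zarafa_t`, a type that zarafa.te in this commit never declares (its daemons are `zarafa_deliver_t`, `zarafa_server_t`, etc., created through `zarafa_domain_template`) and that the interface's `gen_require` does not list, so a policy that calls `zarafa_admin` presumably fails to build on an undeclared identifier. The attribute already required here, `zarafa_domain`, covers every zarafa daemon, so the line should read `init_startstop_service($1, $2, zarafa_domain, zarafa_initrc_exec_t)`. In the same file, `zarafa_stream_connect_server` grants `files_search_var_lib($1)` although zarafa.fc labels the server socket under `/run`, so a caller likely needs `files_search_pids($1)` to reach it. Both points are inherited from the moved file rather than introduced by this commit.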
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
index 000000000..506952fba
--- /dev/null
+++ b/policy/modules/services/zarafa.te
@@ -0,0 +1,178 @@
+policy_module(zarafa, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute zarafa_domain;
+attribute zarafa_logfile;
+attribute zarafa_pidfile;
+
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
+type zarafa_initrc_exec_t;
+init_script_file(zarafa_initrc_exec_t)
+
+zarafa_domain_template(gateway)
+zarafa_domain_template(ical)
+zarafa_domain_template(indexer)
+
+type zarafa_indexer_tmp_t;
+files_tmp_file(zarafa_indexer_tmp_t)
+
+zarafa_domain_template(monitor)
+zarafa_domain_template(server)
+
+type zarafa_server_tmp_t;
+files_tmp_file(zarafa_server_tmp_t)
+
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
+zarafa_domain_template(spooler)
+
+type zarafa_var_lib_t;
+files_tmp_file(zarafa_var_lib_t)
+
+########################################
+#
+# Deliver local policy
+#
+
+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+########################################
+#
+# Gateway local policy
+#
+
+corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+corenet_all_recvfrom_netlabel(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_bind_generic_node(zarafa_gateway_t)
+
+corenet_sendrecv_pop_server_packets(zarafa_gateway_t)
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# Ical local policy
+#
+
+corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+corenet_all_recvfrom_netlabel(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_bind_generic_node(zarafa_ical_t)
+
+corenet_sendrecv_http_cache_client_packets(zarafa_ical_t)
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# Indexer local policy
+#
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
+########################################
+#
+# Server local policy
+#
+
+manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
+
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_server_t)
+corenet_all_recvfrom_netlabel(zarafa_server_t)
+corenet_tcp_sendrecv_generic_if(zarafa_server_t)
+corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_bind_generic_node(zarafa_server_t)
+
+corenet_sendrecv_zarafa_server_packets(zarafa_server_t)
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
+
+logging_send_audit_msgs(zarafa_server_t)
+
+optional_policy(`
+ kerberos_use(zarafa_server_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zarafa_server_t)
+ mysql_tcp_connect(zarafa_server_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zarafa_server_t)
+ postgresql_tcp_connect(zarafa_server_t)
+')
+
+########################################
+#
+# Spooler local policy
+#
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
+corenet_all_recvfrom_netlabel(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+
+corenet_sendrecv_smtp_client_packets(zarafa_spooler_t)
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
+
+########################################
+#
+# Zarafa domain local policy
+#
+
+allow zarafa_domain self:capability { chown dac_override kill setgid setuid };
+allow zarafa_domain self:process { setrlimit signal };
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket { accept listen };
+allow zarafa_domain self:unix_stream_socket { accept listen };
+
+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+
+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+kernel_read_system_state(zarafa_domain)
+
+dev_read_rand(zarafa_domain)
+dev_read_urand(zarafa_domain)
+
+logging_send_syslog_msg(zarafa_domain)
+
+miscfiles_read_localization(zarafa_domain)
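Review bot: `files_tmp_file(zarafa_var_lib_t)` at the end of the declarations registers the `/var/lib/zarafa*` state type as a temporary-file type, while zarafa.fc labels it under `/var/lib` and `zarafa_admin` reaches it via `files_search_var_lib`; the declaration should presumably be `files_type(zarafa_var_lib_t)`, as is done for `zarafa_share_t` a few lines above, so the persistent data directory is not matched by rules aimed at tmp content. Separately, `stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)` gives every zarafa daemon, the server included, connect access to the server socket; if that is intended, a comment such as `# every zarafa component talks to zarafa-server over its unix socket` would make the breadth deliberate rather than incidental. Inherited from the moved file.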
diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc
new file mode 100644
index 000000000..3ded81f8e
--- /dev/null
+++ b/policy/modules/services/zebra.fc
@@ -0,0 +1,26 @@
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
+/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/bin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+
+/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
new file mode 100644
index 000000000..21da77a4b
--- /dev/null
+++ b/policy/modules/services/zebra.if
@@ -0,0 +1,85 @@
+## <summary>Zebra border gateway protocol network routing service.</summary>
+
+########################################
+## <summary>
+## Read zebra configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_read_config',`
+ gen_require(`
+ type zebra_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ allow $1 zebra_conf_t:file read_file_perms;
+ allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to zebra with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zebra_stream_connect',`
+ gen_require(`
+ type zebra_t, zebra_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an zebra environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+ type zebra_conf_t, zebra_var_run_t;
+ type zebra_initrc_exec_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zebra_t)
+
+ init_startstop_service($1, $2, zebra_t, zebra_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, zebra_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, zebra_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, zebra_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zebra_var_run_t)
+')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
new file mode 100644
index 000000000..19bc99432
--- /dev/null
+++ b/policy/modules/services/zebra.te
@@ -0,0 +1,141 @@
+policy_module(zebra, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether zebra daemon can
+## manage its configuration files.
+## </p>
+## </desc>
+gen_tunable(allow_zebra_write_config, false)
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t, zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { net_admin net_raw setgid setuid };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:fifo_file rw_fifo_file_perms;
+allow zebra_t self:unix_stream_socket { accept connectto listen };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+allow zebra_t zebra_conf_t:file read_file_perms;
+allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
+
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
+append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
+corenet_tcp_sendrecv_generic_if(zebra_t)
+corenet_udp_sendrecv_generic_if(zebra_t)
+corenet_raw_sendrecv_generic_if(zebra_t)
+corenet_tcp_sendrecv_generic_node(zebra_t)
+corenet_udp_sendrecv_generic_node(zebra_t)
+corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_bind_generic_node(zebra_t)
+corenet_udp_bind_generic_node(zebra_t)
+
+corenet_sendrecv_bgp_server_packets(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
+corenet_sendrecv_bgp_client_packets(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
+corenet_tcp_sendrecv_bgp_port(zebra_t)
+
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_tcp_sendrecv_zebra_port(zebra_t)
+
+corenet_sendrecv_router_server_packets(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_udp_sendrecv_router_port(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+tunable_policy(`allow_zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+ rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+ udev_read_db(zebra_t)
+')
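Review bot: `dev_associate_usbfs(zebra_var_run_t)` sits in the run of `dev_*` rules for `zebra_t` but takes the pid-file type rather than the domain; it presumably lets `zebra_var_run_t` objects be associated with a usbfs filesystem, which is an unusual need for a routing daemon's `/run` files and reads like a leftover. If it is intentional, the line needs a comment stating the reason, e.g. `# zebra_var_run_t must be allowed on usbfs because <reason>`; otherwise it should be dropped. Inherited from the moved file rather than introduced here.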
diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc
new file mode 100644
index 000000000..ca923534a
--- /dev/null
+++ b/policy/modules/services/zosremote.fc
@@ -0,0 +1,3 @@
+/usr/bin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+
+/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
new file mode 100644
index 000000000..b14698c4f
--- /dev/null
+++ b/policy/modules/services/zosremote.if
@@ -0,0 +1,46 @@
+## <summary>z/OS Remote-services Audit dispatcher plugin.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, zos_remote_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+## Execute zos remote in the zos remote
+## domain, and allow the specified role
+## the zos remote domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`zosremote_run',`
+ gen_require(`
+ attribute_role zos_remote_roles;
+ ')
+
+ zosremote_domtrans($1)
+ roleattribute $2 zos_remote_roles;
+')
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
new file mode 100644
index 000000000..b4e611065
--- /dev/null
+++ b/policy/modules/services/zosremote.te
@@ -0,0 +1,29 @@
+policy_module(zosremote, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role zos_remote_roles;
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+role zos_remote_roles types zos_remote_t;
+
+########################################
+#
+# Local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket { accept listen };
+
+auth_use_nsswitch(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
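Review bot: `allow zos_remote_t self:fifo_file rw_file_perms;` applies the generic file permission set to the `fifo_file` class, whereas the other modules in this commit (zarafa.te, zebra.te) use the class-specific macro; for consistency and so the set tracks the fifo class definition, the line should read `allow zos_remote_t self:fifo_file rw_fifo_file_perms;`. Inherited from the moved file rather than introduced here.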