Diffstat (limited to 'policy/modules/contrib')
-rw-r--r--policy/modules/contrib/abrt.fc20
-rw-r--r--policy/modules/contrib/abrt.if303
-rw-r--r--policy/modules/contrib/abrt.te227
-rw-r--r--policy/modules/contrib/accountsd.fc3
-rw-r--r--policy/modules/contrib/accountsd.if145
-rw-r--r--policy/modules/contrib/accountsd.te57
-rw-r--r--policy/modules/contrib/acct.fc9
-rw-r--r--policy/modules/contrib/acct.if80
-rw-r--r--policy/modules/contrib/acct.te89
-rw-r--r--policy/modules/contrib/ada.fc7
-rw-r--r--policy/modules/contrib/ada.if45
-rw-r--r--policy/modules/contrib/ada.te24
-rw-r--r--policy/modules/contrib/afs.fc32
-rw-r--r--policy/modules/contrib/afs.if109
-rw-r--r--policy/modules/contrib/afs.te355
-rw-r--r--policy/modules/contrib/aiccu.fc6
-rw-r--r--policy/modules/contrib/aiccu.if95
-rw-r--r--policy/modules/contrib/aiccu.te76
-rw-r--r--policy/modules/contrib/aide.fc6
-rw-r--r--policy/modules/contrib/aide.if71
-rw-r--r--policy/modules/contrib/aide.te42
-rw-r--r--policy/modules/contrib/aisexec.fc9
-rw-r--r--policy/modules/contrib/aisexec.if106
-rw-r--r--policy/modules/contrib/aisexec.te102
-rw-r--r--policy/modules/contrib/alsa.fc20
-rw-r--r--policy/modules/contrib/alsa.if208
-rw-r--r--policy/modules/contrib/alsa.te84
-rw-r--r--policy/modules/contrib/amanda.fc26
-rw-r--r--policy/modules/contrib/amanda.if161
-rw-r--r--policy/modules/contrib/amanda.te211
-rw-r--r--policy/modules/contrib/amavis.fc18
-rw-r--r--policy/modules/contrib/amavis.if261
-rw-r--r--policy/modules/contrib/amavis.te194
-rw-r--r--policy/modules/contrib/amtu.fc1
-rw-r--r--policy/modules/contrib/amtu.if46
-rw-r--r--policy/modules/contrib/amtu.te34
-rw-r--r--policy/modules/contrib/anaconda.fc1
-rw-r--r--policy/modules/contrib/anaconda.if1
-rw-r--r--policy/modules/contrib/anaconda.te59
-rw-r--r--policy/modules/contrib/apache.fc111
-rw-r--r--policy/modules/contrib/apache.if1324
-rw-r--r--policy/modules/contrib/apache.te915
-rw-r--r--policy/modules/contrib/apcupsd.fc15
-rw-r--r--policy/modules/contrib/apcupsd.if168
-rw-r--r--policy/modules/contrib/apcupsd.te127
-rw-r--r--policy/modules/contrib/apm.fc23
-rw-r--r--policy/modules/contrib/apm.if113
-rw-r--r--policy/modules/contrib/apm.te232
-rw-r--r--policy/modules/contrib/apt.fc21
-rw-r--r--policy/modules/contrib/apt.if225
-rw-r--r--policy/modules/contrib/apt.te162
-rw-r--r--policy/modules/contrib/arpwatch.fc12
-rw-r--r--policy/modules/contrib/arpwatch.if156
-rw-r--r--policy/modules/contrib/arpwatch.te98
-rw-r--r--policy/modules/contrib/asterisk.fc9
-rw-r--r--policy/modules/contrib/asterisk.if135
-rw-r--r--policy/modules/contrib/asterisk.te172
-rw-r--r--policy/modules/contrib/authbind.fc3
-rw-r--r--policy/modules/contrib/authbind.if20
-rw-r--r--policy/modules/contrib/authbind.te31
-rw-r--r--policy/modules/contrib/automount.fc16
-rw-r--r--policy/modules/contrib/automount.if168
-rw-r--r--policy/modules/contrib/automount.te182
-rw-r--r--policy/modules/contrib/avahi.fc9
-rw-r--r--policy/modules/contrib/avahi.if166
-rw-r--r--policy/modules/contrib/avahi.te112
-rw-r--r--policy/modules/contrib/awstats.fc5
-rw-r--r--policy/modules/contrib/awstats.if42
-rw-r--r--policy/modules/contrib/awstats.te85
-rw-r--r--policy/modules/contrib/backup.fc13
-rw-r--r--policy/modules/contrib/backup.if45
-rw-r--r--policy/modules/contrib/backup.te85
-rw-r--r--policy/modules/contrib/bacula.fc20
-rw-r--r--policy/modules/contrib/bacula.if45
-rw-r--r--policy/modules/contrib/bacula.te122
-rw-r--r--policy/modules/contrib/bind.fc63
-rw-r--r--policy/modules/contrib/bind.if399
-rw-r--r--policy/modules/contrib/bind.te260
-rw-r--r--policy/modules/contrib/bitlbee.fc6
-rw-r--r--policy/modules/contrib/bitlbee.if59
-rw-r--r--policy/modules/contrib/bitlbee.te94
-rw-r--r--policy/modules/contrib/bluetooth.fc30
-rw-r--r--policy/modules/contrib/bluetooth.if228
-rw-r--r--policy/modules/contrib/bluetooth.te241
-rw-r--r--policy/modules/contrib/brctl.fc1
-rw-r--r--policy/modules/contrib/brctl.if20
-rw-r--r--policy/modules/contrib/brctl.te44
-rw-r--r--policy/modules/contrib/bugzilla.fc4
-rw-r--r--policy/modules/contrib/bugzilla.if77
-rw-r--r--policy/modules/contrib/bugzilla.te50
-rw-r--r--policy/modules/contrib/calamaris.fc10
-rw-r--r--policy/modules/contrib/calamaris.if21
-rw-r--r--policy/modules/contrib/calamaris.te83
-rw-r--r--policy/modules/contrib/canna.fc23
-rw-r--r--policy/modules/contrib/canna.if61
-rw-r--r--policy/modules/contrib/canna.te93
-rw-r--r--policy/modules/contrib/ccs.fc6
-rw-r--r--policy/modules/contrib/ccs.if75
-rw-r--r--policy/modules/contrib/ccs.te122
-rw-r--r--policy/modules/contrib/cdrecord.fc6
-rw-r--r--policy/modules/contrib/cdrecord.if33
-rw-r--r--policy/modules/contrib/cdrecord.te119
-rw-r--r--policy/modules/contrib/certmaster.fc8
-rw-r--r--policy/modules/contrib/certmaster.if145
-rw-r--r--policy/modules/contrib/certmaster.te71
-rw-r--r--policy/modules/contrib/certmonger.fc6
-rw-r--r--policy/modules/contrib/certmonger.if174
-rw-r--r--policy/modules/contrib/certmonger.te72
-rw-r--r--policy/modules/contrib/certwatch.fc1
-rw-r--r--policy/modules/contrib/certwatch.if78
-rw-r--r--policy/modules/contrib/certwatch.te53
-rw-r--r--policy/modules/contrib/cgroup.fc15
-rw-r--r--policy/modules/contrib/cgroup.if199
-rw-r--r--policy/modules/contrib/cgroup.te109
-rw-r--r--policy/modules/contrib/chronyd.fc9
-rw-r--r--policy/modules/contrib/chronyd.if105
-rw-r--r--policy/modules/contrib/chronyd.te68
-rw-r--r--policy/modules/contrib/cipe.fc4
-rw-r--r--policy/modules/contrib/cipe.if1
-rw-r--r--policy/modules/contrib/cipe.te72
-rw-r--r--policy/modules/contrib/clamav.fc20
-rw-r--r--policy/modules/contrib/clamav.if192
-rw-r--r--policy/modules/contrib/clamav.te275
-rw-r--r--policy/modules/contrib/clockspeed.fc14
-rw-r--r--policy/modules/contrib/clockspeed.if44
-rw-r--r--policy/modules/contrib/clockspeed.te72
-rw-r--r--policy/modules/contrib/clogd.fc3
-rw-r--r--policy/modules/contrib/clogd.if79
-rw-r--r--policy/modules/contrib/clogd.te54
-rw-r--r--policy/modules/contrib/cmirrord.fc5
-rw-r--r--policy/modules/contrib/cmirrord.if113
-rw-r--r--policy/modules/contrib/cmirrord.te58
-rw-r--r--policy/modules/contrib/cobbler.fc7
-rw-r--r--policy/modules/contrib/cobbler.if185
-rw-r--r--policy/modules/contrib/cobbler.te128
-rw-r--r--policy/modules/contrib/colord.fc4
-rw-r--r--policy/modules/contrib/colord.if59
-rw-r--r--policy/modules/contrib/colord.te100
-rw-r--r--policy/modules/contrib/comsat.fc2
-rw-r--r--policy/modules/contrib/comsat.if1
-rw-r--r--policy/modules/contrib/comsat.te74
-rw-r--r--policy/modules/contrib/consolekit.fc7
-rw-r--r--policy/modules/contrib/consolekit.if98
-rw-r--r--policy/modules/contrib/consolekit.te131
-rw-r--r--policy/modules/contrib/corosync.fc12
-rw-r--r--policy/modules/contrib/corosync.if106
-rw-r--r--policy/modules/contrib/corosync.te103
-rw-r--r--policy/modules/contrib/courier.fc33
-rw-r--r--policy/modules/contrib/courier.if255
-rw-r--r--policy/modules/contrib/courier.te161
-rw-r--r--policy/modules/contrib/cpucontrol.fc10
-rw-r--r--policy/modules/contrib/cpucontrol.if17
-rw-r--r--policy/modules/contrib/cpucontrol.te122
-rw-r--r--policy/modules/contrib/cpufreqselector.fc1
-rw-r--r--policy/modules/contrib/cpufreqselector.if22
-rw-r--r--policy/modules/contrib/cpufreqselector.te55
-rw-r--r--policy/modules/contrib/cron.fc56
-rw-r--r--policy/modules/contrib/cron.if632
-rw-r--r--policy/modules/contrib/cron.te631
-rw-r--r--policy/modules/contrib/cups.fc73
-rw-r--r--policy/modules/contrib/cups.if358
-rw-r--r--policy/modules/contrib/cups.te781
-rw-r--r--policy/modules/contrib/cvs.fc10
-rw-r--r--policy/modules/contrib/cvs.if82
-rw-r--r--policy/modules/contrib/cvs.te115
-rw-r--r--policy/modules/contrib/cyphesis.fc5
-rw-r--r--policy/modules/contrib/cyphesis.if19
-rw-r--r--policy/modules/contrib/cyphesis.te85
-rw-r--r--policy/modules/contrib/cyrus.fc7
-rw-r--r--policy/modules/contrib/cyrus.if81
-rw-r--r--policy/modules/contrib/cyrus.te145
-rw-r--r--policy/modules/contrib/daemontools.fc53
-rw-r--r--policy/modules/contrib/daemontools.if212
-rw-r--r--policy/modules/contrib/daemontools.te118
-rw-r--r--policy/modules/contrib/dante.fc6
-rw-r--r--policy/modules/contrib/dante.if1
-rw-r--r--policy/modules/contrib/dante.te78
-rw-r--r--policy/modules/contrib/dbadm.fc1
-rw-r--r--policy/modules/contrib/dbadm.if50
-rw-r--r--policy/modules/contrib/dbadm.te60
-rw-r--r--policy/modules/contrib/dbskk.fc2
-rw-r--r--policy/modules/contrib/dbskk.if1
-rw-r--r--policy/modules/contrib/dbskk.te69
-rw-r--r--policy/modules/contrib/dbus.fc26
-rw-r--r--policy/modules/contrib/dbus.if507
-rw-r--r--policy/modules/contrib/dbus.te161
-rw-r--r--policy/modules/contrib/dcc.fc30
-rw-r--r--policy/modules/contrib/dcc.if173
-rw-r--r--policy/modules/contrib/dcc.te404
-rw-r--r--policy/modules/contrib/ddclient.fc12
-rw-r--r--policy/modules/contrib/ddclient.if93
-rw-r--r--policy/modules/contrib/ddclient.te108
-rw-r--r--policy/modules/contrib/ddcprobe.fc4
-rw-r--r--policy/modules/contrib/ddcprobe.if45
-rw-r--r--policy/modules/contrib/ddcprobe.te51
-rw-r--r--policy/modules/contrib/denyhosts.fc7
-rw-r--r--policy/modules/contrib/denyhosts.if85
-rw-r--r--policy/modules/contrib/denyhosts.te72
-rw-r--r--policy/modules/contrib/devicekit.fc20
-rw-r--r--policy/modules/contrib/devicekit.if185
-rw-r--r--policy/modules/contrib/devicekit.te284
-rw-r--r--policy/modules/contrib/dhcp.fc8
-rw-r--r--policy/modules/contrib/dhcp.if99
-rw-r--r--policy/modules/contrib/dhcp.te135
-rw-r--r--policy/modules/contrib/dictd.fc9
-rw-r--r--policy/modules/contrib/dictd.if57
-rw-r--r--policy/modules/contrib/dictd.te98
-rw-r--r--policy/modules/contrib/distcc.fc2
-rw-r--r--policy/modules/contrib/distcc.if1
-rw-r--r--policy/modules/contrib/distcc.te93
-rw-r--r--policy/modules/contrib/djbdns.fc9
-rw-r--r--policy/modules/contrib/djbdns.if90
-rw-r--r--policy/modules/contrib/djbdns.te49
-rw-r--r--policy/modules/contrib/dkim.fc14
-rw-r--r--policy/modules/contrib/dkim.if1
-rw-r--r--policy/modules/contrib/dkim.te33
-rw-r--r--policy/modules/contrib/dmidecode.fc4
-rw-r--r--policy/modules/contrib/dmidecode.if50
-rw-r--r--policy/modules/contrib/dmidecode.te30
-rw-r--r--policy/modules/contrib/dnsmasq.fc12
-rw-r--r--policy/modules/contrib/dnsmasq.if211
-rw-r--r--policy/modules/contrib/dnsmasq.te117
-rw-r--r--policy/modules/contrib/dovecot.fc46
-rw-r--r--policy/modules/contrib/dovecot.if130
-rw-r--r--policy/modules/contrib/dovecot.te306
-rw-r--r--policy/modules/contrib/dpkg.fc12
-rw-r--r--policy/modules/contrib/dpkg.if224
-rw-r--r--policy/modules/contrib/dpkg.te341
-rw-r--r--policy/modules/contrib/dracut.fc4
-rw-r--r--policy/modules/contrib/dracut.if69
-rw-r--r--policy/modules/contrib/dracut.te74
-rw-r--r--policy/modules/contrib/entropyd.fc8
-rw-r--r--policy/modules/contrib/entropyd.if1
-rw-r--r--policy/modules/contrib/entropyd.te80
-rw-r--r--policy/modules/contrib/evolution.fc21
-rw-r--r--policy/modules/contrib/evolution.if153
-rw-r--r--policy/modules/contrib/evolution.te604
-rw-r--r--policy/modules/contrib/exim.fc8
-rw-r--r--policy/modules/contrib/exim.if196
-rw-r--r--policy/modules/contrib/exim.te203
-rw-r--r--policy/modules/contrib/fail2ban.fc8
-rw-r--r--policy/modules/contrib/fail2ban.if175
-rw-r--r--policy/modules/contrib/fail2ban.te102
-rw-r--r--policy/modules/contrib/fetchmail.fc19
-rw-r--r--policy/modules/contrib/fetchmail.if30
-rw-r--r--policy/modules/contrib/fetchmail.te104
-rw-r--r--policy/modules/contrib/finger.fc19
-rw-r--r--policy/modules/contrib/finger.if33
-rw-r--r--policy/modules/contrib/finger.te121
-rw-r--r--policy/modules/contrib/firstboot.fc3
-rw-r--r--policy/modules/contrib/firstboot.if157
-rw-r--r--policy/modules/contrib/firstboot.te135
-rw-r--r--policy/modules/contrib/fprintd.fc2
-rw-r--r--policy/modules/contrib/fprintd.if41
-rw-r--r--policy/modules/contrib/fprintd.te57
-rw-r--r--policy/modules/contrib/ftp.fc31
-rw-r--r--policy/modules/contrib/ftp.if206
-rw-r--r--policy/modules/contrib/ftp.te412
-rw-r--r--policy/modules/contrib/games.fc66
-rw-r--r--policy/modules/contrib/games.if51
-rw-r--r--policy/modules/contrib/games.te178
-rw-r--r--policy/modules/contrib/gatekeeper.fc8
-rw-r--r--policy/modules/contrib/gatekeeper.if1
-rw-r--r--policy/modules/contrib/gatekeeper.te99
-rw-r--r--policy/modules/contrib/gift.fc6
-rw-r--r--policy/modules/contrib/gift.if42
-rw-r--r--policy/modules/contrib/gift.te144
-rw-r--r--policy/modules/contrib/git.fc11
-rw-r--r--policy/modules/contrib/git.if50
-rw-r--r--policy/modules/contrib/git.te226
-rw-r--r--policy/modules/contrib/gitosis.fc9
-rw-r--r--policy/modules/contrib/gitosis.if86
-rw-r--r--policy/modules/contrib/gitosis.te41
-rw-r--r--policy/modules/contrib/glance.fc12
-rw-r--r--policy/modules/contrib/glance.if261
-rw-r--r--policy/modules/contrib/glance.te104
-rw-r--r--policy/modules/contrib/gnome.fc9
-rw-r--r--policy/modules/contrib/gnome.if190
-rw-r--r--policy/modules/contrib/gnome.te75
-rw-r--r--policy/modules/contrib/gnomeclock.fc2
-rw-r--r--policy/modules/contrib/gnomeclock.if65
-rw-r--r--policy/modules/contrib/gnomeclock.te46
-rw-r--r--policy/modules/contrib/gorg.fc3
-rw-r--r--policy/modules/contrib/gorg.if34
-rw-r--r--policy/modules/contrib/gorg.te63
-rw-r--r--policy/modules/contrib/gpg.fc11
-rw-r--r--policy/modules/contrib/gpg.if181
-rw-r--r--policy/modules/contrib/gpg.te358
-rw-r--r--policy/modules/contrib/gpm.fc7
-rw-r--r--policy/modules/contrib/gpm.if81
-rw-r--r--policy/modules/contrib/gpm.te79
-rw-r--r--policy/modules/contrib/gpsd.fc6
-rw-r--r--policy/modules/contrib/gpsd.if66
-rw-r--r--policy/modules/contrib/gpsd.te64
-rw-r--r--policy/modules/contrib/guest.fc1
-rw-r--r--policy/modules/contrib/guest.if50
-rw-r--r--policy/modules/contrib/guest.te17
-rw-r--r--policy/modules/contrib/hadoop.fc59
-rw-r--r--policy/modules/contrib/hadoop.if534
-rw-r--r--policy/modules/contrib/hadoop.te435
-rw-r--r--policy/modules/contrib/hal.fc33
-rw-r--r--policy/modules/contrib/hal.if433
-rw-r--r--policy/modules/contrib/hal.te531
-rw-r--r--policy/modules/contrib/hddtemp.fc5
-rw-r--r--policy/modules/contrib/hddtemp.if77
-rw-r--r--policy/modules/contrib/hddtemp.te49
-rw-r--r--policy/modules/contrib/howl.fc5
-rw-r--r--policy/modules/contrib/howl.if19
-rw-r--r--policy/modules/contrib/howl.te80
-rw-r--r--policy/modules/contrib/i18n_input.fc19
-rw-r--r--policy/modules/contrib/i18n_input.if15
-rw-r--r--policy/modules/contrib/i18n_input.te102
-rw-r--r--policy/modules/contrib/icecast.fc7
-rw-r--r--policy/modules/contrib/icecast.if188
-rw-r--r--policy/modules/contrib/icecast.te61
-rw-r--r--policy/modules/contrib/ifplugd.fc7
-rw-r--r--policy/modules/contrib/ifplugd.if133
-rw-r--r--policy/modules/contrib/ifplugd.te76
-rw-r--r--policy/modules/contrib/imaze.fc4
-rw-r--r--policy/modules/contrib/imaze.if1
-rw-r--r--policy/modules/contrib/imaze.te99
-rw-r--r--policy/modules/contrib/inetd.fc12
-rw-r--r--policy/modules/contrib/inetd.if205
-rw-r--r--policy/modules/contrib/inetd.te243
-rw-r--r--policy/modules/contrib/inn.fc67
-rw-r--r--policy/modules/contrib/inn.if224
-rw-r--r--policy/modules/contrib/inn.te129
-rw-r--r--policy/modules/contrib/irc.fc11
-rw-r--r--policy/modules/contrib/irc.if31
-rw-r--r--policy/modules/contrib/irc.te102
-rw-r--r--policy/modules/contrib/ircd.fc7
-rw-r--r--policy/modules/contrib/ircd.if1
-rw-r--r--policy/modules/contrib/ircd.te93
-rw-r--r--policy/modules/contrib/irqbalance.fc2
-rw-r--r--policy/modules/contrib/irqbalance.if1
-rw-r--r--policy/modules/contrib/irqbalance.te56
-rw-r--r--policy/modules/contrib/iscsi.fc7
-rw-r--r--policy/modules/contrib/iscsi.if76
-rw-r--r--policy/modules/contrib/iscsi.te97
-rw-r--r--policy/modules/contrib/jabber.fc10
-rw-r--r--policy/modules/contrib/jabber.if56
-rw-r--r--policy/modules/contrib/jabber.te94
-rw-r--r--policy/modules/contrib/java.fc38
-rw-r--r--policy/modules/contrib/java.if200
-rw-r--r--policy/modules/contrib/java.te153
-rw-r--r--policy/modules/contrib/kdump.fc5
-rw-r--r--policy/modules/contrib/kdump.if111
-rw-r--r--policy/modules/contrib/kdump.te38
-rw-r--r--policy/modules/contrib/kdumpgui.fc1
-rw-r--r--policy/modules/contrib/kdumpgui.if2
-rw-r--r--policy/modules/contrib/kdumpgui.te65
-rw-r--r--policy/modules/contrib/kerberos.fc33
-rw-r--r--policy/modules/contrib/kerberos.if380
-rw-r--r--policy/modules/contrib/kerberos.te325
-rw-r--r--policy/modules/contrib/kerneloops.fc3
-rw-r--r--policy/modules/contrib/kerneloops.if115
-rw-r--r--policy/modules/contrib/kerneloops.te54
-rw-r--r--policy/modules/contrib/kismet.fc6
-rw-r--r--policy/modules/contrib/kismet.if247
-rw-r--r--policy/modules/contrib/kismet.te101
-rw-r--r--policy/modules/contrib/ksmtuned.fc5
-rw-r--r--policy/modules/contrib/ksmtuned.if74
-rw-r--r--policy/modules/contrib/ksmtuned.te39
-rw-r--r--policy/modules/contrib/ktalk.fc7
-rw-r--r--policy/modules/contrib/ktalk.if1
-rw-r--r--policy/modules/contrib/ktalk.te79
-rw-r--r--policy/modules/contrib/kudzu.fc5
-rw-r--r--policy/modules/contrib/kudzu.if64
-rw-r--r--policy/modules/contrib/kudzu.te145
-rw-r--r--policy/modules/contrib/ldap.fc21
-rw-r--r--policy/modules/contrib/ldap.if123
-rw-r--r--policy/modules/contrib/ldap.te134
-rw-r--r--policy/modules/contrib/likewise.fc54
-rw-r--r--policy/modules/contrib/likewise.if105
-rw-r--r--policy/modules/contrib/likewise.te238
-rw-r--r--policy/modules/contrib/links.fc2
-rw-r--r--policy/modules/contrib/links.if46
-rw-r--r--policy/modules/contrib/links.te67
-rw-r--r--policy/modules/contrib/lircd.fc10
-rw-r--r--policy/modules/contrib/lircd.if96
-rw-r--r--policy/modules/contrib/lircd.te64
-rw-r--r--policy/modules/contrib/livecd.fc1
-rw-r--r--policy/modules/contrib/livecd.if100
-rw-r--r--policy/modules/contrib/livecd.te43
-rw-r--r--policy/modules/contrib/loadkeys.fc3
-rw-r--r--policy/modules/contrib/loadkeys.if67
-rw-r--r--policy/modules/contrib/loadkeys.te50
-rw-r--r--policy/modules/contrib/lockdev.fc2
-rw-r--r--policy/modules/contrib/lockdev.if33
-rw-r--r--policy/modules/contrib/lockdev.te37
-rw-r--r--policy/modules/contrib/logrotate.fc9
-rw-r--r--policy/modules/contrib/logrotate.if120
-rw-r--r--policy/modules/contrib/logrotate.te230
-rw-r--r--policy/modules/contrib/logwatch.fc7
-rw-r--r--policy/modules/contrib/logwatch.if38
-rw-r--r--policy/modules/contrib/logwatch.te147
-rw-r--r--policy/modules/contrib/lpd.fc37
-rw-r--r--policy/modules/contrib/lpd.if214
-rw-r--r--policy/modules/contrib/lpd.te328
-rw-r--r--policy/modules/contrib/mailman.fc34
-rw-r--r--policy/modules/contrib/mailman.if352
-rw-r--r--policy/modules/contrib/mailman.te128
-rw-r--r--policy/modules/contrib/mcelog.fc1
-rw-r--r--policy/modules/contrib/mcelog.if20
-rw-r--r--policy/modules/contrib/mcelog.te32
-rw-r--r--policy/modules/contrib/mediawiki.fc8
-rw-r--r--policy/modules/contrib/mediawiki.if1
-rw-r--r--policy/modules/contrib/mediawiki.te17
-rw-r--r--policy/modules/contrib/memcached.fc5
-rw-r--r--policy/modules/contrib/memcached.if73
-rw-r--r--policy/modules/contrib/memcached.te58
-rw-r--r--policy/modules/contrib/metadata.xml1
-rw-r--r--policy/modules/contrib/milter.fc15
-rw-r--r--policy/modules/contrib/milter.if106
-rw-r--r--policy/modules/contrib/milter.te96
-rw-r--r--policy/modules/contrib/modemmanager.fc1
-rw-r--r--policy/modules/contrib/modemmanager.if40
-rw-r--r--policy/modules/contrib/modemmanager.te41
-rw-r--r--policy/modules/contrib/mojomojo.fc5
-rw-r--r--policy/modules/contrib/mojomojo.if40
-rw-r--r--policy/modules/contrib/mojomojo.te36
-rw-r--r--policy/modules/contrib/mono.fc1
-rw-r--r--policy/modules/contrib/mono.if138
-rw-r--r--policy/modules/contrib/mono.te52
-rw-r--r--policy/modules/contrib/monop.fc4
-rw-r--r--policy/modules/contrib/monop.if1
-rw-r--r--policy/modules/contrib/monop.te85
-rw-r--r--policy/modules/contrib/mozilla.fc47
-rw-r--r--policy/modules/contrib/mozilla.if302
-rw-r--r--policy/modules/contrib/mozilla.te480
-rw-r--r--policy/modules/contrib/mpd.fc8
-rw-r--r--policy/modules/contrib/mpd.if267
-rw-r--r--policy/modules/contrib/mpd.te126
-rw-r--r--policy/modules/contrib/mplayer.fc14
-rw-r--r--policy/modules/contrib/mplayer.if104
-rw-r--r--policy/modules/contrib/mplayer.te311
-rw-r--r--policy/modules/contrib/mrtg.fc18
-rw-r--r--policy/modules/contrib/mrtg.if20
-rw-r--r--policy/modules/contrib/mrtg.te160
-rw-r--r--policy/modules/contrib/mta.fc30
-rw-r--r--policy/modules/contrib/mta.if903
-rw-r--r--policy/modules/contrib/mta.te294
-rw-r--r--policy/modules/contrib/munin.fc69
-rw-r--r--policy/modules/contrib/munin.if203
-rw-r--r--policy/modules/contrib/munin.te315
-rw-r--r--policy/modules/contrib/mutt.fc10
-rw-r--r--policy/modules/contrib/mutt.if104
-rw-r--r--policy/modules/contrib/mutt.te101
-rw-r--r--policy/modules/contrib/mysql.fc32
-rw-r--r--policy/modules/contrib/mysql.if355
-rw-r--r--policy/modules/contrib/mysql.te239
-rw-r--r--policy/modules/contrib/nagios.fc88
-rw-r--r--policy/modules/contrib/nagios.if229
-rw-r--r--policy/modules/contrib/nagios.te393
-rw-r--r--policy/modules/contrib/ncftool.fc1
-rw-r--r--policy/modules/contrib/ncftool.if44
-rw-r--r--policy/modules/contrib/ncftool.te81
-rw-r--r--policy/modules/contrib/nessus.fc10
-rw-r--r--policy/modules/contrib/nessus.if15
-rw-r--r--policy/modules/contrib/nessus.te105
-rw-r--r--policy/modules/contrib/networkmanager.fc28
-rw-r--r--policy/modules/contrib/networkmanager.if258
-rw-r--r--policy/modules/contrib/networkmanager.te319
-rw-r--r--policy/modules/contrib/nginx.fc63
-rw-r--r--policy/modules/contrib/nginx.if101
-rw-r--r--policy/modules/contrib/nginx.te193
-rw-r--r--policy/modules/contrib/nis.fc21
-rw-r--r--policy/modules/contrib/nis.if396
-rw-r--r--policy/modules/contrib/nis.te347
-rw-r--r--policy/modules/contrib/nscd.fc13
-rw-r--r--policy/modules/contrib/nscd.if291
-rw-r--r--policy/modules/contrib/nscd.te129
-rw-r--r--policy/modules/contrib/nsd.fc14
-rw-r--r--policy/modules/contrib/nsd.if29
-rw-r--r--policy/modules/contrib/nsd.te180
-rw-r--r--policy/modules/contrib/nslcd.fc4
-rw-r--r--policy/modules/contrib/nslcd.if114
-rw-r--r--policy/modules/contrib/nslcd.te45
-rw-r--r--policy/modules/contrib/ntop.fc6
-rw-r--r--policy/modules/contrib/ntop.if1
-rw-r--r--policy/modules/contrib/ntop.te114
-rw-r--r--policy/modules/contrib/ntp.fc22
-rw-r--r--policy/modules/contrib/ntp.if165
-rw-r--r--policy/modules/contrib/ntp.te156
-rw-r--r--policy/modules/contrib/nut.fc12
-rw-r--r--policy/modules/contrib/nut.if1
-rw-r--r--policy/modules/contrib/nut.te171
-rw-r--r--policy/modules/contrib/nx.fc12
-rw-r--r--policy/modules/contrib/nx.if85
-rw-r--r--policy/modules/contrib/nx.te98
-rw-r--r--policy/modules/contrib/oav.fc9
-rw-r--r--policy/modules/contrib/oav.if46
-rw-r--r--policy/modules/contrib/oav.te146
-rw-r--r--policy/modules/contrib/oddjob.fc7
-rw-r--r--policy/modules/contrib/oddjob.if111
-rw-r--r--policy/modules/contrib/oddjob.te106
-rw-r--r--policy/modules/contrib/oident.fc8
-rw-r--r--policy/modules/contrib/oident.if68
-rw-r--r--policy/modules/contrib/oident.te75
-rw-r--r--policy/modules/contrib/openca.fc9
-rw-r--r--policy/modules/contrib/openca.if76
-rw-r--r--policy/modules/contrib/openca.te82
-rw-r--r--policy/modules/contrib/openct.fc10
-rw-r--r--policy/modules/contrib/openct.if95
-rw-r--r--policy/modules/contrib/openct.te61
-rw-r--r--policy/modules/contrib/openvpn.fc18
-rw-r--r--policy/modules/contrib/openvpn.if163
-rw-r--r--policy/modules/contrib/openvpn.te140
-rw-r--r--policy/modules/contrib/pads.fc10
-rw-r--r--policy/modules/contrib/pads.if44
-rw-r--r--policy/modules/contrib/pads.te63
-rw-r--r--policy/modules/contrib/pan.fc6
-rw-r--r--policy/modules/contrib/pan.if38
-rw-r--r--policy/modules/contrib/pan.te116
-rw-r--r--policy/modules/contrib/passenger.fc11
-rw-r--r--policy/modules/contrib/passenger.if39
-rw-r--r--policy/modules/contrib/passenger.te77
-rw-r--r--policy/modules/contrib/pcmcia.fc10
-rw-r--r--policy/modules/contrib/pcmcia.if156
-rw-r--r--policy/modules/contrib/pcmcia.te137
-rw-r--r--policy/modules/contrib/pcscd.fc6
-rw-r--r--policy/modules/contrib/pcscd.if95
-rw-r--r--policy/modules/contrib/pcscd.te79
-rw-r--r--policy/modules/contrib/pegasus.fc12
-rw-r--r--policy/modules/contrib/pegasus.if1
-rw-r--r--policy/modules/contrib/pegasus.te138
-rw-r--r--policy/modules/contrib/perdition.fc3
-rw-r--r--policy/modules/contrib/perdition.if15
-rw-r--r--policy/modules/contrib/perdition.te75
-rw-r--r--policy/modules/contrib/pingd.fc6
-rw-r--r--policy/modules/contrib/pingd.if97
-rw-r--r--policy/modules/contrib/pingd.te47
-rw-r--r--policy/modules/contrib/plymouthd.fc7
-rw-r--r--policy/modules/contrib/plymouthd.if260
-rw-r--r--policy/modules/contrib/plymouthd.te99
-rw-r--r--policy/modules/contrib/podsleuth.fc3
-rw-r--r--policy/modules/contrib/podsleuth.if45
-rw-r--r--policy/modules/contrib/podsleuth.te87
-rw-r--r--policy/modules/contrib/policykit.fc16
-rw-r--r--policy/modules/contrib/policykit.if209
-rw-r--r--policy/modules/contrib/policykit.te210
-rw-r--r--policy/modules/contrib/portage.fc35
-rw-r--r--policy/modules/contrib/portage.if394
-rw-r--r--policy/modules/contrib/portage.te367
-rw-r--r--policy/modules/contrib/portmap.fc16
-rw-r--r--policy/modules/contrib/portmap.if89
-rw-r--r--policy/modules/contrib/portmap.te150
-rw-r--r--policy/modules/contrib/portreserve.fc7
-rw-r--r--policy/modules/contrib/portreserve.if120
-rw-r--r--policy/modules/contrib/portreserve.te54
-rw-r--r--policy/modules/contrib/portslave.fc4
-rw-r--r--policy/modules/contrib/portslave.if19
-rw-r--r--policy/modules/contrib/portslave.te125
-rw-r--r--policy/modules/contrib/postfix.fc53
-rw-r--r--policy/modules/contrib/postfix.if683
-rw-r--r--policy/modules/contrib/postfix.te635
-rw-r--r--policy/modules/contrib/postfixpolicyd.fc6
-rw-r--r--policy/modules/contrib/postfixpolicyd.if40
-rw-r--r--policy/modules/contrib/postfixpolicyd.te53
-rw-r--r--policy/modules/contrib/postgrey.fc12
-rw-r--r--policy/modules/contrib/postgrey.if81
-rw-r--r--policy/modules/contrib/postgrey.te107
-rw-r--r--policy/modules/contrib/ppp.fc38
-rw-r--r--policy/modules/contrib/ppp.if390
-rw-r--r--policy/modules/contrib/ppp.te325
-rw-r--r--policy/modules/contrib/prelink.fc11
-rw-r--r--policy/modules/contrib/prelink.if204
-rw-r--r--policy/modules/contrib/prelink.te164
-rw-r--r--policy/modules/contrib/prelude.fc18
-rw-r--r--policy/modules/contrib/prelude.if144
-rw-r--r--policy/modules/contrib/prelude.te308
-rw-r--r--policy/modules/contrib/privoxy.fc6
-rw-r--r--policy/modules/contrib/privoxy.if42
-rw-r--r--policy/modules/contrib/privoxy.te103
-rw-r--r--policy/modules/contrib/procmail.fc5
-rw-r--r--policy/modules/contrib/procmail.if79
-rw-r--r--policy/modules/contrib/procmail.te150
-rw-r--r--policy/modules/contrib/psad.fc8
-rw-r--r--policy/modules/contrib/psad.if262
-rw-r--r--policy/modules/contrib/psad.te106
-rw-r--r--policy/modules/contrib/ptchown.fc1
-rw-r--r--policy/modules/contrib/ptchown.if44
-rw-r--r--policy/modules/contrib/ptchown.te31
-rw-r--r--policy/modules/contrib/publicfile.fc7
-rw-r--r--policy/modules/contrib/publicfile.if1
-rw-r--r--policy/modules/contrib/publicfile.te34
-rw-r--r--policy/modules/contrib/pulseaudio.fc7
-rw-r--r--policy/modules/contrib/pulseaudio.if260
-rw-r--r--policy/modules/contrib/pulseaudio.te148
-rw-r--r--policy/modules/contrib/puppet.fc13
-rw-r--r--policy/modules/contrib/puppet.if31
-rw-r--r--policy/modules/contrib/puppet.te282
-rw-r--r--policy/modules/contrib/pxe.fc6
-rw-r--r--policy/modules/contrib/pxe.if1
-rw-r--r--policy/modules/contrib/pxe.te63
-rw-r--r--policy/modules/contrib/pyicqt.fc7
-rw-r--r--policy/modules/contrib/pyicqt.if1
-rw-r--r--policy/modules/contrib/pyicqt.te59
-rw-r--r--policy/modules/contrib/pyzor.fc9
-rw-r--r--policy/modules/contrib/pyzor.if90
-rw-r--r--policy/modules/contrib/pyzor.te146
-rw-r--r--policy/modules/contrib/qemu.fc4
-rw-r--r--policy/modules/contrib/qemu.if309
-rw-r--r--policy/modules/contrib/qemu.te135
-rw-r--r--policy/modules/contrib/qmail.fc47
-rw-r--r--policy/modules/contrib/qmail.if151
-rw-r--r--policy/modules/contrib/qmail.te321
-rw-r--r--policy/modules/contrib/qpid.fc8
-rw-r--r--policy/modules/contrib/qpid.if186
-rw-r--r--policy/modules/contrib/qpid.te63
-rw-r--r--policy/modules/contrib/quota.fc19
-rw-r--r--policy/modules/contrib/quota.if85
-rw-r--r--policy/modules/contrib/quota.te84
-rw-r--r--policy/modules/contrib/radius.fc23
-rw-r--r--policy/modules/contrib/radius.if62
-rw-r--r--policy/modules/contrib/radius.te143
-rw-r--r--policy/modules/contrib/radvd.fc7
-rw-r--r--policy/modules/contrib/radvd.if39
-rw-r--r--policy/modules/contrib/radvd.te82
-rw-r--r--policy/modules/contrib/raid.fc6
-rw-r--r--policy/modules/contrib/raid.if75
-rw-r--r--policy/modules/contrib/raid.te102
-rw-r--r--policy/modules/contrib/razor.fc8
-rw-r--r--policy/modules/contrib/razor.if159
-rw-r--r--policy/modules/contrib/razor.te121
-rw-r--r--policy/modules/contrib/rdisc.fc2
-rw-r--r--policy/modules/contrib/rdisc.if20
-rw-r--r--policy/modules/contrib/rdisc.te58
-rw-r--r--policy/modules/contrib/readahead.fc3
-rw-r--r--policy/modules/contrib/readahead.if1
-rw-r--r--policy/modules/contrib/readahead.te101
-rw-r--r--policy/modules/contrib/remotelogin.fc2
-rw-r--r--policy/modules/contrib/remotelogin.if37
-rw-r--r--policy/modules/contrib/remotelogin.te123
-rw-r--r--policy/modules/contrib/resmgr.fc7
-rw-r--r--policy/modules/contrib/resmgr.if22
-rw-r--r--policy/modules/contrib/resmgr.te66
-rw-r--r--policy/modules/contrib/rgmanager.fc7
-rw-r--r--policy/modules/contrib/rgmanager.if77
-rw-r--r--policy/modules/contrib/rgmanager.te202
-rw-r--r--policy/modules/contrib/rhcs.fc22
-rw-r--r--policy/modules/contrib/rhcs.if355
-rw-r--r--policy/modules/contrib/rhcs.te240
-rw-r--r--policy/modules/contrib/rhgb.fc4
-rw-r--r--policy/modules/contrib/rhgb.if198
-rw-r--r--policy/modules/contrib/rhgb.te142
-rw-r--r--policy/modules/contrib/rhsmcertd.fc11
-rw-r--r--policy/modules/contrib/rhsmcertd.if296
-rw-r--r--policy/modules/contrib/rhsmcertd.te59
-rw-r--r--policy/modules/contrib/ricci.fc16
-rw-r--r--policy/modules/contrib/ricci.if167
-rw-r--r--policy/modules/contrib/ricci.te488
-rw-r--r--policy/modules/contrib/rlogin.fc7
-rw-r--r--policy/modules/contrib/rlogin.if47
-rw-r--r--policy/modules/contrib/rlogin.te116
-rw-r--r--policy/modules/contrib/roundup.fc11
-rw-r--r--policy/modules/contrib/roundup.if39
-rw-r--r--policy/modules/contrib/roundup.te96
-rw-r--r--policy/modules/contrib/rpc.fc31
-rw-r--r--policy/modules/contrib/rpc.if436
-rw-r--r--policy/modules/contrib/rpc.te237
-rw-r--r--policy/modules/contrib/rpcbind.fc9
-rw-r--r--policy/modules/contrib/rpcbind.if148
-rw-r--r--policy/modules/contrib/rpcbind.te69
-rw-r--r--policy/modules/contrib/rpm.fc52
-rw-r--r--policy/modules/contrib/rpm.if575
-rw-r--r--policy/modules/contrib/rpm.te399
-rw-r--r--policy/modules/contrib/rshd.fc5
-rw-r--r--policy/modules/contrib/rshd.if21
-rw-r--r--policy/modules/contrib/rshd.te96
-rw-r--r--policy/modules/contrib/rssh.fc1
-rw-r--r--policy/modules/contrib/rssh.if103
-rw-r--r--policy/modules/contrib/rssh.te104
-rw-r--r--policy/modules/contrib/rsync.fc7
-rw-r--r--policy/modules/contrib/rsync.if143
-rw-r--r--policy/modules/contrib/rsync.te133
-rw-r--r--policy/modules/contrib/rtkit.fc1
-rw-r--r--policy/modules/contrib/rtkit.if60
-rw-r--r--policy/modules/contrib/rtkit.te35
-rw-r--r--policy/modules/contrib/rwho.fc7
-rw-r--r--policy/modules/contrib/rwho.if154
-rw-r--r--policy/modules/contrib/rwho.te60
-rw-r--r--policy/modules/contrib/samba.fc53
-rw-r--r--policy/modules/contrib/samba.if730
-rw-r--r--policy/modules/contrib/samba.te939
-rw-r--r--policy/modules/contrib/sambagui.fc1
-rw-r--r--policy/modules/contrib/sambagui.if2
-rw-r--r--policy/modules/contrib/sambagui.te61
-rw-r--r--policy/modules/contrib/samhain.fc13
-rw-r--r--policy/modules/contrib/samhain.if292
-rw-r--r--policy/modules/contrib/samhain.te76
-rw-r--r--policy/modules/contrib/sanlock.fc7
-rw-r--r--policy/modules/contrib/sanlock.if107
-rw-r--r--policy/modules/contrib/sanlock.te93
-rw-r--r--policy/modules/contrib/sasl.fc12
-rw-r--r--policy/modules/contrib/sasl.if58
-rw-r--r--policy/modules/contrib/sasl.te110
-rw-r--r--policy/modules/contrib/sblim.fc5
-rw-r--r--policy/modules/contrib/sblim.if73
-rw-r--r--policy/modules/contrib/sblim.te104
-rw-r--r--policy/modules/contrib/screen.fc15
-rw-r--r--policy/modules/contrib/screen.if162
-rw-r--r--policy/modules/contrib/screen.te25
-rw-r--r--policy/modules/contrib/sectoolm.fc4
-rw-r--r--policy/modules/contrib/sectoolm.if2
-rw-r--r--policy/modules/contrib/sectoolm.te106
-rw-r--r--policy/modules/contrib/sendmail.fc6
-rw-r--r--policy/modules/contrib/sendmail.if297
-rw-r--r--policy/modules/contrib/sendmail.te187
-rw-r--r--policy/modules/contrib/setroubleshoot.fc9
-rw-r--r--policy/modules/contrib/setroubleshoot.if135
-rw-r--r--policy/modules/contrib/setroubleshoot.te177
-rw-r--r--policy/modules/contrib/shorewall.fc16
-rw-r--r--policy/modules/contrib/shorewall.if202
-rw-r--r--policy/modules/contrib/shorewall.te108
-rw-r--r--policy/modules/contrib/shutdown.fc7
-rw-r--r--policy/modules/contrib/shutdown.if69
-rw-r--r--policy/modules/contrib/shutdown.te63
-rw-r--r--policy/modules/contrib/skype.fc11
-rw-r--r--policy/modules/contrib/skype.if39
-rw-r--r--policy/modules/contrib/skype.te111
-rw-r--r--policy/modules/contrib/slocate.fc2
-rw-r--r--policy/modules/contrib/slocate.if41
-rw-r--r--policy/modules/contrib/slocate.te70
-rw-r--r--policy/modules/contrib/slrnpull.fc10
-rw-r--r--policy/modules/contrib/slrnpull.if42
-rw-r--r--policy/modules/contrib/slrnpull.te70
-rw-r--r--policy/modules/contrib/smartmon.fc12
-rw-r--r--policy/modules/contrib/smartmon.if57
-rw-r--r--policy/modules/contrib/smartmon.te121
-rw-r--r--policy/modules/contrib/smokeping.fc9
-rw-r--r--policy/modules/contrib/smokeping.if167
-rw-r--r--policy/modules/contrib/smokeping.te77
-rw-r--r--policy/modules/contrib/smoltclient.fc2
-rw-r--r--policy/modules/contrib/smoltclient.if1
-rw-r--r--policy/modules/contrib/smoltclient.te68
-rw-r--r--policy/modules/contrib/snmp.fc24
-rw-r--r--policy/modules/contrib/snmp.if147
-rw-r--r--policy/modules/contrib/snmp.te172
-rw-r--r--policy/modules/contrib/snort.fc9
-rw-r--r--policy/modules/contrib/snort.if60
-rw-r--r--policy/modules/contrib/snort.te117
-rw-r--r--policy/modules/contrib/sosreport.fc1
-rw-r--r--policy/modules/contrib/sosreport.if129
-rw-r--r--policy/modules/contrib/sosreport.te148
-rw-r--r--policy/modules/contrib/soundserver.fc13
-rw-r--r--policy/modules/contrib/soundserver.if57
-rw-r--r--policy/modules/contrib/soundserver.te114
-rw-r--r--policy/modules/contrib/spamassassin.fc15
-rw-r--r--policy/modules/contrib/spamassassin.if227
-rw-r--r--policy/modules/contrib/spamassassin.te449
-rw-r--r--policy/modules/contrib/speedtouch.fc2
-rw-r--r--policy/modules/contrib/speedtouch.if1
-rw-r--r--policy/modules/contrib/speedtouch.te61
-rw-r--r--policy/modules/contrib/squid.fc14
-rw-r--r--policy/modules/contrib/squid.if233
-rw-r--r--policy/modules/contrib/squid.te208
-rw-r--r--policy/modules/contrib/sssd.fc11
-rw-r--r--policy/modules/contrib/sssd.if255
-rw-r--r--policy/modules/contrib/sssd.te90
-rw-r--r--policy/modules/contrib/stunnel.fc7
-rw-r--r--policy/modules/contrib/stunnel.if25
-rw-r--r--policy/modules/contrib/stunnel.te123
-rw-r--r--policy/modules/contrib/sxid.fc6
-rw-r--r--policy/modules/contrib/sxid.if22
-rw-r--r--policy/modules/contrib/sxid.te97
-rw-r--r--policy/modules/contrib/sysstat.fc8
-rw-r--r--policy/modules/contrib/sysstat.if21
-rw-r--r--policy/modules/contrib/sysstat.te70
-rw-r--r--policy/modules/contrib/tcpd.fc2
-rw-r--r--policy/modules/contrib/tcpd.if45
-rw-r--r--policy/modules/contrib/tcpd.te50
-rw-r--r--policy/modules/contrib/tcsd.fc3
-rw-r--r--policy/modules/contrib/tcsd.if150
-rw-r--r--policy/modules/contrib/tcsd.te50
-rw-r--r--policy/modules/contrib/telepathy.fc18
-rw-r--r--policy/modules/contrib/telepathy.if178
-rw-r--r--policy/modules/contrib/telepathy.te380
-rw-r--r--policy/modules/contrib/telnet.fc4
-rw-r--r--policy/modules/contrib/telnet.if1
-rw-r--r--policy/modules/contrib/telnet.te102
-rw-r--r--policy/modules/contrib/tftp.fc8
-rw-r--r--policy/modules/contrib/tftp.if67
-rw-r--r--policy/modules/contrib/tftp.te106
-rw-r--r--policy/modules/contrib/tgtd.fc3
-rw-r--r--policy/modules/contrib/tgtd.if46
-rw-r--r--policy/modules/contrib/tgtd.te66
-rw-r--r--policy/modules/contrib/thunderbird.fc6
-rw-r--r--policy/modules/contrib/thunderbird.if63
-rw-r--r--policy/modules/contrib/thunderbird.te208
-rw-r--r--policy/modules/contrib/timidity.fc2
-rw-r--r--policy/modules/contrib/timidity.if1
-rw-r--r--policy/modules/contrib/timidity.te85
-rw-r--r--policy/modules/contrib/tmpreaper.fc7
-rw-r--r--policy/modules/contrib/tmpreaper.if21
-rw-r--r--policy/modules/contrib/tmpreaper.te74
-rw-r--r--policy/modules/contrib/tor.fc12
-rw-r--r--policy/modules/contrib/tor.if64
-rw-r--r--policy/modules/contrib/tor.te120
-rw-r--r--policy/modules/contrib/transproxy.fc3
-rw-r--r--policy/modules/contrib/transproxy.if1
-rw-r--r--policy/modules/contrib/transproxy.te65
-rw-r--r--policy/modules/contrib/tripwire.fc10
-rw-r--r--policy/modules/contrib/tripwire.if190
-rw-r--r--policy/modules/contrib/tripwire.te146
-rw-r--r--policy/modules/contrib/tuned.fc8
-rw-r--r--policy/modules/contrib/tuned.if129
-rw-r--r--policy/modules/contrib/tuned.te64
-rw-r--r--policy/modules/contrib/tvtime.fc5
-rw-r--r--policy/modules/contrib/tvtime.if40
-rw-r--r--policy/modules/contrib/tvtime.te90
-rw-r--r--policy/modules/contrib/tzdata.fc1
-rw-r--r--policy/modules/contrib/tzdata.if45
-rw-r--r--policy/modules/contrib/tzdata.te36
-rw-r--r--policy/modules/contrib/ucspitcp.fc3
-rw-r--r--policy/modules/contrib/ucspitcp.if38
-rw-r--r--policy/modules/contrib/ucspitcp.te93
-rw-r--r--policy/modules/contrib/ulogd.fc7
-rw-r--r--policy/modules/contrib/ulogd.if142
-rw-r--r--policy/modules/contrib/ulogd.te67
-rw-r--r--policy/modules/contrib/uml.fc14
-rw-r--r--policy/modules/contrib/uml.if99
-rw-r--r--policy/modules/contrib/uml.te188
-rw-r--r--policy/modules/contrib/updfstab.fc3
-rw-r--r--policy/modules/contrib/updfstab.if21
-rw-r--r--policy/modules/contrib/updfstab.te116
-rw-r--r--policy/modules/contrib/uptime.fc6
-rw-r--r--policy/modules/contrib/uptime.if1
-rw-r--r--policy/modules/contrib/uptime.te73
-rw-r--r--policy/modules/contrib/usbmodules.fc9
-rw-r--r--policy/modules/contrib/usbmodules.if46
-rw-r--r--policy/modules/contrib/usbmodules.te47
-rw-r--r--policy/modules/contrib/usbmuxd.fc3
-rw-r--r--policy/modules/contrib/usbmuxd.if39
-rw-r--r--policy/modules/contrib/usbmuxd.te42
-rw-r--r--policy/modules/contrib/userhelper.fc9
-rw-r--r--policy/modules/contrib/userhelper.if257
-rw-r--r--policy/modules/contrib/userhelper.te14
-rw-r--r--policy/modules/contrib/usernetctl.fc2
-rw-r--r--policy/modules/contrib/usernetctl.if45
-rw-r--r--policy/modules/contrib/usernetctl.te90
-rw-r--r--policy/modules/contrib/uucp.fc11
-rw-r--r--policy/modules/contrib/uucp.if120
-rw-r--r--policy/modules/contrib/uucp.te149
-rw-r--r--policy/modules/contrib/uuidd.fc7
-rw-r--r--policy/modules/contrib/uuidd.if190
-rw-r--r--policy/modules/contrib/uuidd.te44
-rw-r--r--policy/modules/contrib/uwimap.fc2
-rw-r--r--policy/modules/contrib/uwimap.if20
-rw-r--r--policy/modules/contrib/uwimap.te98
-rw-r--r--policy/modules/contrib/varnishd.fc18
-rw-r--r--policy/modules/contrib/varnishd.if216
-rw-r--r--policy/modules/contrib/varnishd.te118
-rw-r--r--policy/modules/contrib/vbetool.fc1
-rw-r--r--policy/modules/contrib/vbetool.if45
-rw-r--r--policy/modules/contrib/vbetool.te51
-rw-r--r--policy/modules/contrib/vdagent.fc7
-rw-r--r--policy/modules/contrib/vdagent.if124
-rw-r--r--policy/modules/contrib/vdagent.te51
-rw-r--r--policy/modules/contrib/vde.fc5
-rw-r--r--policy/modules/contrib/vde.if65
-rw-r--r--policy/modules/contrib/vde.te49
-rw-r--r--policy/modules/contrib/vhostmd.fc5
-rw-r--r--policy/modules/contrib/vhostmd.if224
-rw-r--r--policy/modules/contrib/vhostmd.te76
-rw-r--r--policy/modules/contrib/virt.fc29
-rw-r--r--policy/modules/contrib/virt.if518
-rw-r--r--policy/modules/contrib/virt.te473
-rw-r--r--policy/modules/contrib/vlock.fc1
-rw-r--r--policy/modules/contrib/vlock.if46
-rw-r--r--policy/modules/contrib/vlock.te53
-rw-r--r--policy/modules/contrib/vmware.fc71
-rw-r--r--policy/modules/contrib/vmware.if104
-rw-r--r--policy/modules/contrib/vmware.te282
-rw-r--r--policy/modules/contrib/vnstatd.fc7
-rw-r--r--policy/modules/contrib/vnstatd.if143
-rw-r--r--policy/modules/contrib/vnstatd.te80
-rw-r--r--policy/modules/contrib/vpn.fc13
-rw-r--r--policy/modules/contrib/vpn.if138
-rw-r--r--policy/modules/contrib/vpn.te125
-rw-r--r--policy/modules/contrib/w3c.fc4
-rw-r--r--policy/modules/contrib/w3c.if1
-rw-r--r--policy/modules/contrib/w3c.te24
-rw-r--r--policy/modules/contrib/watchdog.fc5
-rw-r--r--policy/modules/contrib/watchdog.if1
-rw-r--r--policy/modules/contrib/watchdog.te105
-rw-r--r--policy/modules/contrib/webadm.fc1
-rw-r--r--policy/modules/contrib/webadm.if50
-rw-r--r--policy/modules/contrib/webadm.te55
-rw-r--r--policy/modules/contrib/webalizer.fc11
-rw-r--r--policy/modules/contrib/webalizer.if45
-rw-r--r--policy/modules/contrib/webalizer.te109
-rw-r--r--policy/modules/contrib/wine.fc21
-rw-r--r--policy/modules/contrib/wine.if178
-rw-r--r--policy/modules/contrib/wine.te62
-rw-r--r--policy/modules/contrib/wireshark.fc3
-rw-r--r--policy/modules/contrib/wireshark.if55
-rw-r--r--policy/modules/contrib/wireshark.te122
-rw-r--r--policy/modules/contrib/wm.fc4
-rw-r--r--policy/modules/contrib/wm.if111
-rw-r--r--policy/modules/contrib/wm.te9
-rw-r--r--policy/modules/contrib/xdg.fc8
-rw-r--r--policy/modules/contrib/xdg.if581
-rw-r--r--policy/modules/contrib/xdg.te26
-rw-r--r--policy/modules/contrib/xen.fc43
-rw-r--r--policy/modules/contrib/xen.if238
-rw-r--r--policy/modules/contrib/xen.te566
-rw-r--r--policy/modules/contrib/xfs.fc8
-rw-r--r--policy/modules/contrib/xfs.if59
-rw-r--r--policy/modules/contrib/xfs.te87
-rw-r--r--policy/modules/contrib/xguest.fc1
-rw-r--r--policy/modules/contrib/xguest.if50
-rw-r--r--policy/modules/contrib/xguest.te98
-rw-r--r--policy/modules/contrib/xprint.fc1
-rw-r--r--policy/modules/contrib/xprint.if1
-rw-r--r--policy/modules/contrib/xprint.te82
-rw-r--r--policy/modules/contrib/xscreensaver.fc1
-rw-r--r--policy/modules/contrib/xscreensaver.if30
-rw-r--r--policy/modules/contrib/xscreensaver.te42
-rw-r--r--policy/modules/contrib/yam.fc6
-rw-r--r--policy/modules/contrib/yam.if66
-rw-r--r--policy/modules/contrib/yam.te124
-rw-r--r--policy/modules/contrib/zabbix.fc9
-rw-r--r--policy/modules/contrib/zabbix.if158
-rw-r--r--policy/modules/contrib/zabbix.te137
-rw-r--r--policy/modules/contrib/zarafa.fc26
-rw-r--r--policy/modules/contrib/zarafa.if120
-rw-r--r--policy/modules/contrib/zarafa.te161
-rw-r--r--policy/modules/contrib/zebra.fc22
-rw-r--r--policy/modules/contrib/zebra.if88
-rw-r--r--policy/modules/contrib/zebra.te140
-rw-r--r--policy/modules/contrib/zosremote.fc1
-rw-r--r--policy/modules/contrib/zosremote.if45
-rw-r--r--policy/modules/contrib/zosremote.te28
934 files changed, 86600 insertions, 0 deletions
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
new file mode 100644
index 00000000..1bd5812e
--- /dev/null
+++ b/policy/modules/contrib/abrt.fc
@@ -0,0 +1,20 @@
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
new file mode 100644
index 00000000..0b827c52
--- /dev/null
+++ b/policy/modules/contrib/abrt.if
@@ -0,0 +1,303 @@
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+## Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+ gen_require(`
+ type abrt_t, abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+## Execute abrt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_exec',`
+ gen_require(`
+ type abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, abrt_exec_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to abrt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_signull',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read abrt state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_state',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ ps_process_pattern($1, abrt_t)
+')
+
+########################################
+## <summary>
+## Connect to abrt over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_stream_connect',`
+ gen_require(`
+ type abrt_t, abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_dbus_chat',`
+ gen_require(`
+ type abrt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
+
+#####################################
+## <summary>
+## Execute abrt-helper in the abrt-helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_helper',`
+ gen_require(`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
+########################################
+## <summary>
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_run_helper',`
+ gen_require(`
+ type abrt_helper_t;
+ ')
+
+ abrt_domtrans_helper($1)
+ role $2 types abrt_helper_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_cache_manage',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+####################################
+## <summary>
+## Read abrt configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+## Read abrt logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_log',`
+ gen_require(`
+ type abrt_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+######################################
+## <summary>
+## Read abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+#####################################
+## <summary>
+## All of the rules required to administrate
+## an abrt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the abrt domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+ gen_require(`
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ ')
+
+ allow $1 abrt_t:process { ptrace signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+ files_search_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+')
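Review bot: The summary on `abrt_cache_manage` (L1135-1138) is copied from `abrt_dbus_chat` and describes dbus messaging, while the body grants file management on `abrt_var_cache_t`; it should read `## Create, read, write, and delete abrt cache files.` The interface also omits the parent-directory search that every sibling interface performs (`files_search_etc`, `logging_search_logs`, `files_search_pids`), so callers get file permissions on `/var/cache/abrt` without being able to reach it; add `files_search_var($1)` before the `manage_files_pattern` call. The name departs from the `abrt_manage_*_files` pattern used elsewhere in this file (`abrt_manage_pid_files`), which is worth aligning before other modules start depending on it.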
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
new file mode 100644
index 00000000..30861ec4
--- /dev/null
+++ b/policy/modules/contrib/abrt.te
@@ -0,0 +1,227 @@
+policy_module(abrt, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+# etc files
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+# log files
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+# tmp files
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+# var/cache files
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+# pid files
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+# type needed to allow all domains
+# to handle /var/cache/abrt
+type abrt_helper_t;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role system_r types abrt_helper_t;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# abrt local policy
+#
+
+allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:process { signal signull setsched getsched };
+
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# abrt etc files
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+# log file
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+# abrt tmp files
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+# abrt var/cache files
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
+# abrt pid files
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+
+corenet_all_recvfrom_netlabel(abrt_t)
+corenet_all_recvfrom_unlabeled(abrt_t)
+corenet_tcp_sendrecv_generic_if(abrt_t)
+corenet_tcp_sendrecv_generic_node(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
+corenet_tcp_bind_generic_node(abrt_t)
+corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
+
+dev_getattr_all_chr_files(abrt_t)
+dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+
+domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_etc_files(abrt_t)
+files_read_var_symlinks(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
+
+fs_list_inotifyfs(abrt_t)
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
+
+sysnet_read_config(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
+
+optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+')
+
+# to run mailx plugin
+optional_policy(`
+ sendmail_domtrans(abrt_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+########################################
+#
+# abrt--helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid sys_nice };
+allow abrt_helper_t self:process signal;
+
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+files_search_spool(abrt_helper_t)
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+files_read_etc_files(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+logging_send_syslog_msg(abrt_helper_t)
+
+miscfiles_read_localization(abrt_helper_t)
+
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms', `
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
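Review bot: `corenet_tcp_connect_all_ports(abrt_t)` on L1385 makes the two targeted rules on L1383-1384 (`corenet_tcp_connect_http_port`, `corenet_tcp_connect_ftp_port`) redundant and gives the daemon outbound TCP to every labelled port; either drop L1385 or keep only it with a comment explaining which reporter plugin needs arbitrary destination ports. L1371 `kernel_rw_kernel_sysctl(abrt_t)` is a write permission on kernel sysctls with no why-comment; presumably this is for registering the crash hook in the core-dump sysctl, but that should be confirmed and stated, e.g. `# rw kernel sysctl: needed to install the core dump hook -- TODO confirm`. The capability set on L1333 (`dac_override` alongside `setuid`/`setgid`) would likewise benefit from a one-line comment naming the operation that needs DAC bypass, since `abrt_helper_t` on L1471 gets by without it.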
diff --git a/policy/modules/contrib/accountsd.fc b/policy/modules/contrib/accountsd.fc
new file mode 100644
index 00000000..1adca53f
--- /dev/null
+++ b/policy/modules/contrib/accountsd.fc
@@ -0,0 +1,3 @@
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/accountsd.if b/policy/modules/contrib/accountsd.if
new file mode 100644
index 00000000..c0f858de
--- /dev/null
+++ b/policy/modules/contrib/accountsd.if
@@ -0,0 +1,145 @@
+## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run accountsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_domtrans',`
+ gen_require(`
+ type accountsd_t, accountsd_exec_t;
+ ')
+
+ domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Accounts Daemon
+## fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## accountsd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+ gen_require(`
+ type accountsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 accountsd_t:dbus send_msg;
+ allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search accountsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_search_lib',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ allow $1 accountsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_read_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## accountsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`accountsd_manage_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an accountsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+')
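Review bot: `accountsd_admin` (L1660-1669) documents a `role` parameter and carries `<rolecap/>`, but its body never references `$2`; unlike `abrt_admin` there is no init script type to `role_transition` on. Either remove the `<param name="role">` block and `<rolecap/>` so the documentation matches the body, or keep the two-argument shape for consistency with other `*_admin` interfaces and say so in the summary, e.g. `## The role parameter is accepted for interface consistency and is currently unused.` Also, `accountsd_search_lib` (L1595-1602) places `files_search_var_lib($1)` after the `allow`, whereas the other interfaces in this file call the parent search first; reordering keeps the file uniform.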
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
new file mode 100644
index 00000000..1632f105
--- /dev/null
+++ b/policy/modules/contrib/accountsd.te
@@ -0,0 +1,57 @@
+policy_module(accountsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# accountsd local policy
+#
+
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+
+kernel_read_kernel_sysctls(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+files_read_usr_files(accountsd_t)
+files_read_mnt_files(accountsd_t)
+
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+ consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
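Review bot: The capability set on L1695 grants `sys_ptrace` and `dac_override` to `accountsd_t` with no comment explaining which operation needs them, and both are broad: reading `/etc/shadow` is already granted separately by `auth_read_shadow` on L1713, so `dac_override` should only stay if a specific non-root-accessible path is known. Add a why-comment per capability in the style this tree uses elsewhere (compare L1859 in acct.te), e.g. `# sys_ptrace: <operation> -- TODO confirm from audit logs`, or drop the ones that no denial demonstrates. `userdom_read_user_home_content_files` on L1721 reads all user home content; if the intent is only the per-user icon file, a note saying so would help a later maintainer tighten it.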
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
new file mode 100644
index 00000000..e81367cc
--- /dev/null
+++ b/policy/modules/contrib/acct.fc
@@ -0,0 +1,9 @@
+
+/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
new file mode 100644
index 00000000..e66c296e
--- /dev/null
+++ b/policy/modules/contrib/acct.if
@@ -0,0 +1,80 @@
+## <summary>Berkeley process accounting</summary>
+
+########################################
+## <summary>
+## Transition to the accounting management domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`acct_domtrans',`
+ gen_require(`
+ type acct_t, acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acct_exec_t, acct_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management tools in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_exec',`
+ gen_require(`
+ type acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, acct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management data in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ can_exec($1, acct_data_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete process accounting data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_manage_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+')
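Review bot: `acct_exec_data` (L1806-1813) grants `can_exec` on `acct_data_t`, which acct.te (L1852) declares with `logging_log_file`, so any caller may execute files under a writable log type; the inline note on L1804-1805 already says the author cannot justify this. Turn that note into an actionable TODO so the rule does not outlive its reason, e.g. `# TODO: verify logrotate still needs execute on acct_data_t; remove this interface if not`. The parameter summary on L1796 ("Execute accounting management data") should also say plainly that it grants execute on log data, so callers see the risk.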
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
new file mode 100644
index 00000000..63ef90ec
--- /dev/null
+++ b/policy/modules/contrib/acct.te
@@ -0,0 +1,89 @@
+policy_module(acct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t, acct_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file rw_fifo_file_perms;
+allow acct_t self:process signal_perms;
+
+manage_files_pattern(acct_t, acct_data_t, acct_data_t)
+manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
+
+can_exec(acct_t, acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+term_dontaudit_use_generic_ptys(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+# for nscd
+files_dontaudit_search_pids(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
+
+optional_policy(`
+ optional_policy(`
+ # for monthly cron job
+ auth_log_filetrans_login_records(acct_t)
+ auth_manage_login_records(acct_t)
+ ')
+
+ cron_system_entry(acct_t, acct_exec_t)
+')
+
+optional_policy(`
+ nscd_socket_use(acct_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+ udev_read_db(acct_t)
+')
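Review bot: The rule `allow acct_t self:capability { sys_pacct chown fsetid };` is commented only for `chown` ("gzip needs chown capability for some reason"); `fsetid` is granted with no rationale, and the following `dontaudit ... { kill sys_tty_config }` comment states the need for `kill` is unknown, so two privilege grants in this domain are undocumented. Propose rewording the comment to `# sys_pacct for acct(2); chown/fsetid presumably so gzip can preserve owner and set-id bits on rotated accounting files -- verify` so the open question is explicit. The nested `optional_policy` block near the end also lacks a comment naming the module the outer block is optional on; `# cron: monthly accounting rotation job` above `optional_policy(` would make the dependency on `cron_system_entry` readable, and the inner block wrapping the `auth_*` calls looks unnecessary if authlogin is in the base policy for this tree (inferred; confirm against the build).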
diff --git a/policy/modules/contrib/ada.fc b/policy/modules/contrib/ada.fc
new file mode 100644
index 00000000..e802ed56
--- /dev/null
+++ b/policy/modules/contrib/ada.fc
@@ -0,0 +1,7 @@
+#
+# /usr
+#
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
diff --git a/policy/modules/contrib/ada.if b/policy/modules/contrib/ada.if
new file mode 100644
index 00000000..43ba21dc
--- /dev/null
+++ b/policy/modules/contrib/ada.if
@@ -0,0 +1,45 @@
+## <summary>GNAT Ada95 compiler</summary>
+
+########################################
+## <summary>
+## Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ada_domtrans',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+## <summary>
+## Execute ada in the ada domain, and
+## allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ada_run',`
+ gen_require(`
+ type ada_t;
+ ')
+
+ ada_domtrans($1)
+ role $2 types ada_t;
+')
diff --git a/policy/modules/contrib/ada.te b/policy/modules/contrib/ada.te
new file mode 100644
index 00000000..39c75fb4
--- /dev/null
+++ b/policy/modules/contrib/ada.te
@@ -0,0 +1,24 @@
+policy_module(ada, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role system_r types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+ unconfined_domain(ada_t)
+')
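Review bot: `unconfined_domain(ada_t)` inside the trailing `optional_policy` makes the compiler domain fully unconfined whenever the unconfined module is loaded, which renders the explicit `allow ada_t self:process { execstack execmem };` above it moot on such systems and means every domain given `ada_domtrans`/`ada_run` obtains an unconfined process. Neither rule carries a rationale even though the `execstack execmem` grant is itself unusual for a compiler. Propose `# GNAT generates trampolines on the stack; confirm before relaxing further` above the process rule, and `# Falls back to unconfined when the unconfined module is present; remove once the confined ruleset is complete` above the optional block, or gate the block behind a tunable so the unconfined fallback is opt-in.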
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
new file mode 100644
index 00000000..eaea1388
--- /dev/null
+++ b/policy/modules/contrib/afs.fc
@@ -0,0 +1,32 @@
+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+
+/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+
+/vicepa gen_context(system_u:object_r:afs_files_t,s0)
+/vicepb gen_context(system_u:object_r:afs_files_t,s0)
+/vicepc gen_context(system_u:object_r:afs_files_t,s0)
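Review bot: The three literal entries `/vicepa`, `/vicepb`, `/vicepc` label only the first three AFS vice partitions; a server with a fourth partition gets default labeling and `afs_fsserver_t` will be denied access to it. If the installed layout follows the usual `/vicepX` naming (inferred, not visible here), a single pattern such as `/vicep[a-z]+	gen_context(system_u:object_r:afs_files_t,s0)` replaces the three lines and covers the rest. The `/usr/afs/db/pr.*`, `ka.*`, `vl.*` patterns above also match subdirectories because they lack a file-type flag; `--` would restrict them to regular files as the surrounding entries do.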
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
new file mode 100644
index 00000000..8559cdc6
--- /dev/null
+++ b/policy/modules/contrib/afs.if
@@ -0,0 +1,109 @@
+## <summary>Andrew Filesystem server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run the
+## afs client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_domtrans',`
+ gen_require(`
+ type afs_t, afs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, afs_exec_t, afs_t)
+')
+
+########################################
+## <summary>
+## Read and write afs client UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_udp_sockets',`
+ gen_require(`
+ type afs_t;
+ ')
+
+ allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## read/write afs cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_cache',`
+ gen_require(`
+ type afs_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 afs_cache_t:file { read write };
+')
+
+########################################
+## <summary>
+## Execute afs server in the afs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_initrc_domtrans',`
+ gen_require(`
+ type afs_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an afs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the afs domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`afs_admin',`
+ gen_require(`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+ allow $1 afs_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, afs_t, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 afs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
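Review bot: `afs_admin` reads process state with `allow $1 afs_t:process { ptrace signal_perms getattr };` followed by `read_files_pattern($1, afs_t, afs_t)`, whereas the sibling admin interfaces added in this commit (`aiccu_admin`, `aide_admin`, `aisexecd_admin`) use `ps_process_pattern($1, <domain>)` for the same purpose; the refpolicy idiom should be used here too. The interface also claims "all of the rules required to administrate an afs environment" but grants nothing on the afs data types declared in afs.te (`afs_config_t`, `afs_dbdir_t`, the db types, `afs_logfile_t`, `afs_cache_t`), and it covers only the client domain, not the server domains. Sketch of the body after the `gen_require` (the initrc/role block stays as is); there is also a stray blank line before the closing `')`.
```selinux
interface(`afs_admin',`
	gen_require(`
		type afs_t, afs_initrc_exec_t;
		type afs_config_t, afs_dbdir_t, afs_logfile_t, afs_cache_t;
		type afs_ka_db_t, afs_pt_db_t, afs_vl_db_t;
	')

	allow $1 afs_t:process { ptrace signal_perms };
	ps_process_pattern($1, afs_t)

	# … unchanged: afs_initrc_domtrans / domain_system_change_exemption / role_transition …

	files_list_usr($1)
	admin_pattern($1, afs_config_t)
	admin_pattern($1, afs_dbdir_t)
	admin_pattern($1, { afs_ka_db_t afs_pt_db_t afs_vl_db_t })
	admin_pattern($1, afs_logfile_t)

	files_list_var($1)
	admin_pattern($1, afs_cache_t)
')
```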
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
new file mode 100644
index 00000000..a496fdea
--- /dev/null
+++ b/policy/modules/contrib/afs.te
@@ -0,0 +1,355 @@
+policy_module(afs, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type afs_t;
+type afs_exec_t;
+init_daemon_domain(afs_t, afs_exec_t)
+
+type afs_bosserver_t;
+type afs_bosserver_exec_t;
+init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
+
+type afs_cache_t;
+files_type(afs_cache_t)
+
+type afs_config_t;
+files_type(afs_config_t)
+
+type afs_dbdir_t;
+files_type(afs_dbdir_t)
+
+# exported files
+type afs_files_t;
+files_type(afs_files_t)
+
+type afs_fsserver_t;
+type afs_fsserver_exec_t;
+domain_type(afs_fsserver_t)
+domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
+role system_r types afs_fsserver_t;
+
+type afs_initrc_exec_t;
+init_script_file(afs_initrc_exec_t)
+
+type afs_ka_db_t;
+files_type(afs_ka_db_t)
+
+type afs_kaserver_t;
+type afs_kaserver_exec_t;
+domain_type(afs_kaserver_t)
+domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
+role system_r types afs_kaserver_t;
+
+type afs_logfile_t;
+logging_log_file(afs_logfile_t)
+
+type afs_pt_db_t;
+files_type(afs_pt_db_t)
+
+type afs_ptserver_t;
+type afs_ptserver_exec_t;
+domain_type(afs_ptserver_t)
+domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
+role system_r types afs_ptserver_t;
+
+type afs_vl_db_t;
+files_type(afs_vl_db_t)
+
+type afs_vlserver_t;
+type afs_vlserver_exec_t;
+domain_type(afs_vlserver_t)
+domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
+role system_r types afs_vlserver_t;
+
+########################################
+#
+# afs client local policy
+#
+
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
+allow afs_t self:udp_socket create_socket_perms;
+allow afs_t self:fifo_file rw_file_perms;
+allow afs_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
+manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
+files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+kernel_rw_afs_state(afs_t)
+
+corenet_all_recvfrom_unlabeled(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
+files_mounton_mnt(afs_t)
+files_read_etc_files(afs_t)
+files_read_usr_files(afs_t)
+files_rw_etc_runtime_files(afs_t)
+
+fs_getattr_xattr_fs(afs_t)
+fs_mount_nfs(afs_t)
+fs_read_nfs_symlinks(afs_t)
+
+logging_send_syslog_msg(afs_t)
+
+miscfiles_read_localization(afs_t)
+
+sysnet_dns_name_resolve(afs_t)
+
+########################################
+#
+# AFS bossserver local policy
+#
+
+allow afs_bosserver_t self:process { setsched signal_perms };
+allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_bosserver_t self:udp_socket create_socket_perms;
+
+can_exec(afs_bosserver_t, afs_bosserver_exec_t)
+
+manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+
+allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+
+allow afs_bosserver_t afs_fsserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
+
+allow afs_bosserver_t afs_kaserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
+
+allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
+
+allow afs_bosserver_t afs_ptserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
+
+allow afs_bosserver_t afs_vlserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+kernel_read_kernel_sysctls(afs_bosserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
+corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
+corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+corenet_tcp_sendrecv_generic_node(afs_bosserver_t)
+corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_sendrecv_all_ports(afs_bosserver_t)
+corenet_udp_bind_generic_node(afs_bosserver_t)
+corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+
+files_read_etc_files(afs_bosserver_t)
+files_list_home(afs_bosserver_t)
+files_read_usr_files(afs_bosserver_t)
+
+miscfiles_read_localization(afs_bosserver_t)
+
+seutil_read_config(afs_bosserver_t)
+
+sysnet_read_config(afs_bosserver_t)
+
+########################################
+#
+# fileserver local policy
+#
+
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+dontaudit afs_fsserver_t self:capability fsetid;
+allow afs_fsserver_t self:process { setsched signal_perms };
+allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_fsserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+allow afs_fsserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+allow afs_fsserver_t afs_files_t:filesystem getattr;
+manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })
+
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_system_state(afs_fsserver_t)
+kernel_read_kernel_sysctls(afs_fsserver_t)
+
+corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+
+files_read_etc_files(afs_fsserver_t)
+files_read_etc_runtime_files(afs_fsserver_t)
+files_list_home(afs_fsserver_t)
+files_read_usr_files(afs_fsserver_t)
+files_list_pids(afs_fsserver_t)
+files_dontaudit_search_mnt(afs_fsserver_t)
+
+fs_getattr_xattr_fs(afs_fsserver_t)
+
+term_dontaudit_use_console(afs_fsserver_t)
+
+init_dontaudit_use_script_fds(afs_fsserver_t)
+
+logging_send_syslog_msg(afs_fsserver_t)
+
+miscfiles_read_localization(afs_fsserver_t)
+
+seutil_read_config(afs_fsserver_t)
+
+sysnet_read_config(afs_fsserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
+
+########################################
+#
+# kaserver local policy
+#
+
+allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_kaserver_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)
+
+manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
+filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
+
+manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_kernel_sysctls(afs_kaserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
+corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
+corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+corenet_tcp_sendrecv_generic_node(afs_kaserver_t)
+corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_sendrecv_all_ports(afs_kaserver_t)
+corenet_udp_bind_generic_node(afs_kaserver_t)
+corenet_udp_bind_afs_ka_port(afs_kaserver_t)
+corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+
+files_read_etc_files(afs_kaserver_t)
+files_list_home(afs_kaserver_t)
+files_read_usr_files(afs_kaserver_t)
+
+miscfiles_read_localization(afs_kaserver_t)
+
+seutil_read_config(afs_kaserver_t)
+
+sysnet_read_config(afs_kaserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+
+########################################
+#
+# ptserver local policy
+#
+
+allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_ptserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_node(afs_ptserver_t)
+corenet_udp_sendrecv_generic_node(afs_ptserver_t)
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_bind_generic_node(afs_ptserver_t)
+corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+files_read_etc_files(afs_ptserver_t)
+
+miscfiles_read_localization(afs_ptserver_t)
+
+sysnet_read_config(afs_ptserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
+########################################
+#
+# vlserver local policy
+#
+
+allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+allow afs_vlserver_t self:udp_socket create_socket_perms;
+
+read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_node(afs_vlserver_t)
+corenet_udp_sendrecv_generic_node(afs_vlserver_t)
+corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_bind_generic_node(afs_vlserver_t)
+corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+files_read_etc_files(afs_vlserver_t)
+
+miscfiles_read_localization(afs_vlserver_t)
+
+sysnet_read_config(afs_vlserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
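Review bot: `allow afs_t self:fifo_file rw_file_perms;` in the client section uses the generic file permission set on a fifo, while every other fifo rule in this commit (`afs_fsserver_t`, `acct_t`, `aiccu_t`, `aisexec_t`) uses `rw_fifo_file_perms`; change it to `allow afs_t self:fifo_file rw_fifo_file_perms;` for consistency. In the fileserver section `read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)` plus the explicit `list_dir_perms` rule are fully subsumed by the `manage_dirs_pattern`/`manage_files_pattern` on `afs_config_t` four lines later, so the read rules are dead. Every domain in this file also receives `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` even though each server binds a dedicated `afs_*_port`; if the servers only exchange traffic on those ports (inferred), restricting sendrecv to them would be the tighter policy.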
diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc
new file mode 100644
index 00000000..069518f9
--- /dev/null
+++ b/policy/modules/contrib/aiccu.fc
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
new file mode 100644
index 00000000..184c9a80
--- /dev/null
+++ b/policy/modules/contrib/aiccu.if
@@ -0,0 +1,95 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+ gen_require(`
+ type aiccu_t, aiccu_exec_t;
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read aiccu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+ gen_require(`
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an aiccu environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, aiccu_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_list_pids($1)
+')
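Review bot: In `aiccu_domtrans` the `domtrans_pattern($1, aiccu_exec_t, aiccu_t)` call precedes `corecmd_search_bin($1)`, and in `aiccu_read_pid_files` the `allow` precedes `files_search_pids($1)`; the other domtrans/read interfaces in this commit (acct, ada, afs, aide) place the search rule first, so the order should match for readability. Swap the two lines in each interface: `corecmd_search_bin($1)` then `domtrans_pattern(...)`, and `files_search_pids($1)` then `allow $1 aiccu_var_run_t:file read_file_perms;`. No behavioural difference is implied, this is a style point.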
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
new file mode 100644
index 00000000..6d685baf
--- /dev/null
+++ b/policy/modules/contrib/aiccu.te
@@ -0,0 +1,76 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(aiccu_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(aiccu_t)
+ sysnet_dns_name_resolve(aiccu_t)
+')
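Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` grants the stream set (which includes `listen` and `accept`) on a datagram socket class; every other udp rule in this commit uses `create_socket_perms` (e.g. `afs_t`, `afs_bosserver_t`, `aisexec_t`), so this line should read `allow aiccu_t self:udp_socket create_socket_perms;`. The capability rule `allow aiccu_t self:capability { kill net_admin net_raw };` has no comment; `net_admin`/`net_raw` are plausible for a tunnel client that also gets `corenet_rw_tun_tap_dev`, but `kill` is unexplained and deserves a why-comment such as `# kill: confirm; net_admin/net_raw for tun setup`. `corecmd_exec_shell(aiccu_t)` likewise lacks a note on which scripts the daemon runs (inferred from the name only).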
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
new file mode 100644
index 00000000..7798464d
--- /dev/null
+++ b/policy/modules/contrib/aide.fc
@@ -0,0 +1,6 @@
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+
+/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+
+/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
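Review bot: `/var/lib/aide(/.*)` is missing the trailing `?`, so the `/var/lib/aide` directory itself is never matched and keeps the default `/var/lib` label while only its contents become `aide_db_t`; the entry two lines below, `/var/log/aide(/.*)?`, shows the intended form. Change it to `/var/lib/aide(/.*)?	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)`. Without this `aide_t` cannot create new database files in the directory through `manage_files_pattern(aide_t, aide_db_t, aide_db_t)` in aide.te, since the parent dir is not `aide_db_t`.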
diff --git a/policy/modules/contrib/aide.if b/policy/modules/contrib/aide.if
new file mode 100644
index 00000000..838d25b3
--- /dev/null
+++ b/policy/modules/contrib/aide.if
@@ -0,0 +1,71 @@
+## <summary>Aide filesystem integrity checker</summary>
+
+########################################
+## <summary>
+## Execute aide in the aide domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aide_domtrans',`
+ gen_require(`
+ type aide_t, aide_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, aide_exec_t, aide_t)
+')
+
+########################################
+## <summary>
+## Execute aide programs in the AIDE domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the AIDE domain.
+## </summary>
+## </param>
+#
+interface(`aide_run',`
+ gen_require(`
+ type aide_t;
+ ')
+
+ aide_domtrans($1)
+ role $2 types aide_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an aide environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+ gen_require(`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+ allow $1 aide_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aide_t)
+
+ files_list_etc($1)
+ admin_pattern($1, aide_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aide_log_t)
+')
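Review bot: `aide_admin` pairs `files_list_etc($1)` with `admin_pattern($1, aide_db_t)`, but aide.fc in this commit places `aide_db_t` under `/var/lib/aide`, so the directory-listing grant does not reach the database; `aisexecd_admin` in the same commit uses `files_list_var_lib($1)` before its `/var/lib` admin_pattern. Change the line to `files_list_var_lib($1)`, or keep `files_list_etc($1)` only if an `/etc` config type is added later (none is declared in aide.te here). The `<rolecap/>` tag with no `role` parameter is fine for an application domain, but a one-line comment stating that no role transition is needed would stop readers comparing it with `afs_admin`/`aiccu_admin`.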
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
new file mode 100644
index 00000000..2509dd2c
--- /dev/null
+++ b/policy/modules/contrib/aide.te
@@ -0,0 +1,42 @@
+policy_module(aide, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type aide_t;
+type aide_exec_t;
+application_domain(aide_t, aide_exec_t)
+
+# log files
+type aide_log_t;
+logging_log_file(aide_log_t)
+
+# aide database
+type aide_db_t;
+files_type(aide_db_t)
+
+########################################
+#
+# aide local policy
+#
+
+allow aide_t self:capability { dac_override fowner };
+
+# database actions
+manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+
+# logs
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+logging_log_filetrans(aide_t, aide_log_t, file)
+
+files_read_all_files(aide_t)
+
+logging_send_audit_msgs(aide_t)
+# AIDE can be configured to log to syslog
+logging_send_syslog_msg(aide_t)
+
+seutil_use_newrole_fds(aide_t)
+
+userdom_use_user_terminals(aide_t)
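Review bot: `allow aide_t self:capability { dac_override fowner };` is the one rule in this file without a why-comment, and `fowner` is a surprising grant for a tool whose other rules are read-oriented (`files_read_all_files(aide_t)`). `dac_override` is consistent with reading every file regardless of mode, but `fowner` is only needed to change ownership-checked attributes; if it is for the database or log files (inferred), document it, e.g. `# dac_override: read files regardless of DAC; fowner: chmod/utimes on aide_db_t/aide_log_t -- confirm`. If no such need can be shown, drop `fowner`.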
diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc
new file mode 100644
index 00000000..7b4f4b9e
--- /dev/null
+++ b/policy/modules/contrib/aisexec.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
new file mode 100644
index 00000000..0370dba1
--- /dev/null
+++ b/policy/modules/contrib/aisexec.if
@@ -0,0 +1,106 @@
+## <summary>Aisexec Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+ gen_require(`
+ type aisexec_t, aisexec_exec_t;
+ ')
+
+ domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+## Connect to aisexec over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+ gen_require(`
+ type aisexec_t, aisexec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read aisexec's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+ gen_require(`
+ type aisexec_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+ read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an aisexec environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the aisexecd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+ gen_require(`
+ type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+ type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+ type aisexec_initrc_exec_t;
+ ')
+
+ allow $1 aisexec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aisexec_t)
+
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, aisexec_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aisexec_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, aisexec_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, aisexec_tmp_t)
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
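Review bot: The admin interface is named `aisexecd_admin` and its role summary refers to "the aisexecd domain", while the module, every type and every other interface in this file use the `aisexec_` prefix; refpolicy interface names are keyed on the module prefix, so this should be `interface(`aisexec_admin',`` with the summary reading "the aisexec domain". `aisexec_domtrans` is also the only domtrans interface in this commit that omits `corecmd_search_bin($1)` before `domtrans_pattern($1, aisexec_exec_t, aisexec_t)`, so a caller without bin directory search cannot reach `/usr/sbin/aisexec`; add that line. The `#####` separator lines above `aisexec_stream_connect`, `aisexec_read_log` and `aisexecd_admin` are shorter than the 40-column rule used elsewhere in the commit.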
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
new file mode 100644
index 00000000..50b9b48b
--- /dev/null
+++ b/policy/modules/contrib/aisexec.te
@@ -0,0 +1,102 @@
+policy_module(aisexec, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t)
+
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# aisexec local policy
+#
+
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow aisexec_t self:unix_dgram_socket create_socket_perms;
+allow aisexec_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
+
+manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file })
+
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+optional_policy(`
+ ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+ rhcs_rw_fenced_semaphores(aisexec_t)
+
+ rhcs_rw_gfs_controld_semaphores(aisexec_t)
+ rhcs_rw_gfs_controld_shm(aisexec_t)
+
+ rhcs_rw_groupd_semaphores(aisexec_t)
+ rhcs_rw_groupd_shm(aisexec_t)
+')
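Review bot: `corenet_tcp_bind_reserved_port(aisexec_t)` grants a TCP port bind to a domain whose self rules (`udp_socket`, `unix_stream_socket`, `unix_dgram_socket`) never allow a tcp_socket to be created, so the line is either dead or a sign that `allow aisexec_t self:tcp_socket create_socket_perms;` was forgotten; one of the two should go. The UDP binds on `netsupport_port` and `cluster_port` also look incomplete, because bind() needs node_bind on the node type in addition to name_bind on the port — amanda.te in this same commit pairs its port binds with `corenet_udp_bind_generic_node`. Unless aisexec obtains node_bind through an interface not visible here, `corenet_udp_bind_generic_node(aisexec_t)` should sit next to the port rules.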
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
new file mode 100644
index 00000000..d362d9ce
--- /dev/null
+++ b/policy/modules/contrib/alsa.fc
@@ -0,0 +1,20 @@
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
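Review bot: Labelling `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` as `alsa_etc_rw_t` makes distribution-shipped content under /usr/share writable by alsa_t, since the module's .te grants `manage_files_pattern` on that type. If alsactl only reads those files, leaving them with the default usr label and relying on `files_read_usr_files(alsa_t)` keeps the writable type confined to /etc and /var; if they really are modified at runtime, a one-line comment above the two entries saying so would justify the exception.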
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
new file mode 100644
index 00000000..13926793
--- /dev/null
+++ b/policy/modules/contrib/alsa.if
@@ -0,0 +1,208 @@
+## <summary>Ainit ALSA configuration tool.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Alsa.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`alsa_domtrans',`
+ gen_require(`
+ type alsa_t, alsa_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, alsa_exec_t, alsa_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Alsa, and allow the specified role
+## the Alsa domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_run',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ alsa_domtrans($1)
+ role $2 types alsa_t;
+')
+
+########################################
+## <summary>
+## Read and write Alsa semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write Alsa shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read writable Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_rw_config',`
+ gen_require(`
+ type alsa_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
+')
+
+########################################
+## <summary>
+## Manage writable Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_rw_config',`
+ gen_require(`
+ type alsa_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
+')
+
+########################################
+## <summary>
+## Manage alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_relabel_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
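Review bot: `alsa_read_rw_config` and `alsa_manage_rw_config` grant `files_search_usr($1)` only inside `ifdef(`distro_debian',…)`, yet the .fc in this commit labels `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm` as `alsa_etc_rw_t` unconditionally, so callers on other distributions can read the type under /etc but cannot reach the copies under /usr/share. Either the ifdef guard should be dropped so `files_search_usr($1)` is always granted, or the /usr/share entries in alsa.fc should be guarded by the same `distro_debian` condition; the two files should agree.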
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
new file mode 100644
index 00000000..dc1b0880
--- /dev/null
+++ b/policy/modules/contrib/alsa.te
@@ -0,0 +1,84 @@
+policy_module(alsa, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type alsa_t;
+type alsa_exec_t;
+init_system_domain(alsa_t, alsa_exec_t)
+role system_r types alsa_t;
+
+type alsa_etc_rw_t;
+files_config_file(alsa_etc_rw_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
+
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+
+allow alsa_t alsa_home_t:file read_file_perms;
+
+manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
+manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
+files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+
+can_exec(alsa_t, alsa_exec_t)
+
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+
+manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+files_search_var_lib(alsa_t)
+
+kernel_read_system_state(alsa_t)
+
+dev_read_sound(alsa_t)
+dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
+
+corecmd_exec_bin(alsa_t)
+
+files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
+
+term_dontaudit_use_console(alsa_t)
+term_dontaudit_use_generic_ptys(alsa_t)
+term_dontaudit_use_all_ptys(alsa_t)
+
+auth_use_nsswitch(alsa_t)
+
+init_use_fds(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
+
+optional_policy(`
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
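Review bot: `allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };` lists both `dac_read_search` and `dac_override`, but `dac_override` already covers every check that `dac_read_search` bypasses, so the pair reads as if the narrower one were doing work. If alsactl only needs to traverse and read directories it does not own, `dac_read_search` alone is the least-privilege choice and `dac_override` should be dropped; if it must also write such files, drop `dac_read_search` and add a comment stating which path needs the override.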
diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc
new file mode 100644
index 00000000..e3e07011
--- /dev/null
+++ b/policy/modules/contrib/amanda.fc
@@ -0,0 +1,26 @@
+/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+# empty m4 string so the index macro is not invoked
+/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+
+/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
+/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+# the null string in here because index is a m4 builtin function
+/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
+
+/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/policy/modules/contrib/amanda.if b/policy/modules/contrib/amanda.if
new file mode 100644
index 00000000..8498e971
--- /dev/null
+++ b/policy/modules/contrib/amanda.if
@@ -0,0 +1,161 @@
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+ gen_require(`
+ type amanda_recover_t, amanda_recover_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amanda_run_recover',`
+ gen_require(`
+ type amanda_recover_t;
+ ')
+
+ amanda_domtrans_recover($1)
+ role $2 types amanda_recover_t;
+')
+
+########################################
+## <summary>
+## Search Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ dontaudit $1 amanda_dumpdates_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Read and write /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_manage_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and append amanda logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+ gen_require(`
+ type amanda_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+')
+
+#######################################
+## <summary>
+## Search Amanda var library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+ gen_require(`
+ type amanda_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
+')
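Review bot: The summary of `amanda_manage_lib` reads "Search Amanda library directories.", a copy of the `amanda_search_lib` summary above it; it should read `## Manage Amanda library directories.`. The body also grants only `amanda_usr_lib_t:dir manage_dir_perms` and nothing on files, so a caller can create and delete directories but not the files inside them; either the name and summary should say "directories" explicitly, or a `manage_files_pattern($1, amanda_usr_lib_t, amanda_usr_lib_t)` line is missing.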
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
new file mode 100644
index 00000000..46d467c1
--- /dev/null
+++ b/policy/modules/contrib/amanda.te
@@ -0,0 +1,211 @@
+policy_module(amanda, 1.13.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t, amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+type amanda_config_t;
+files_type(amanda_config_t)
+
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+type amanda_data_t;
+files_type(amanda_data_t)
+
+type amanda_recover_t;
+type amanda_recover_exec_t;
+application_domain(amanda_recover_t, amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+ prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+allow amanda_t amanda_amandates_t:file rw_file_perms;
+
+allow amanda_t amanda_config_t:file read_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+
+can_exec(amanda_t, amanda_exec_t)
+can_exec(amanda_t, amanda_inetd_exec_t)
+
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
+
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctls(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
+corenet_tcp_sendrecv_generic_if(amanda_t)
+corenet_udp_sendrecv_generic_if(amanda_t)
+corenet_raw_sendrecv_generic_if(amanda_t)
+corenet_tcp_sendrecv_generic_node(amanda_t)
+corenet_udp_sendrecv_generic_node(amanda_t)
+corenet_raw_sendrecv_generic_node(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_generic_node(amanda_t)
+corenet_udp_bind_generic_node(amanda_t)
+corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
+
+auth_use_nsswitch(amanda_t)
+auth_read_shadow(amanda_t)
+
+logging_send_syslog_msg(amanda_t)
+
+########################################
+#
+# Amanda recover local policy
+#
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctls(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
+corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+corenet_udp_sendrecv_generic_if(amanda_recover_t)
+corenet_tcp_sendrecv_generic_node(amanda_recover_t)
+corenet_udp_sendrecv_generic_node(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_generic_node(amanda_recover_t)
+corenet_udp_bind_generic_node(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+auth_use_nsswitch(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
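Review bot: `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` (the two lines after `auth_use_nsswitch(amanda_recover_t)`) act on amanda_t but are placed inside the "Amanda recover local policy" section, where every other rule targets amanda_recover_t; they belong in the amanda_t section above, and if fstools is not guaranteed to be built into the base policy they should be wrapped in `optional_policy(`…')` like the prelink call earlier in the file. The broad grants on amanda_t — `files_read_all_files`, `auth_read_shadow`, `storage_raw_read_fixed_disk` — are expected for a backup agent but carry no explanation; a comment such as `# backup client must read all files, including /etc/shadow, and raw disk devices` above them records the intent for the next reviewer.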
diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc
new file mode 100644
index 00000000..3b669107
--- /dev/null
+++ b/policy/modules/contrib/amavis.fc
@@ -0,0 +1,18 @@
+
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
+/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
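Review bot: The Debian-only entry `/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)` is already matched by the unconditional `/usr/sbin/amavisd.* --` line above it, because `.*` is unanchored and the two give the same type, so the `ifdef(`distro_debian',…)` block adds nothing. Either drop the block or tighten the generic pattern to the daemon binaries it is meant for, for example `/usr/sbin/amavisd(-new)? --`, so that the Debian entry becomes meaningful.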
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
new file mode 100644
index 00000000..e31d92a4
--- /dev/null
+++ b/policy/modules/contrib/amavis.if
@@ -0,0 +1,261 @@
+## <summary>
+## Daemon that interfaces mail transfer agents and content
+## checkers, such as virus scanners.
+## </summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+ gen_require(`
+ type amavis_t, amavis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amavis_exec_t, amavis_t)
+')
+
+########################################
+## <summary>
+## Execute amavis server in the amavis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_initrc_domtrans',`
+ gen_require(`
+ type amavis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Manage amavis spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
+ manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+## Create objects in the amavis spool directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+#
+interface(`amavis_spool_filetrans',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, amavis_spool_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Search amavis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an amavis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+ gen_require(`
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_etc_t, amavis_quarantine_t;
+ type amavis_initrc_exec_t;
+ ')
+
+ allow $1 amavis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amavis_t)
+
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, amavis_etc_t)
+
+ admin_pattern($1, amavis_quarantine_t)
+
+ files_list_spool($1)
+ admin_pattern($1, amavis_spool_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, amavis_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, amavis_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, amavis_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, amavis_var_run_t)
+')
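Review bot: The summary of `amavis_initrc_domtrans` says "Execute amavis server in the amavis domain.", but the body only calls `init_labeled_script_domtrans`, which transitions into the init script domain rather than into amavis_t; `## Execute amavis init scripts in the init script domain.` describes what it grants. Further down, `amavis_create_pid_files` is summarised as "Create of amavis pid files." and should read `## Create amavis pid files.`; since it grants only `create_file_perms` on the type with no file transition, a caller creating a file in /var/run gets the directory's default label unless a transition exists elsewhere, which the summary should state or which `files_pid_filetrans($1, amavis_var_run_t, file)` would provide.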
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
new file mode 100644
index 00000000..c4f59249
--- /dev/null
+++ b/policy/modules/contrib/amavis.te
@@ -0,0 +1,194 @@
+policy_module(amavis, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type amavis_t;
+type amavis_exec_t;
+domain_type(amavis_t)
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+# configuration files
+type amavis_etc_t;
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
+
+# pid files
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+# var/lib files
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+# log files
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+# tmp files
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+# virus quarantine
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# amavis local policy
+#
+
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process { signal sigchld sigkill signull };
+allow amavis_t self:fifo_file rw_fifo_file_perms;
+allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+allow amavis_t self:unix_dgram_socket create_socket_perms;
+allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+
+# configuration files
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+can_exec(amavis_t, amavis_exec_t)
+
+# mail quarantine
+manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+
+# Spool Files
+manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+files_search_spool(amavis_t)
+
+# tmp files
+manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+# var/lib files for amavis
+manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+files_search_var_lib(amavis_t)
+
+# log files
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(amavis_t)
+# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
+
+# find perl
+corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
+
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
+corenet_tcp_sendrecv_generic_if(amavis_t)
+corenet_tcp_sendrecv_generic_node(amavis_t)
+corenet_tcp_bind_generic_node(amavis_t)
+corenet_udp_bind_generic_node(amavis_t)
+# amavis uses well-defined ports
+corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
+corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
+# just the other side not. ;-)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+# connect to backchannel port
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+# bind to incoming port
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+
+files_read_etc_files(amavis_t)
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+
+fs_getattr_xattr_fs(amavis_t)
+
+auth_dontaudit_read_shadow(amavis_t)
+
+# uses uptime which reads utmp - redhat bug 561383
+init_read_utmp(amavis_t)
+init_stream_connect_script(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_generic_certs(amavis_t)
+miscfiles_read_localization(amavis_t)
+
+sysnet_dns_name_resolve(amavis_t)
+sysnet_use_ldap(amavis_t)
+
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+# Cron handling
+cron_use_fds(amavis_t)
+cron_use_system_job_fds(amavis_t)
+cron_rw_pipes(amavis_t)
+
+mta_read_config(amavis_t)
+
+optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
+ postfix_read_config(amavis_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
+')
+
+optional_policy(`
+ razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
+')
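Review bot: `corenet_tcp_sendrecv_all_ports(amavis_t)` under the comment `# just the other side not. ;-)` grants sendrecv on every port type, so the two amavisd-specific sendrecv lines just above it are subsumed and the comment does not explain what the broad rule is for. I would drop the two redundant lines and replace the comment with `# peers (MTA, content filters) use arbitrary ports; bind/connect stay restricted to the amavisd ports below`, since it is the bind and connect rules that actually bound exposure and that should be stated. If cron and mta are contrib modules in this tree, the unconditional `cron_*` and `mta_read_config` calls near the end of the hunk would also need `optional_policy` wrappers to build when those modules are not selected.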
diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc
new file mode 100644
index 00000000..d97160eb
--- /dev/null
+++ b/policy/modules/contrib/amtu.fc
@@ -0,0 +1 @@
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
new file mode 100644
index 00000000..be82315d
--- /dev/null
+++ b/policy/modules/contrib/amtu.if
@@ -0,0 +1,46 @@
+## <summary>Abstract Machine Test Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Amtu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amtu_domtrans',`
+ gen_require(`
+ type amtu_t, amtu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amtu_exec_t, amtu_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amtu, and allow the specified role
+## the Amtu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`amtu_run',`
+ gen_require(`
+ type amtu_t;
+ ')
+
+ amtu_domtrans($1)
+ role $2 types amtu_t;
+')
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
new file mode 100644
index 00000000..057abb0c
--- /dev/null
+++ b/policy/modules/contrib/amtu.te
@@ -0,0 +1,34 @@
+policy_module(amtu, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type amtu_t;
+type amtu_exec_t;
+domain_type(amtu_t)
+domain_entry_file(amtu_t, amtu_exec_t)
+
+########################################
+#
+# amtu local policy
+#
+
+kernel_read_system_state(amtu_t)
+
+files_manage_boot_files(amtu_t)
+files_read_etc_runtime_files(amtu_t)
+files_read_etc_files(amtu_t)
+
+logging_send_audit_msgs(amtu_t)
+
+userdom_use_user_terminals(amtu_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(amtu_t)
+')
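Review bot: `files_manage_boot_files(amtu_t)` gives the test utility create, write and delete access to everything labeled boot_t, which is the label for most of /boot, kernel images included; for a tool whose purpose is to attest machine correctness that is a wide write surface. If, as I would guess, the I/O test only needs to create and remove its own scratch file, a dedicated type with a `filetrans_pattern` from boot_t would keep the rest of /boot read-only to amtu_t — whether the test truly requires /boot rather than another filesystem should be confirmed against the amtu source. At minimum the rule deserves a comment, e.g. `# TODO(review): document which amtu test requires write access to /boot`.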
diff --git a/policy/modules/contrib/anaconda.fc b/policy/modules/contrib/anaconda.fc
new file mode 100644
index 00000000..b098089d
--- /dev/null
+++ b/policy/modules/contrib/anaconda.fc
@@ -0,0 +1 @@
+# No file context specifications.
diff --git a/policy/modules/contrib/anaconda.if b/policy/modules/contrib/anaconda.if
new file mode 100644
index 00000000..14a61b7e
--- /dev/null
+++ b/policy/modules/contrib/anaconda.if
@@ -0,0 +1 @@
+## <summary>Anaconda installer.</summary>
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
new file mode 100644
index 00000000..e81bdbd7
--- /dev/null
+++ b/policy/modules/contrib/anaconda.te
@@ -0,0 +1,59 @@
+policy_module(anaconda, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+type anaconda_exec_t;
+domain_type(anaconda_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+allow anaconda_t self:process execmem;
+
+kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+init_domtrans_script(anaconda_t)
+
+libs_domtrans_ldconfig(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans_insmod(anaconda_t)
+modutils_domtrans_depmod(anaconda_t)
+
+seutil_domtrans_semanage(anaconda_t)
+
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ kudzu_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
+ udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_admin_passwd(anaconda_t)
+')
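Review bot: With the `unconfined_domain(anaconda_t)` optional block present, every domtrans and specific allow above it is redundant on systems that ship the unconfined module, and nothing in the file says so; a header comment such as `# anaconda_t is effectively unconfined when the unconfined module is loaded; the explicit rules below only matter on builds without it` would spare the next reader working that out. Separately, `anaconda_exec_t` is declared but the companion anaconda.fc carries no file contexts and the .te gives the type no `files_type`/`domain_entry_file` beyond what `kernel_domtrans_to` pulls in, so a comment should state how the installer binary ends up with that label (presumably via the install media's labeling) — I cannot tell from this diff.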
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
new file mode 100644
index 00000000..9e39aa5b
--- /dev/null
+++ b/policy/modules/contrib/apache.fc
@@ -0,0 +1,111 @@
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
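Review bot: `/var/lib/php/session(/.*)?` is labeled `httpd_var_run_t`, the same type as the pid files and sockets under /var/run, so PHP session data — which normally holds authenticated-session state — becomes readable by any domain that is granted access to httpd's pid files elsewhere in the policy (the rest of apache.if lies outside this chunk, so I cannot enumerate those interfaces here). A dedicated type for session storage would keep session data out of the pid-file grant; if the shared label is deliberate, a comment such as `# PHP sessions share the pid-file type: any domain allowed httpd_var_run_t can read session state` should record it. Minor style: `/var/cache/mod_.*` and `/var/cache/php-.*` already cover the mod_gnutls/mod_proxy/mod_ssl and php-eaccelerator/php-mmcache entries beneath them, and the viewvc line has a stray space in `gen_context(..., s0)` that no other entry has.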
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
new file mode 100644
index 00000000..53b982ed
--- /dev/null
+++ b/policy/modules/contrib/apache.if
@@ -0,0 +1,1324 @@
+## <summary>Apache web server</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_exec_scripts;
+ attribute httpd_script_exec_type;
+ attribute httpd_rw_content;
+ attribute httpd_ra_content;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
+ # allow write access to public file transfer
+ # services files.
+ gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+ type httpd_$1_content_t, httpdcontent; # customizable
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t; # customizable;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type httpd_$1_script_t;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+
+ append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+ logging_search_logs(httpd_$1_script_t)
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
+ dev_read_rand(httpd_$1_script_t)
+ dev_read_urand(httpd_$1_script_t)
+
+ corecmd_exec_all_executables(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+ files_search_home(httpd_$1_script_t)
+
+ libs_exec_ld_so(httpd_$1_script_t)
+ libs_exec_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_fonts(httpd_$1_script_t)
+ miscfiles_read_public_files(httpd_$1_script_t)
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:file entrypoint;
+
+ manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+
+ tunable_policy(`allow_httpd_$1_script_anon_write',`
+ miscfiles_manage_public_files(httpd_$1_script_t)
+ ')
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+ allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+
+ fs_getattr_xattr_fs(httpd_$1_script_t)
+
+ files_read_etc_runtime_files(httpd_$1_script_t)
+ files_read_usr_files(httpd_$1_script_t)
+
+ libs_read_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ nscd_socket_use(httpd_$1_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for apache
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_user_content_t, httpd_user_htaccess_t;
+ type httpd_user_script_t, httpd_user_script_exec_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read httpd user scripts executables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_scripts',`
+ gen_require(`
+ type httpd_user_script_exec_t;
+ ')
+
+ allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+')
+
+########################################
+## <summary>
+## Read user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+## Transition to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+')
+
+#######################################
+## <summary>
+## Send a generic signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signull',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from Apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_use_fds',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read all appendable content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpdcontent, httpdcontent)
+ manage_files_pattern($1, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the APACHE cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write Apache cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## apache configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
+ manage_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_helper',`
+ gen_require(`
+ type httpd_helper_t, httpd_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
+')
+
+########################################
+## <summary>
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the Apache helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+ role $2 types httpd_helper_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the
+## Apache logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## to apache log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search Apache
+## module directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_search_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute
+## apache modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_rotatelogs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to list
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Execute all web scripts in the system
+## script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts;
+ ')
+
+ typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+## <summary>
+## Execute all user scripts in the user
+## script domain. Add user script domains
+## to the specified role.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access..
+## </summary>
+## </param>
+#
+interface(`apache_run_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_domains;
+ ')
+
+ role $2 types httpd_script_domains;
+ apache_domtrans_all_scripts($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache squirrelmail data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## apache squirrelmail data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Search apache system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read apache system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+## <summary>
+## Search apache system CGI directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_scripts',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_script_exec_t;
+ ')
+
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete all user web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_user_content',`
+ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+')
+
+########################################
+## <summary>
+## Search system script state directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Execute CGI in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute CGI in the specified domain.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain run the cgi script in.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## Type of the executable to enter the cgi domain.
+## </summary>
+## </param>
+#
+interface(`apache_cgi_domain',`
+ gen_require(`
+ type httpd_t, httpd_sys_script_exec_t;
+ ')
+
+ domtrans_pattern(httpd_t, $2, $1)
+ apache_search_sys_scripts($1)
+
+ allow httpd_t $1:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+
+ type httpd_t, httpd_config_t, httpd_log_t;
+ type httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_initrc_exec_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+ files_search_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+
+ admin_pattern($1, httpd_lock_t)
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+')
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
new file mode 100644
index 00000000..18d44040
--- /dev/null
+++ b/policy/modules/contrib/apache.te
@@ -0,0 +1,915 @@
+policy_module(apache, 2.3.0)
+
+#
+# NOTES:
+# This policy will work with SUEXEC enabled as part of the Apache
+# configuration. However, the user CGI scripts will run under the
+# system_u:system_r:httpd_user_script_t.
+#
+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
+# type, and the directory containing the scripts should also be labeled
+# with these types. This policy allows the user role to perform that
+# relabeling. If it is desired that only admin role should be able to relabel
+# the user CGI scripts, then relabel rule for user roles should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server, false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm, false)
+
+## <desc>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
+## </desc>
+gen_tunable(httpd_unified, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow httpd to run gpg
+## </p>
+## </desc>
+gen_tunable(httpd_use_gpg, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
+attribute httpdcontent;
+attribute httpd_ra_content;
+attribute httpd_rw_content;
+attribute httpd_user_content_type;
+
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
+
+# user script domains
+attribute httpd_script_domains;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
+
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
+domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+typealias httpd_sys_content_t alias ntop_http_content_t;
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+apache_content_template(user)
+ubac_constrained(httpd_user_script_t)
+userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_ra_content_t)
+userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
+typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
+typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
+typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
+typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
+# for apache2 memory mapped files
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+optional_policy(`
+ prelink_object_file(httpd_modules_t)
+')
+
+########################################
+#
+# Apache server local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
+allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:fd use;
+allow httpd_t self:sock_file read_sock_file_perms;
+allow httpd_t self:fifo_file rw_fifo_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+
+# Allow httpd_t to put files in /var/cache/httpd etc
+manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+
+# Allow the httpd_t to read the web servers config files
+allow httpd_t httpd_config_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+
+can_exec(httpd_t, httpd_exec_t)
+
+allow httpd_t httpd_lock_t:file manage_file_perms;
+files_lock_filetrans(httpd_t, httpd_lock_t, file)
+
+allow httpd_t httpd_log_t:dir setattr;
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+allow httpd_t httpd_modules_t:dir list_dir_perms;
+mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
+allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+
+allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+
+manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+
+manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+kernel_read_kernel_sysctls(httpd_t)
+# for modules that want to access /proc/meminfo
+kernel_read_system_state(httpd_t)
+
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
+corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
+corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
+corenet_tcp_bind_generic_node(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+# Signal self for shutdown
+corenet_tcp_connect_http_port(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+
+files_dontaudit_getattr_all_pids(httpd_t)
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
+files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+files_read_etc_files(httpd_t)
+# for tomcat
+files_read_var_lib_symlinks(httpd_t)
+
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+libs_read_lib_files(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+miscfiles_read_public_files(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+userdom_use_unpriv_users_fds(httpd_t)
+
+tunable_policy(`allow_httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+')
+
+ifdef(`TODO', `
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chk_passwd(httpd_t)
+')
+')
+
+tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+')
+
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
+
+tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
+',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
+')
+
+optional_policy(`
+ calamaris_read_www_files(httpd_t)
+')
+
+optional_policy(`
+ ccs_read_config(httpd_t)
+')
+
+optional_policy(`
+ cobbler_search_lib(httpd_t)
+')
+
+optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
+ optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans(httpd_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
+')
+
+optional_policy(`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
+ mailman_search_data(httpd_t)
+ mailman_read_archive(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
+ mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ nagios_read_config(httpd_t)
+')
+
+optional_policy(`
+ openca_domtrans(httpd_t)
+ openca_signal(httpd_t)
+ openca_sigstop(httpd_t)
+ openca_kill(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+')
+
+optional_policy(`
+ udev_read_db(httpd_t)
+')
+
+optional_policy(`
+ yam_read_content(httpd_t)
+')
+
+########################################
+#
+# Apache helper local policy
+#
+
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+allow httpd_helper_t httpd_config_t:file read_file_perms;
+
+allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+logging_send_syslog_msg(httpd_helper_t)
+
+userdom_use_user_terminals(httpd_helper_t)
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+')
+
+########################################
+#
+# Apache suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
+
+manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+files_read_etc_files(httpd_suexec_t)
+files_read_usr_files(httpd_suexec_t)
+files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
+
+auth_use_nsswitch(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
+
+tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+ corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+#
+# Apache system script local policy
+#
+
+allow httpd_sys_script_t self:process getsched;
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
+
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+')
+
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
+')
+
+########################################
+#
+# httpd_rotatelogs local policy
+#
+
+allow httpd_rotatelogs_t self:capability dac_override;
+
+manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+files_read_etc_files(httpd_rotatelogs_t)
+
+logging_search_logs(httpd_rotatelogs_t)
+
+miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
+########################################
+#
+# User content local policy
+#
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+')
+
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_t)
+ userdom_search_user_home_dirs(httpd_suexec_t)
+ userdom_search_user_home_dirs(httpd_user_script_t)
+')
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
new file mode 100644
index 00000000..cd07b96e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
new file mode 100644
index 00000000..e342775e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.if
@@ -0,0 +1,168 @@
+## <summary>APC UPS monitoring daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run apcupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_domtrans',`
+ gen_require(`
+ type apcupsd_t, apcupsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
+')
+
+########################################
+## <summary>
+## Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read apcupsd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_read_pid_files',`
+ gen_require(`
+ type apcupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apcupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read apcupsd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_read_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## apcupsd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_append_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ ')
+
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
+ domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an apcupsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the apcupsd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t;
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t;
+ type apcupsd_initrc_exec_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, apcupsd_t)
+
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, apcupsd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, apcupsd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, apcupsd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
+')
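Review bot: `apcupsd_admin` calls `apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` with two arguments, but the interface defined earlier in this hunk declares only `$1` and pulls `apcupsd_initrc_exec_t` in through its own gen_require, so the second argument is silently discarded by m4. The call should read `apcupsd_initrc_domtrans($1)`, matching how the other single-parameter interfaces in this file are invoked. The interface also grants `ptrace` over `apcupsd_t:process` without saying so in its summary; a one-line note such as `## Grants ptrace over apcupsd_t; restrict to trusted admin roles.` would make what the admin role receives explicit.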
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
new file mode 100644
index 00000000..d052bf0e
--- /dev/null
+++ b/policy/modules/contrib/apcupsd.te
@@ -0,0 +1,127 @@
+policy_module(apcupsd, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type apcupsd_t;
+type apcupsd_exec_t;
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
+files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
+########################################
+#
+# apcupsd local policy
+#
+
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+allow apcupsd_t apcupsd_log_t:dir setattr;
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir })
+
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
+files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_generic_node(apcupsd_t)
+corenet_tcp_sendrecv_all_ports(apcupsd_t)
+corenet_tcp_bind_generic_node(apcupsd_t)
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
+# Init script handling
+domain_use_interactive_fds(apcupsd_t)
+
+files_read_etc_files(apcupsd_t)
+files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t, file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
+
+miscfiles_read_localization(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
+optional_policy(`
+ hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(apcupsd_cgi)
+
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
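Review bot: `allow apcupsd_t self:fifo_file rw_file_perms;` uses the regular-file permission set on the fifo_file class, while the other domains added in this diff (`apmd_t`, `httpd_php_t`) use `rw_fifo_file_perms` for the same object class. Both sets appear to expand to the common file read/write permissions, so this is a consistency point rather than a behaviour change; `allow apcupsd_t self:fifo_file rw_fifo_file_perms;` keeps the module uniform. The `files_manage_etc_runtime_files` rule is justified only by `# Creates /etc/nologin`, yet together with `init_telinit` and `term_use_unallocated_ttys` it is part of the daemon's system-halt path that the later `#apcupsd runs shutdown` comment already flags as wanting its own domain; cross-referencing that from here, e.g. `# shutdown path; see note below about a dedicated shutdown domain`, would help a reader see these rules as one group.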
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
new file mode 100644
index 00000000..01237771
--- /dev/null
+++ b/policy/modules/contrib/apm.fc
@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
new file mode 100644
index 00000000..1ea99b29
--- /dev/null
+++ b/policy/modules/contrib/apm.if
@@ -0,0 +1,113 @@
+## <summary>Advanced power management daemon</summary>
+
+########################################
+## <summary>
+## Execute APM in the apm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apm_domtrans_client',`
+ gen_require(`
+ type apm_t, apm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apm_exec_t, apm_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for apmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_use_fds',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fd use;
+')
+
+########################################
+## <summary>
+## Write to apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_write_pipes',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write to an apm unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_rw_stream_sockets',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Append to apm's log file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_append_log',`
+ gen_require(`
+ type apmd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apmd_log_t:file append;
+')
+
+########################################
+## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apm_stream_connect',`
+ gen_require(`
+ type apmd_t, apmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apmd_var_run_t:sock_file write;
+ allow $1 apmd_t:unix_stream_socket connectto;
+')
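Review bot: `apm_append_log` grants only `append` on `apmd_log_t:file`; a caller still has to open the log, and on policies with the open_perms capability that also needs `open`, so the interface is likely unusable on its own. The sibling `apcupsd_append_log` in this same diff uses `append_file_perms`, which covers open/getattr/lock, and this one should match: `allow $1 apmd_log_t:file append_file_perms;`. `apm_stream_connect` spells out the sock_file `write` plus `connectto` pair by hand; `stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)` expresses the same rule in the form used elsewhere in refpolicy, though that is a style preference.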
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
new file mode 100644
index 00000000..1c8c27e4
--- /dev/null
+++ b/policy/modules/contrib/apm.te
@@ -0,0 +1,232 @@
+policy_module(apm, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t, apmd_exec_t)
+
+type apm_t;
+type apm_exec_t;
+application_domain(apm_t, apm_exec_t)
+role system_r types apm_t;
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_tmp_t;
+files_tmp_file(apmd_tmp_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+ type apmd_lock_t;
+ files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+ type apmd_var_lib_t;
+ files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_interactive_fds(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file manage_file_perms;
+logging_log_filetrans(apmd_t, apmd_log_t, file)
+
+manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
+
+manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(apmd_t)
+kernel_rw_all_sysctls(apmd_t)
+kernel_read_system_state(apmd_t)
+kernel_write_proc_files(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+selinux_search_fs(apmd_t)
+
+corecmd_exec_all_executables(apmd_t)
+
+domain_read_all_domains_state(apmd_t)
+domain_dontaudit_ptrace_all_domains(apmd_t)
+domain_use_interactive_fds(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_rw_utmp(apmd_t)
+init_telinit(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+miscfiles_read_hwdata(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_config(apmd_t)
+
+seutil_dontaudit_read_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+userdom_dontaudit_search_user_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
+
+ifdef(`distro_redhat',`
+ allow apmd_t apmd_lock_t:file manage_file_perms;
+ files_lock_filetrans(apmd_t, apmd_lock_t, file)
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+ netutils_domtrans(apmd_t)
+ ')
+
+',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
+')
+
+ifdef(`distro_suse',`
+ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
+')
+
+optional_policy(`
+ automount_domtrans(apmd_t)
+')
+
+optional_policy(`
+ clock_domtrans(apmd_t)
+ clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`
+ cron_system_entry(apmd_t, apmd_exec_t)
+ cron_anacron_domtrans_system_job(apmd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(apmd_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(apmd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(apmd_t)
+ ')
+')
+
+optional_policy(`
+ logrotate_use_fds(apmd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apmd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(apmd_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`
+ udev_read_db(apmd_t)
+ udev_read_state(apmd_t) #necessary?
+')
+
+optional_policy(`
+ unconfined_domain(apmd_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(apmd_t)
+')
+
+# cjp: related to sleep/resume (?)
+optional_policy(`
+ xserver_domtrans(apmd_t)
+')
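Review bot: The `optional_policy(` block granting `unconfined_domain(apmd_t)` carries no comment explaining why, and it renders every other rule for `apmd_t` in this file, including the many lines marked `# Excessive?`, moot whenever the unconfined module is loaded. If the intent is that apmd must run arbitrary administrator-supplied power scripts (the `corecmd_exec_all_executables`, `kernel_rw_all_sysctls` and `kernel_write_proc_files` rules point that way), say so next to the rule, e.g. `# apmd runs arbitrary admin-supplied power scripts that confined policy cannot model; unconfined when that module is available`, or gate it behind a tunable so administrators opt in explicitly. Without that, a reader cannot tell whether the unconfined rule is a deliberate design choice or a leftover.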
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
new file mode 100644
index 00000000..0a29b893
--- /dev/null
+++ b/policy/modules/contrib/apt.fc
@@ -0,0 +1,21 @@
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
new file mode 100644
index 00000000..e696b80c
--- /dev/null
+++ b/policy/modules/contrib/apt.if
@@ -0,0 +1,225 @@
+## <summary>APT advanced package tool.</summary>
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apt_exec_t, apt_t)
+')
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the apt domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apt_run',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ apt_domtrans($1)
+ role $2 types apt_t;
+ # TODO: likely have to add dpkg_run here.
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+ # TODO: enforce dpkg_use_fd?
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
+ # TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+## <summary>
+## Read and write an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+ # TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+## <summary>
+## Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read the apt package cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir write;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ # cjp: shouldnt this be manage_lnk_files?
+ rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+')
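Review bot: `apt_rw_pipes` grants `rw_file_perms` on a `fifo_file` object, which is the file permission set, not the fifo one; the sibling `apt_read_pipes` uses `read_fifo_file_perms` and apt.te itself uses `self:fifo_file rw_fifo_file_perms`, so the line should read `allow $1 apt_t:fifo_file rw_fifo_file_perms;`. The mismatch is harmless only while the two permission sets happen to coincide, and it breaks the convention every other pipe interface on this page follows. The three "TODO: enforce dpkg_*" comments and the "cjp: shouldnt this be manage_lnk_files?" question are left open by the commit; if they are intended to stay, a short note on why `apt_manage_db` uses rw + delete instead of manage would help the next reader.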
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
new file mode 100644
index 00000000..8555315d
--- /dev/null
+++ b/policy/modules/contrib/apt.te
@@ -0,0 +1,162 @@
+policy_module(apt, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t, apt_exec_t)
+domain_system_change_exemption(apt_t)
+role system_r types apt_t;
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# aptitude log file
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_fifo_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t, apt_lock_t, {dir file})
+
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Access /var/cache/apt files
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
+
+# Access /var/lib/apt files
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+logging_log_filetrans(apt_t, apt_var_log_t, file)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
+corenet_tcp_sendrecv_generic_if(apt_t)
+corenet_udp_sendrecv_generic_if(apt_t)
+corenet_tcp_sendrecv_generic_node(apt_t)
+corenet_udp_sendrecv_generic_node(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+# TODO: really allow all these?
+corenet_tcp_bind_generic_node(apt_t)
+corenet_udp_bind_generic_node(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+corenet_sendrecv_all_client_packets(apt_t)
+
+dev_read_urand(apt_t)
+
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+fs_getattr_all_fs(apt_t)
+
+term_create_pty(apt_t, apt_devpts_t)
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+userdom_use_user_terminals(apt_t)
+
+# with boolean, for cron-apt and such?
+#optional_policy(`
+# cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`
+ # dpkg interaction
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
+
+optional_policy(`
+ unconfined_domain(apt_t)
+')
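Review bot: `files_var_filetrans(apt_t, apt_var_cache_t, dir)` and `files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)` declare a type transition for directories, but the only access on those types is `manage_files_pattern`, which gives `rw_dir_perms` on the directory and never `create`; the directory transition can therefore never succeed. Either add `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` and `manage_dirs_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)`, or narrow both filetrans calls to `file` so the policy says what it actually allows. The two `self:unix_dgram_socket` and `self:unix_stream_socket` rules are each split over two lines; merging them (`allow apt_t self:unix_dgram_socket { create_socket_perms sendto };`) keeps the self-rule block readable.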
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
new file mode 100644
index 00000000..a86a6c71
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
new file mode 100644
index 00000000..c804110a
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.if
@@ -0,0 +1,156 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+## Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+ gen_require(`
+ type arpwatch_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search arpwatch's data file directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_search_data',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 arpwatch_data_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create arpwatch data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
+')
+
+########################################
+## <summary>
+## Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type arpwatch_t;
+ ')
+
+ dontaudit $1 arpwatch_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an arpwatch environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the arpwatch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_initrc_exec_t;
+ ')
+
+ allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, arpwatch_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, arpwatch_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
+')
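Review bot: The summary of `arpwatch_manage_tmp_files` is a copy of the one on `arpwatch_rw_tmp_files` ("Read and write arpwatch temporary files"), although the body grants `manage_file_perms`; it should read `## Create, read, write, and delete arpwatch temporary files.` Likewise `arpwatch_manage_data_files` is documented as "Create arpwatch data files" while it grants the full manage pattern, so `## Create, read, write, and delete arpwatch data files.` is the accurate wording. Interface summaries are what admins read when deciding what a call hands out, so understating a manage interface is the kind of doc error that leads to over-granting.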
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
new file mode 100644
index 00000000..804135f9
--- /dev/null
+++ b/policy/modules/contrib/arpwatch.te
@@ -0,0 +1,98 @@
+policy_module(arpwatch, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t, arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket create_socket_perms;
+
+manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+
+manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+kernel_read_network_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
+
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+corecmd_read_bin_symlinks(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+auth_use_nsswitch(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+ udev_read_db(arpwatch_t)
+')
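Review bot: `mta_send_mail(arpwatch_t)` is called unconditionally, while every other module on this page wraps the same call in an `optional_policy` block (the apmd and asterisk hunks do). As written the arpwatch module cannot be loaded without the mta module; wrapping it the same way removes the hard dependency and matches the file's own handling of `seutil_sigchld_newrole` and `udev_read_db` a few lines below. `dev_read_usbmon_dev` and `dev_rw_generic_usb_dev` for an Ethernet monitor are not obvious from the name alone; a one-line comment on why arpwatch needs USB device access would help whoever audits this domain later.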
diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc
new file mode 100644
index 00000000..b4889d40
--- /dev/null
+++ b/policy/modules/contrib/asterisk.fc
@@ -0,0 +1,9 @@
+/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+
+/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
+/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0)
+/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
new file mode 100644
index 00000000..bd6273f1
--- /dev/null
+++ b/policy/modules/contrib/asterisk.if
@@ -0,0 +1,135 @@
+## <summary>Asterisk IP telephony server</summary>
+
+######################################
+## <summary>
+## Execute asterisk in the asterisk domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`asterisk_domtrans',`
+ gen_require(`
+ type asterisk_t, asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
+#####################################
+## <summary>
+## Connect to asterisk over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`asterisk_stream_connect',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an asterisk environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the asterisk domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+ type asterisk_var_lib_t;
+ type asterisk_initrc_exec_t;
+ ')
+
+ allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, asterisk_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, asterisk_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, asterisk_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, asterisk_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, asterisk_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, asterisk_var_run_t)
+')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk log files and directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk log files and
+## directories
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+ gen_require(`
+ type asterisk_log_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+ setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk PID files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk PID files
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+ gen_require(`
+ type asterisk_var_run_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+
+ files_search_pids($1)
+')
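Review bot: The interface banners in this file vary in width (the ones above `asterisk_domtrans`, `asterisk_stream_connect`, `asterisk_setattr_logs` and `asterisk_setattr_pid_files` are shorter than the forty-character `########################################` used everywhere else on this page), and the module summary line lacks the trailing period the other modules use. Normalising the banners and writing `## <summary>Asterisk IP telephony server.</summary>` is cosmetic, but the refpolicy docs are generated from these headers, so consistency is worth keeping from the first commit.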
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
new file mode 100644
index 00000000..dda6c5e5
--- /dev/null
+++ b/policy/modules/contrib/asterisk.te
@@ -0,0 +1,172 @@
+policy_module(asterisk, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t, asterisk_exec_t)
+application_executable_file(asterisk_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
+dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket { connectto listen accept };
+allow asterisk_t self:tcp_socket create_stream_socket_perms;
+allow asterisk_t self:udp_socket create_socket_perms;
+
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+files_search_etc(asterisk_t)
+
+can_exec(asterisk_t, asterisk_exec_t)
+
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+
+manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
+manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+
+kernel_read_system_state(asterisk_t)
+kernel_read_kernel_sysctls(asterisk_t)
+kernel_request_load_module(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
+
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_generic_node(asterisk_t)
+corenet_udp_sendrecv_generic_node(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_generic_node(asterisk_t)
+corenet_udp_bind_generic_node(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_sip_port(asterisk_t)
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+# for VOIP voice channels.
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
+corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
+
+dev_rw_generic_usb_dev(asterisk_t)
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
+dev_read_urand(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_etc_files(asterisk_t)
+files_search_spool(asterisk_t)
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+files_read_usr_files(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
+fs_read_anon_inodefs_files(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+auth_use_nsswitch(asterisk_t)
+
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+optional_policy(`
+ mysql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ mta_send_mail(asterisk_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(asterisk_t)
+ snmp_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ udev_read_db(asterisk_t)
+')
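Review bot: `logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })` declares a directory transition, but the only rule on `asterisk_log_t` is `manage_files_pattern`, which carries no `create` on directories, so the `dir` part of the transition cannot fire; the same applies to the `dir` in `fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, ...)`, where `asterisk_tmpfs_t` has file, lnk_file, fifo and sock patterns but no `manage_dirs_pattern`. Either add `manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)` and `manage_dirs_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)`, or drop `dir` from the two filetrans calls. `allow asterisk_t self:unix_stream_socket { connectto listen accept };` grants listen/accept without create or bind on the same class, which looks incomplete unless the sockets are always inherited; worth confirming against the daemon's startup.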
diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc
new file mode 100644
index 00000000..48cf11b4
--- /dev/null
+++ b/policy/modules/contrib/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if
new file mode 100644
index 00000000..d28020f1
--- /dev/null
+++ b/policy/modules/contrib/authbind.if
@@ -0,0 +1,20 @@
+## <summary>Tool for non-root processes to bind to reserved ports</summary>
+
+########################################
+## <summary>
+## Use authbind to bind to a reserved port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authbind_domtrans',`
+ gen_require(`
+ type authbind_t, authbind_exec_t;
+ ')
+
+ domtrans_pattern($1, authbind_exec_t, authbind_t)
+ allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
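Review bot: `authbind_domtrans` gives no search access to the directory holding the helper, which the .fc file places under `/usr/lib(64)?/authbind/`; every other domtrans interface on this page adds the corresponding search call (`corecmd_search_bin($1)`), and here the equivalent is `libs_search_lib($1)` before the `domtrans_pattern` line. The second rule hands `authbind_t` `rw_socket_perms` on the calling domain's TCP and UDP sockets, which is the whole point of the helper but reads as a surprising reverse grant; a comment such as `# the helper binds the socket it inherits from the caller` would make the intent explicit.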
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
new file mode 100644
index 00000000..b4285f76
--- /dev/null
+++ b/policy/modules/contrib/authbind.te
@@ -0,0 +1,31 @@
+policy_module(authbind, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+application_domain(authbind_t, authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+allow authbind_t authbind_etc_t:dir list_dir_perms;
+exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
new file mode 100644
index 00000000..f16ab681
--- /dev/null
+++ b/policy/modules/contrib/automount.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
new file mode 100644
index 00000000..d80a16b8
--- /dev/null
+++ b/policy/modules/contrib/automount.if
@@ -0,0 +1,168 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+## Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`automount_domtrans',`
+ gen_require(`
+ type automount_t, automount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, automount_exec_t, automount_t)
+')
+
+########################################
+## <summary>
+## Send automount a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute automount in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`automount_exec_config',`
+ refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+ files_exec_etc_files($1)
+')
+
+########################################
+## <summary>
+## Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`automount_read_state',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ read_files_pattern($1, automount_t, automount_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of automount temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ dontaudit $1 automount_tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an automount environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the automount domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+ allow $1 automount_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, automount_lock_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, automount_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
+')
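Review bot: The summary of `automount_dontaudit_use_fds` is missing its verb ("Do not audit attempts to file descriptors for automount."); it should read `## Do not audit attempts to use file descriptors for automount.` The summary of the deprecated `automount_exec_config` says "Execute automount in the caller domain" while the body calls `files_exec_etc_files`, so the description should match what the interface actually does. The header above `automount_signal` has a doubled `#` line, which the other interfaces do not.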
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
new file mode 100644
index 00000000..39799dba
--- /dev/null
+++ b/policy/modules/contrib/automount.te
@@ -0,0 +1,182 @@
+policy_module(automount, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t, automount_exec_t)
+
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_fifo_file_perms;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+allow automount_t self:tcp_socket create_stream_socket_perms;
+allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:rawip_socket create_socket_perms;
+
+can_exec(automount_t, automount_exec_t)
+
+allow automount_t automount_lock_t:file manage_file_perms;
+files_lock_filetrans(automount_t, automount_lock_t, file)
+
+manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+
+# Allow automount to create and delete directories in / and /home
+allow automount_t automount_tmp_t:dir manage_dir_perms;
+files_home_filetrans(automount_t, automount_tmp_t, dir)
+files_root_filetrans(automount_t, automount_tmp_t, dir)
+
+manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+files_search_boot(automount_t)
+# Automount is slowly adding all mount functionality internally
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
+
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
+fs_search_all(automount_t)
+
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_generic_node(automount_t)
+corenet_udp_sendrecv_generic_node(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_generic_node(automount_t)
+corenet_udp_bind_generic_node(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+corenet_sendrecv_all_client_packets(automount_t)
+# Automount execs showmount when you browse /net. This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+corenet_udp_bind_reserved_port(automount_t)
+corenet_udp_bind_all_rpc_ports(automount_t)
+
+dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
+# for SSP
+dev_read_rand(automount_t)
+dev_read_urand(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_list_mnt(automount_t)
+files_getattr_home_dir(automount_t)
+files_read_etc_files(automount_t)
+files_read_etc_runtime_files(automount_t)
+# for if the mount point is not labelled
+files_getattr_isid_type_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+# because config files can be shell scripts
+files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
+
+fs_getattr_all_fs(automount_t)
+fs_getattr_all_dirs(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
+fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
+
+storage_rw_fuse(automount_t)
+
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+auth_use_nsswitch(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_generic_certs(automount_t)
+
+# Run mount in the mount_t domain.
+mount_domtrans(automount_t)
+mount_signal(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+userdom_dontaudit_search_user_home_dirs(automount_t)
+
+optional_policy(`
+ bind_search_cache(automount_t)
+')
+
+optional_policy(`
+ fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(automount, automount_t)
+ kerberos_read_config(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(automount_t)
+')
+
+optional_policy(`
+ samba_read_config(automount_t)
+ samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+ udev_read_db(automount_t)
+')
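Review bot: `corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)` is a no-op as I read the corenetwork interfaces: the `corenet_tcp_connect_all_ports(automount_t)` line directly above it already allows name_connect on every port type, and reserved port types carry that same attribute, so there is nothing left to dontaudit; `corenet_tcp_connect_portmap_port(automount_t)` is subsumed the same way. Either drop the two redundant lines, or, if the intent is to limit automount to portmap plus the RPC ports it binds, drop `corenet_tcp_connect_all_ports` and keep the explicit ones. The `sys_admin dac_override` capabilities combined with `files_search_all`, `files_mounton_all_mountpoints`, `files_manage_non_security_dirs` and `fs_mount_all_fs` make this one of the broadest contrib domains in the commit; a short rationale beside the capability rule (`# sys_admin: mount(2)/umount(2) for autofs mountpoints`) would let the next reviewer judge each grant on its own rather than by the "slowly adding all mount functionality" comment alone.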
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
new file mode 100644
index 00000000..7e365494
--- /dev/null
+++ b/policy/modules/contrib/avahi.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
new file mode 100644
index 00000000..61c74bcc
--- /dev/null
+++ b/policy/modules/contrib/avahi.if
@@ -0,0 +1,166 @@
+## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+
+########################################
+## <summary>
+## Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_domtrans',`
+ gen_require(`
+ type avahi_exec_t, avahi_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Send avahi a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signal',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+## Send avahi a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_kill',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send avahi a signull
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## avahi over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_dbus_chat',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to avahi using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_stream_connect',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the avahi pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`avahi_dontaudit_search_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an avahi environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the avahi domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, avahi_t)
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
+')
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
new file mode 100644
index 00000000..a7a0e71a
--- /dev/null
+++ b/policy/modules/contrib/avahi.te
@@ -0,0 +1,112 @@
+policy_module(avahi, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t, avahi_exec_t)
+
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
+allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow avahi_t self:unix_dgram_socket create_socket_perms;
+allow avahi_t self:tcp_socket create_stream_socket_perms;
+allow avahi_t self:udp_socket create_socket_perms;
+allow avahi_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+
+kernel_read_system_state(avahi_t)
+kernel_read_kernel_sysctls(avahi_t)
+kernel_read_network_state(avahi_t)
+
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
+corenet_tcp_sendrecv_generic_if(avahi_t)
+corenet_udp_sendrecv_generic_if(avahi_t)
+corenet_tcp_sendrecv_generic_node(avahi_t)
+corenet_udp_sendrecv_generic_node(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_generic_node(avahi_t)
+corenet_udp_bind_generic_node(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+corenet_send_howl_client_packets(avahi_t)
+corenet_receive_howl_server_packets(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
+
+auth_use_nsswitch(avahi_t)
+
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
+
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+optional_policy(`
+ dbus_system_domain(avahi_t, avahi_exec_t)
+ dbus_system_bus_client(avahi_t)
+ dbus_connect_system_bus(avahi_t)
+
+ init_dbus_chat_script(avahi_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+ udev_read_db(avahi_t)
+')
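Review bot: `avahi_var_lib_t` is declared with `files_pid_file(avahi_var_lib_t)` although it labels `/var/lib/avahi-autoipd` in avahi.fc and is created through `files_var_lib_filetrans` in this hunk; that places persistent state under the pidfile attribute, so any domain granted blanket access to pid files (the files_*_all_pids family) silently gains access to it as well. Declare it as an ordinary file type, `files_type(avahi_var_lib_t)`, which is how awstats_var_lib_t and bacula_var_lib_t are declared elsewhere in this same commit. The sibling `avahi_var_run_t` is the type that belongs under files_pid_file and already is.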
diff --git a/policy/modules/contrib/awstats.fc b/policy/modules/contrib/awstats.fc
new file mode 100644
index 00000000..5f0fa49d
--- /dev/null
+++ b/policy/modules/contrib/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if
new file mode 100644
index 00000000..283ff0d1
--- /dev/null
+++ b/policy/modules/contrib/awstats.if
@@ -0,0 +1,42 @@
+## <summary>
+## AWStats is a free powerful and featureful tool that generates advanced
+## web, streaming, ftp or mail server statistics, graphically.
+## </summary>
+
+########################################
+## <summary>
+## Read and write awstats unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`awstats_rw_pipes',`
+ gen_require(`
+ type awstats_t;
+ ')
+
+ allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Execute awstats cgi scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`awstats_cgi_exec',`
+ gen_require(`
+ type httpd_awstats_script_exec_t, httpd_awstats_content_t;
+ ')
+
+ allow $1 httpd_awstats_content_t:dir search_dir_perms;
+ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_awstats_script_exec_t)
+')
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te
new file mode 100644
index 00000000..6bd3ad3c
--- /dev/null
+++ b/policy/modules/contrib/awstats.te
@@ -0,0 +1,85 @@
+policy_module(awstats, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+can_exec(awstats_t, awstats_exec_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+files_dontaudit_search_all_mountpoints(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ # dontaudit searching nscd pid directory
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
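Review bot: `awstats_rw_pipes(awstats_t)` and `awstats_cgi_exec(awstats_t)` call the module's own interfaces from its .te file; as I understand the refpolicy convention, a module grants its own domain access with direct rules and reserves interfaces for other modules, so the gen_require blocks those interfaces carry are redundant here. Writing `allow awstats_t self:fifo_file rw_fifo_file_perms;` next to the other local rules, and `can_exec(awstats_t, httpd_awstats_script_exec_t)` with its two search_dir_perms rules inline, would match the style of the other contrib modules in this commit. The inline form also keeps the self:fifo_file grant visible beside the rest of the domain's self rules instead of behind an interface name.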
diff --git a/policy/modules/contrib/backup.fc b/policy/modules/contrib/backup.fc
new file mode 100644
index 00000000..223b7f20
--- /dev/null
+++ b/policy/modules/contrib/backup.fc
@@ -0,0 +1,13 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+
+#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
+
+ifdef(`distro_debian',`
+/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
+')
+
+/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/policy/modules/contrib/backup.if b/policy/modules/contrib/backup.if
new file mode 100644
index 00000000..1017b7aa
--- /dev/null
+++ b/policy/modules/contrib/backup.if
@@ -0,0 +1,45 @@
+## <summary>System backup scripts</summary>
+
+########################################
+## <summary>
+## Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`backup_domtrans',`
+ gen_require(`
+ type backup_t, backup_exec_t;
+ ')
+
+ domtrans_pattern($1, backup_exec_t, backup_t)
+')
+
+########################################
+## <summary>
+## Execute backup in the backup domain, and
+## allow the specified role the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`backup_run',`
+ gen_require(`
+ type backup_t;
+ ')
+
+ backup_domtrans($1)
+ role $2 types backup_t;
+')
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
new file mode 100644
index 00000000..0bfc9588
--- /dev/null
+++ b/policy/modules/contrib/backup.te
@@ -0,0 +1,85 @@
+policy_module(backup, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type backup_t;
+type backup_exec_t;
+domain_type(backup_t)
+domain_entry_file(backup_t, backup_exec_t)
+role system_r types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability dac_override;
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_fifo_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:file setattr;
+manage_files_pattern(backup_t, backup_store_t, backup_store_t)
+rw_files_pattern(backup_t, backup_store_t, backup_store_t)
+read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+corecmd_exec_shell(backup_t)
+
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_udp_sendrecv_generic_if(backup_t)
+corenet_raw_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_generic_node(backup_t)
+corenet_udp_sendrecv_generic_node(backup_t)
+corenet_raw_sendrecv_generic_node(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+corenet_udp_sendrecv_all_ports(backup_t)
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+# for SSP
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+userdom_use_user_terminals(backup_t)
+
+optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(backup_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(backup_t)
+')
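Review bot: `allow backup_t backup_store_t:file setattr;` and `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` are both subsumed by the `manage_files_pattern(backup_t, backup_store_t, backup_store_t)` line between them, since manage_file_perms already includes setattr, read and write; the two extra rules only add noise. More substantively, this domain pairs `files_read_all_files(backup_t)` and `auth_read_shadow(backup_t)` with `corenet_tcp_connect_all_ports(backup_t)`, while backup.fc describes local cron jobs writing into /var/backups; a comment naming the remote backup target that needs the all-ports connect, or placing that line under a `tunable_policy` boolean, would make the shadow-read-plus-unrestricted-egress combination a visibly deliberate choice. The bacula.te hunk later in this commit grants bacula_t the same trio and would benefit from the same treatment.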
diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc
new file mode 100644
index 00000000..b70b6d29
--- /dev/null
+++ b/policy/modules/contrib/bacula.fc
@@ -0,0 +1,20 @@
+#
+# /usr
+#
+/usr/sbin/bacula-(.*)? -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+#
+# /etc
+#
+/etc/bacula(/.*)? gen_context(system_u:object_r:bacula_etc_t,s0)
+
+#
+# /var
+#
+/var/lib/bacula(/.*)? gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+# A separate disk for backups mounted at /bacula or beginning with
+# /bacula also matches a restore directory like /bacula-restores
+/bacula(.*)? gen_context(system_u:object_r:bacula_store_t,s0)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
new file mode 100644
index 00000000..6b1722e2
--- /dev/null
+++ b/policy/modules/contrib/bacula.if
@@ -0,0 +1,45 @@
+## <summary>bacula backup program</summary>
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bacula_domtrans_admin',`
+ gen_require(`
+ type bacula_admin_t, bacula_admin_exec_t;
+ ')
+
+ domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+## Execute user interfaces in the bacula_admin domain, and
+## allow the specified role to transition to the bacula_admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_run_admin',`
+ gen_require(`
+ type bacula_admin_t;
+ ')
+
+ bacula_domtrans_admin($1)
+ role $2 types bacula_admin_t;
+')
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
new file mode 100644
index 00000000..f2ad3642
--- /dev/null
+++ b/policy/modules/contrib/bacula.te
@@ -0,0 +1,122 @@
+policy_module(bacula, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_etc_t;
+files_type(bacula_etc_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+
+########################################
+#
+# Local policy - bacula daemon
+#
+
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket create_stream_socket_perms;
+allow bacula_t self:udp_socket create_socket_perms;
+allow bacula_t self:netlink_route_socket create_netlink_socket_perms;
+
+read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, file)
+
+allow bacula_t bacula_var_run_t:file { create_file_perms write_file_perms unlink};
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+corenet_tcp_bind_generic_port(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+corenet_tcp_connect_smtp_port(bacula_t)
+# Bacula's default port are listed already under hplip
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+optional_policy(`
+ mysql_stream_connect(bacula_t)
+ mysql_tcp_connect(bacula_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+ sysnet_use_ldap(bacula_t)
+ ldap_stream_connect(bacula_t)
+')
+
+
+########################################
+#
+# Local policy - bacula admin client
+#
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket create_stream_socket_perms;
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t)
+
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+corenet_udp_sendrecv_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)
+
+
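Review bot: Brace spacing is inconsistent in the new rules: `{ dac_read_search dac_override chown fowner fsetid}` and `{ create_file_perms write_file_perms unlink}` lack the space before `}` that every other permission set in this file has; write `{ dac_read_search dac_override chown fowner fsetid }` and `{ create_file_perms write_file_perms unlink }`. The "Local policy - bacula admin client" header is preceded by two blank lines, runs straight into its first allow rule with none, and the file ends with two blank lines after `userdom_use_user_ptys(bacula_admin_t)`; the other .te files in this commit use exactly one blank line in each of those places. The comment `# Bacula's default port are listed already under hplip` reads better as `# Bacula's default ports are already listed under hplip` and belongs above the hplip bind lines it explains rather than after the smtp connect.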
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
new file mode 100644
index 00000000..59aa54f9
--- /dev/null
+++ b/policy/modules/contrib/bind.fc
@@ -0,0 +1,63 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+
+/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <<none>>
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
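Review bot: The entries `/etc/named\.rfc1912.zones` and `/var/named/chroot/etc/named\.rfc1912.zones` escape the first dot but not the second, so the `.` before `zones` matches any character; the neighbouring entries (`named\.root\.hints`, `named\.caching-nameserver\.conf`) escape both. Write `/etc/named\.rfc1912\.zones` and `/var/named/chroot/etc/named\.rfc1912\.zones` so the patterns are literal like their siblings. The `/etc/rndc.*` and `named.*` entries are intentionally open-ended prefixes and are fine as written.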
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
new file mode 100644
index 00000000..44a1e3d1
--- /dev/null
+++ b/policy/modules/contrib/bind.if
@@ -0,0 +1,399 @@
+## <summary>Berkeley internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+ gen_require(`
+ type ndc_t, ndc_exec_t;
+ ')
+
+ domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to BIND.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null sigals to BIND.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+## Send BIND the kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain, and
+## allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_run_ndc',`
+ gen_require(`
+ type ndc_t;
+ ')
+
+ bind_domtrans_ndc($1)
+ role $2 types ndc_t;
+')
+
+########################################
+## <summary>
+## Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans',`
+ gen_require(`
+ type named_t, named_exec_t;
+ ')
+
+ domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+## <summary>
+## Read DNSSEC keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+## <summary>
+## Read BIND named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Write BIND named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_write_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## BIND configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Search the BIND cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_search_cache',`
+ gen_require(`
+ type named_conf_t, named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## BIND cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ manage_files_pattern($1, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the BIND pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+ gen_require(`
+ type named_var_run_t;
+ ')
+
+ allow $1 named_var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the BIND zone directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Read BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Send and receive datagrams to and from named. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_udp_chat_named',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bind environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bind domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_cache_t, named_zone_t;
+ type dnssec_t, ndc_t;
+ type named_initrc_exec_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+ ps_process_pattern($1, named_t)
+
+ allow $1 ndc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ndc_t)
+
+ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 named_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, named_conf_t)
+
+ admin_pattern($1, named_cache_t)
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+')
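Review bot: bind_manage_cache grants directory search only on named_zone_t, while bind_search_cache directly above it grants search on named_conf_t, named_zone_t and named_cache_t; since bind.fc in this same commit labels /var/named/chroot as named_conf_t and places the chrooted slaves/data/dynamic cache beneath it, a caller of bind_manage_cache alone presumably cannot traverse into the chroot cache unless it already holds that access elsewhere. Suggest adding named_conf_t to the gen_require and `allow $1 named_conf_t:dir search_dir_perms;` next to the existing named_zone_t rule. The bind_search_cache summary "Search the BIND cache directory" also undersells what it grants and could read `## Search the BIND configuration, zone and cache directories.`. Minor text: "sigals" in the bind_signull summary and "an bind environment" in bind_admin's.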
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
new file mode 100644
index 00000000..4deca04f
--- /dev/null
+++ b/policy/modules/contrib/bind.te
@@ -0,0 +1,260 @@
+policy_module(bind, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones, false)
+
+# for DNSSEC key files
+type dnssec_t;
+files_security_file(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t, named_exec_t)
+role system_r types named_t;
+
+type named_checkconf_exec_t;
+init_system_domain(named_t, named_checkconf_exec_t)
+
+# A type for configuration files of named.
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t, ndc_exec_t)
+role system_r types ndc_t;
+
+########################################
+#
+# Named local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_fifo_file_perms;
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:tcp_socket create_stream_socket_perms;
+allow named_t self:udp_socket create_socket_perms;
+
+allow named_t dnssec_t:file read_file_perms;
+
+# read configuration
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t, named_conf_t, named_conf_t)
+read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+
+# write cache for secondary zones
+manage_files_pattern(named_t, named_cache_t, named_cache_t)
+manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+can_exec(named_t, named_exec_t)
+
+manage_files_pattern(named_t, named_log_t, named_log_t)
+logging_log_filetrans(named_t, named_log_t, { file dir })
+
+manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+
+# read zone files
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t, named_zone_t, named_zone_t)
+read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+
+kernel_read_kernel_sysctls(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+
+corecmd_search_bin(named_t)
+
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
+corenet_tcp_sendrecv_generic_if(named_t)
+corenet_udp_sendrecv_generic_if(named_t)
+corenet_tcp_sendrecv_generic_node(named_t)
+corenet_udp_sendrecv_generic_node(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_generic_node(named_t)
+corenet_udp_bind_generic_node(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_files(named_t)
+files_read_etc_runtime_files(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_localization(named_t)
+miscfiles_read_generic_certs(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
+
+tunable_policy(`named_write_master_zones',`
+ manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ manage_files_pattern(named_t, named_zone_t, named_zone_t)
+ manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+
+ dbus_system_bus_client(named_t)
+ dbus_connect_system_bus(named_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(named_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_keytab_template(named, named_t)
+')
+
+optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+ networkmanager_rw_udp_sockets(named_t)
+ networkmanager_rw_packet_sockets(named_t)
+ networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+ udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+# cjp: why net_admin?!
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file rw_fifo_file_perms;
+allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+allow ndc_t self:tcp_socket create_socket_perms;
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow ndc_t dnssec_t:file read_file_perms;
+allow ndc_t dnssec_t:lnk_file { getattr read };
+
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+allow ndc_t named_conf_t:file read_file_perms;
+allow ndc_t named_conf_t:lnk_file { getattr read };
+
+allow ndc_t named_zone_t:dir search_dir_perms;
+
+kernel_read_kernel_sysctls(ndc_t)
+
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
+corenet_tcp_sendrecv_generic_if(ndc_t)
+corenet_tcp_sendrecv_generic_node(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_generic_node(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_read_etc_files(ndc_t)
+files_search_pids(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
+
+userdom_use_user_terminals(ndc_t)
+
+term_dontaudit_use_console(ndc_t)
+
+# for /etc/rndc.key
+ifdef(`distro_redhat',`
+ allow ndc_t named_conf_t:dir search;
+')
+
+optional_policy(`
+ nis_use_ypbind(ndc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ndc_t)
+')
+
+optional_policy(`
+ ppp_dontaudit_use_fds(ndc_t)
+')
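Review bot: corenet_tcp_connect_all_ports(named_t) in the Named local policy block is far broader than the port-specific rules around it (the dns and rndc ports are bound by name a few lines earlier); if named's outbound TCP is only DNS queries, zone transfers and notifies, `corenet_tcp_connect_dns_port(named_t)` would express that with a much smaller reachable surface, and any remaining need would then surface as an auditable denial rather than being silently allowed. In the NDC block the existing `# cjp: why net_admin?!` comment already questions net_admin for ndc_t yet the capability is still granted; it would be worth confirming whether rndc actually needs it (the only other networking visible for ndc_t is the read-only netlink_route_socket and TCP to the rndc port) and either dropping it or recording the reason in that comment. The NetworkManager socket rules likewise carry a comment saying they should probably be dontaudits; that could be resolved here rather than carried forward.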
diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc
new file mode 100644
index 00000000..0197980d
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
new file mode 100644
index 00000000..de0bd679
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.if
@@ -0,0 +1,59 @@
+## <summary>Bitlbee service</summary>
+
+########################################
+## <summary>
+## Read bitlbee configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed accesss.
+## </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+ gen_require(`
+ type bitlbee_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 bitlbee_conf_t:dir list_dir_perms;
+ allow $1 bitlbee_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bitlbee environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bitlbee domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bitlbee_admin',`
+ gen_require(`
+ type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+ type bitlbee_initrc_exec_t;
+ ')
+
+ allow $1 bitlbee_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitlbee_t)
+
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, bitlbee_conf_t)
+
+ files_list_var($1)
+ admin_pattern($1, bitlbee_var_t)
+')
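Review bot: bitlbee_admin pairs admin_pattern($1, bitlbee_var_t) with `files_list_var($1)`, but bitlbee.fc in this same commit places bitlbee_var_t under /var/lib/bitlbee, so the admin role is given list access on /var rather than on /var/lib; the sibling bind_admin and bluetooth_admin interfaces use `files_list_var_lib($1)` for their /var/lib types, and this one should presumably match. Wording: "Domain allowed accesss." in bitlbee_read_config and "an bitlbee environment" in the bitlbee_admin summary.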
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
new file mode 100644
index 00000000..f4e7ad3d
--- /dev/null
+++ b/policy/modules/contrib/bitlbee.te
@@ -0,0 +1,94 @@
+policy_module(bitlbee, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bitlbee_t self:capability { setgid setuid };
+allow bitlbee_t self:process signal;
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# tmp files
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+kernel_read_system_state(bitlbee_t)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+# MSN can use passport auth, which is over http:
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+corenet_tcp_connect_http_cache_port(bitlbee_t)
+corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+ # normally started from inetd using tcpwrappers, so use those entry points
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
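Review bot: libs_legacy_use_shared_libs(bitlbee_t) near the end of the local policy relaxes the usual execmod restriction for text-relocated shared libraries (as I recall it grants execmod on textrel_shlib_t), and nothing in the hunk says which library bitlbee still needs that for; a daemon whose bitlbee_var_t rules are commented as holding user account information that is read and edited at runtime is a poor place to carry an unexplained W^X exception. If no current build needs it, drop the line; otherwise add a why-comment such as `# needed for <library name> (text relocations); drop once built without textrel`. Also, the tmp rules grant manage_files_pattern with a file-only filetrans and no directory handling — fine if bitlbee only creates flat temp files, but worth confirming.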
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
new file mode 100644
index 00000000..dc687e6d
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
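Review bot: `/etc/bluetooth/link_key` and `/var/run/bluetoothd_address` carry no file-type field, so those patterns match any object type at that path, while every other leaf entry in this hunk is pinned with `--` (or `-s` for the sdp socket); unless the two are meant to match directories or symlinks, the consistent form is `/etc/bluetooth/link_key -- gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)` and `/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)`. link_key presumably holds pairing link keys, which makes precise labeling of that path worth getting right.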
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
new file mode 100644
index 00000000..3e454314
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.if
@@ -0,0 +1,228 @@
+## <summary>Bluetooth tools and system services.</summary>
+
+########################################
+## <summary>
+## Role access for bluetooth
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`bluetooth_role',`
+ gen_require(`
+ type bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
+ ')
+
+ role $1 types bluetooth_helper_t;
+
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+ allow $2 bluetooth_helper_t:process signal;
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+## Read bluetooth daemon configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_read_config',`
+ gen_require(`
+ type bluetooth_conf_t;
+ ')
+
+ allow $1 bluetooth_conf_t:file { getattr read ioctl };
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## bluetooth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Execute bluetooth_helper in the bluetooth_helper domain, and
+## allow the specified role the bluetooth_helper domain. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the bluetooth_helper domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_run_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read bluetooth helper state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_read_helper_state',`
+ gen_require(`
+ type bluetooth_helper_t;
+ ')
+
+ dontaudit $1 bluetooth_helper_t:dir search;
+ dontaudit $1 bluetooth_helper_t:file { read getattr };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bluetooth environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bluetooth domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+ type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bluetooth_t)
+
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bluetooth_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, bluetooth_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
+')
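Review bot: bluetooth_read_config spells the file permissions out as `{ getattr read ioctl }`, whereas the other read interfaces in this commit (bitlbee_read_config, the ndc rules in bind.te) use read_file_perms, which in current refpolicy also covers open and lock; `allow $1 bluetooth_conf_t:file read_file_perms;` would be consistent and avoid a denial on open. The comment in bluetooth_role, `# allow ps to show cdrecord and allow the user to kill it`, was copied from another module and should name the helper: `# allow ps to show bluetooth_helper and allow the user to kill it`. bluetooth_stream_connect also grants rw_socket_perms on the generic socket class of bluetooth_t, which is unusual alongside a unix-stream connect pattern and worth confirming. Minor: "an bluetooth environment" in the bluetooth_admin summary.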
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
new file mode 100644
index 00000000..d3019b31
--- /dev/null
+++ b/policy/modules/contrib/bluetooth.te
@@ -0,0 +1,241 @@
+policy_module(bluetooth, 3.4.0)
+
+########################################
+#
+# Declarations
+#
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_type(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+userdom_user_tmp_file(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+userdom_user_tmpfs_file(bluetooth_helper_tmpfs_t)
+
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Bluetooth services local policy
+#
+
+#sys_admin capability - redhat bug 573015
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
+allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
+files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
+
+manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
+
+manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+#search debugfs - redhat bug 548206
+kernel_search_debugfs(bluetooth_t)
+
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+fs_list_inotifyfs(bluetooth_t)
+
+#Handle bluetooth serial devices
+term_use_unallocated_ttys(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+auth_use_nsswitch(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+ udev_read_db(bluetooth_t)
+')
+
+optional_policy(`
+ ppp_domtrans(bluetooth_t)
+')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(bluetooth_helper_t)
+
+ dbus_system_bus_client(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
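Review bot: The capability line for bluetooth_t allows `sys_tty_config` while the very next line dontaudits the same capability, so the dontaudit is dead and the daemon actually holds sys_tty_config; the refpolicy idiom for daemons is to dontaudit it and not grant it, i.e. `allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin ipc_lock };` followed by the existing `dontaudit bluetooth_t self:capability sys_tty_config;`. The same rule also grants `dac_override` and `sys_admin` to a domain that additionally gets `corecmd_exec_shell`, `corecmd_exec_bin`, `dev_rw_generic_usb_dev` and `kernel_request_load_module`, which is close to unconfined for a network-facing daemon; the only justification recorded is the bug number on the preceding comment. I would expand that comment to name what operation needs sys_admin and why dac_override (rather than dac_read_search) is required, so a later maintainer can tell whether the grant is still needed.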
diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc
new file mode 100644
index 00000000..642f67e0
--- /dev/null
+++ b/policy/modules/contrib/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/contrib/brctl.if b/policy/modules/contrib/brctl.if
new file mode 100644
index 00000000..2c2cdb62
--- /dev/null
+++ b/policy/modules/contrib/brctl.if
@@ -0,0 +1,20 @@
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+')
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
new file mode 100644
index 00000000..9a62a1d0
--- /dev/null
+++ b/policy/modules/contrib/brctl.te
@@ -0,0 +1,44 @@
+policy_module(brctl, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')
diff --git a/policy/modules/contrib/bugzilla.fc b/policy/modules/contrib/bugzilla.fc
new file mode 100644
index 00000000..8c840634
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.fc
@@ -0,0 +1,4 @@
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
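Review bot: The second pattern labels every regular file under /usr/share/bugzilla as `httpd_bugzilla_script_exec_t`, so templates, images and other static content become executable script entrypoints for the CGI domain, not just the `.cgi` files. If bugzilla only needs its CGI scripts to transition, a narrower expression such as `/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)` with the remaining files left as `httpd_bugzilla_content_t` would keep exec permission to the intended set; I am inferring the layout from the paths, so this should be checked against the package contents.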
diff --git a/policy/modules/contrib/bugzilla.if b/policy/modules/contrib/bugzilla.if
new file mode 100644
index 00000000..de89d0f1
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.if
@@ -0,0 +1,77 @@
+## <summary>Bugzilla server</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## bugzilla directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bugzilla_search_content',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bugzilla environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the bugzilla domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
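Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` in bugzilla_admin grants the list permission to the CGI domain instead of the admin domain passed as `$1`, so the interface silently widens the script domain's access every time an admin role is built and the admin still lacks list access to /var/lib needed to reach `httpd_bugzilla_rw_content_t`; it should read `files_list_var_lib($1)`. Separately, `admin_pattern($1, httpd_bugzilla_script_t)` applies file-management permissions to a process domain type; unless files are actually labelled with that type this line does nothing and can be dropped, leaving the ptrace/signal and ps_process_pattern lines to cover the process side.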
diff --git a/policy/modules/contrib/bugzilla.te b/policy/modules/contrib/bugzilla.te
new file mode 100644
index 00000000..048abbf7
--- /dev/null
+++ b/policy/modules/contrib/bugzilla.te
@@ -0,0 +1,50 @@
+policy_module(bugzilla, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
diff --git a/policy/modules/contrib/calamaris.fc b/policy/modules/contrib/calamaris.fc
new file mode 100644
index 00000000..9cbd0a06
--- /dev/null
+++ b/policy/modules/contrib/calamaris.fc
@@ -0,0 +1,10 @@
+#
+# /etc
+#
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+#
+# /var
+#
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/policy/modules/contrib/calamaris.if b/policy/modules/contrib/calamaris.if
new file mode 100644
index 00000000..df183be2
--- /dev/null
+++ b/policy/modules/contrib/calamaris.if
@@ -0,0 +1,21 @@
+## <summary>Squid log analysis</summary>
+
+#######################################
+## <summary>
+## Allow domain to read calamaris www files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1, calamaris_www_t, calamaris_www_t)
+ read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
+')
diff --git a/policy/modules/contrib/calamaris.te b/policy/modules/contrib/calamaris.te
new file mode 100644
index 00000000..b13fb66c
--- /dev/null
+++ b/policy/modules/contrib/calamaris.te
@@ -0,0 +1,83 @@
+policy_module(calamaris, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type calamaris_t;
+type calamaris_exec_t;
+init_system_domain(calamaris_t, calamaris_exec_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+########################################
+#
+# Local policy
+#
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { fork signal_perms setsched };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:tcp_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+
+manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_search_pids(calamaris_t)
+files_read_etc_files(calamaris_t)
+files_read_usr_files(calamaris_t)
+files_read_var_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+
+auth_use_nsswitch(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+optional_policy(`
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+ cron_system_entry(calamaris_t, calamaris_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
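Review bot: `allow calamaris_t self:capability dac_override;` is broader than the stated reason ("for when squid has a different UID") requires: everything this domain does to squid data is reading (`squid_read_log`), so `dac_read_search` would let it bypass read/search permission checks without also bypassing write checks on the files it can manage (`calamaris_www_t`, `calamaris_log_t`), i.e. `allow calamaris_t self:capability dac_read_search;`. Whether calamaris also needs to write into squid-owned directories is not visible here, so confirm before narrowing. `kernel_read_all_sysctls` and `files_read_var_files` likewise look wider than a log analyser needs; the usual `kernel_read_kernel_sysctls` is probably sufficient.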
diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc
new file mode 100644
index 00000000..5432d0e5
--- /dev/null
+++ b/policy/modules/contrib/canna.fc
@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+
+/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+
+/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
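Review bot: The last pattern `/var/run/wnn-unix(/.*)` is missing the trailing `?`, so the directory /var/run/wnn-unix itself never matches and stays labelled `var_run_t` while only its contents get `canna_var_run_t`; that breaks `files_pid_filetrans(canna_t, canna_var_run_t, { dir ... })` consistency on relabel and makes `canna_stream_connect` callers depend on generic var_run_t search. It should be `/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)`, matching the form used for the other directory patterns in this file.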
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
new file mode 100644
index 00000000..4a26b0cb
--- /dev/null
+++ b/policy/modules/contrib/canna.if
@@ -0,0 +1,61 @@
+## <summary>Canna - kana-kanji conversion server</summary>
+
+########################################
+## <summary>
+## Connect to Canna using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`canna_stream_connect',`
+ gen_require(`
+ type canna_t, canna_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an canna environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the canna domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`canna_admin',`
+ gen_require(`
+ type canna_t, canna_log_t, canna_var_lib_t;
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+ allow $1 canna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, canna_t)
+
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, canna_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, canna_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, canna_var_run_t)
+')
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
new file mode 100644
index 00000000..1d25efe3
--- /dev/null
+++ b/policy/modules/contrib/canna.te
@@ -0,0 +1,93 @@
+policy_module(canna, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type canna_t;
+type canna_exec_t;
+init_daemon_domain(canna_t, canna_exec_t)
+
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
+type canna_log_t;
+logging_log_file(canna_log_t)
+
+type canna_var_lib_t;
+files_type(canna_var_lib_t)
+
+type canna_var_run_t;
+files_pid_file(canna_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+dontaudit canna_t self:capability sys_tty_config;
+allow canna_t self:process signal_perms;
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+allow canna_t canna_log_t:dir setattr;
+logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
+
+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(canna_t)
+kernel_read_system_state(canna_t)
+
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
+corenet_tcp_sendrecv_generic_if(canna_t)
+corenet_tcp_sendrecv_generic_node(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
+corenet_tcp_connect_all_ports(canna_t)
+corenet_sendrecv_all_client_packets(canna_t)
+
+dev_read_sysfs(canna_t)
+
+fs_getattr_all_fs(canna_t)
+fs_search_auto_mountpoints(canna_t)
+
+domain_use_interactive_fds(canna_t)
+
+files_read_etc_files(canna_t)
+files_read_etc_runtime_files(canna_t)
+files_read_usr_files(canna_t)
+files_search_tmp(canna_t)
+files_dontaudit_read_root_files(canna_t)
+
+logging_send_syslog_msg(canna_t)
+
+miscfiles_read_localization(canna_t)
+
+sysnet_read_config(canna_t)
+
+userdom_dontaudit_use_unpriv_user_fds(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
+
+optional_policy(`
+ nis_use_ypbind(canna_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(canna_t)
+')
+
+optional_policy(`
+ udev_read_db(canna_t)
+')
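Review bot: `corenet_tcp_connect_all_ports(canna_t)` together with `corenet_sendrecv_all_client_packets(canna_t)` lets a setuid/setgid-capable conversion server open outbound TCP connections to any port, which is an unusually wide client grant for a daemon whose job is to accept local input-method connections; if the server really only needs to be reached, those two lines can be dropped, and if it connects to a peer dictionary server the specific port interface should be used instead. Also `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` uses stream permissions (listen/accept) on a datagram socket; `create_socket_perms` is the matching set, as used for the other domains in this series.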
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
new file mode 100644
index 00000000..8a7177d4
--- /dev/null
+++ b/policy/modules/contrib/ccs.fc
@@ -0,0 +1,6 @@
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
+
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
new file mode 100644
index 00000000..6ee2cc8c
--- /dev/null
+++ b/policy/modules/contrib/ccs.if
@@ -0,0 +1,75 @@
+## <summary>Cluster Configuration System</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ccs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ccs_domtrans',`
+ gen_require(`
+ type ccs_t, ccs_exec_t;
+ ')
+
+ domtrans_pattern($1, ccs_exec_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Connect to ccs over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_stream_connect',`
+ gen_require(`
+ type ccs_t, ccs_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
+')
+
+########################################
+## <summary>
+## Read cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_read_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ read_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
+
+########################################
+## <summary>
+## Manage cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_manage_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
+ manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
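Review bot: `ccs_read_config` and `ccs_manage_config` grant access to `cluster_conf_t` but not the search permission on the parent `/etc` directory, so a caller that does not already have `files_read_etc_files` or similar cannot reach /etc/cluster; adding `files_search_etc($1)` to both interfaces, as `canna_stream_connect` does with `files_search_pids($1)` for its socket directory, makes them self-contained. `ccs_manage_config` also omits symlinks (`manage_lnk_files_pattern`), which may matter if cluster.conf is managed through a link; that depends on deployment and is worth a comment either way.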
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
new file mode 100644
index 00000000..4c90b57e
--- /dev/null
+++ b/policy/modules/contrib/ccs.te
@@ -0,0 +1,122 @@
+policy_module(ccs, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+type cluster_conf_t;
+files_type(cluster_conf_t)
+
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
+
+type ccs_var_lib_t;
+logging_log_file(ccs_var_lib_t)
+
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+########################################
+#
+# ccs local policy
+#
+
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:process { signal setrlimit setsched };
+dontaudit ccs_t self:process ptrace;
+allow ccs_t self:fifo_file rw_fifo_file_perms;
+allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
+allow ccs_t self:tcp_socket create_stream_socket_perms;
+allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
+# cjp: this needs to be fixed to be specific
+allow ccs_t self:socket create_socket_perms;
+
+manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
+
+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
+
+# var lib files
+manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+allow ccs_t ccs_var_log_t:dir setattr;
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(ccs_t)
+
+corecmd_list_bin(ccs_t)
+corecmd_exec_bin(ccs_t)
+
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
+corenet_tcp_sendrecv_generic_if(ccs_t)
+corenet_udp_sendrecv_generic_if(ccs_t)
+corenet_tcp_sendrecv_generic_node(ccs_t)
+corenet_udp_sendrecv_generic_node(ccs_t)
+corenet_tcp_sendrecv_all_ports(ccs_t)
+corenet_udp_sendrecv_all_ports(ccs_t)
+corenet_tcp_bind_generic_node(ccs_t)
+corenet_udp_bind_generic_node(ccs_t)
+corenet_tcp_bind_cluster_port(ccs_t)
+corenet_udp_bind_cluster_port(ccs_t)
+corenet_udp_bind_netsupport_port(ccs_t)
+
+dev_read_urand(ccs_t)
+
+files_read_etc_files(ccs_t)
+files_read_etc_runtime_files(ccs_t)
+
+init_rw_script_tmp_files(ccs_t)
+
+logging_send_syslog_msg(ccs_t)
+
+miscfiles_read_localization(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
+ifdef(`hide_broken_symptoms', `
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ccs_t)
+')
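Review bot: `logging_log_file(ccs_var_lib_t)` gives the /var/lib type the log-file attribute, so every interface that operates on all logs (log rotation, log readers, `logging_manage_all_logs`-style admin grants) also gains access to ccs state data, while `files_var_lib_filetrans` is used to create it under /var/lib; the declaration should be `files_type(ccs_var_lib_t)` like the other var_lib types in this series, leaving `ccs_var_log_t` as the only log type. The domain also gets `sys_admin` and a generic `allow ccs_t self:socket create_socket_perms;` that the inline comment already marks as needing to be made specific, plus `files_manage_isid_type_files` under hide_broken_symptoms, which lets it write any unlabelled file; that comment should at least name the socket family so the grant can be narrowed.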
diff --git a/policy/modules/contrib/cdrecord.fc b/policy/modules/contrib/cdrecord.fc
new file mode 100644
index 00000000..91697ccd
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.fc
@@ -0,0 +1,6 @@
+#
+# /usr
+#
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
diff --git a/policy/modules/contrib/cdrecord.if b/policy/modules/contrib/cdrecord.if
new file mode 100644
index 00000000..1582faff
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.if
@@ -0,0 +1,33 @@
+## <summary>Policy for cdrecord</summary>
+
+########################################
+## <summary>
+## Role access for cdrecord
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cdrecord_role',`
+ gen_require(`
+ type cdrecord_t, cdrecord_exec_t;
+ ')
+
+ role $1 types cdrecord_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
+
+ allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, cdrecord_t)
+ allow $2 cdrecord_t:process signal;
+')
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
new file mode 100644
index 00000000..4626931d
--- /dev/null
+++ b/policy/modules/contrib/cdrecord.te
@@ -0,0 +1,119 @@
+policy_module(cdrecord, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content, false)
+
+type cdrecord_t;
+type cdrecord_exec_t;
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# growisofs uses mkisofs
+corecmd_exec_bin(cdrecord_t)
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t)
+dev_read_sysfs(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_read_removable_device(cdrecord_t)
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
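Review bot: The unconditional `userdom_read_user_home_content_files(cdrecord_t)` under the `# write to the user domain tty.` comment grants exactly the access that the `cdrecord_read_content` tunable later gates, so the else branch's `userdom_dontaudit_read_user_home_content_files` is dead and the `<desc>` promising to restrict home content is not true. Likewise the trailing `tunable_policy(`use_nfs_home_dirs', ...)` block grants `fs_read_nfs_files`/`fs_read_nfs_symlinks` without the `cdrecord_read_content &&` condition used in the earlier nfs block. Drop the unconditional home-content line and the second nfs block, or, if always-on access is intended, remove the tunable gating and rewrite the tunable description to match. Separately, `sys_rawio` and `dac_override` in the capability set deserve a why-comment; raw SCSI access plausibly needs the former, but nothing visible here justifies `dac_override` for a user application.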
diff --git a/policy/modules/contrib/certmaster.fc b/policy/modules/contrib/certmaster.fc
new file mode 100644
index 00000000..79295d60
--- /dev/null
+++ b/policy/modules/contrib/certmaster.fc
@@ -0,0 +1,8 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
new file mode 100644
index 00000000..fa627873
--- /dev/null
+++ b/policy/modules/contrib/certmaster.if
@@ -0,0 +1,145 @@
+## <summary>Certmaster SSL certificate distribution service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmaster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+####################################
+## <summary>
+## Execute certmaster in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
+#######################################
+## <summary>
+## read certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Append to certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## certmaster logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snort environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
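Review bot: The `certmaster_admin` doc header was copied from another module: the summary reads `an snort environment` and the role parameter says `The role to be allowed to manage the syslog domain.`. Change them to `## a certmaster environment` and `## The role to be allowed to manage the certmaster domain.`. The `certmaster_read_log` summary also starts lower-case (`read certmaster logs.`) unlike its siblings.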
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
new file mode 100644
index 00000000..33841321
--- /dev/null
+++ b/policy/modules/contrib/certmaster.te
@@ -0,0 +1,71 @@
+policy_module(certmaster, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)
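Review bot: The capability line `allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };` carries no justification; `dac_read_search` is implied by `dac_override`, and nothing in this policy suggests why a certificate-distribution daemon needs `sys_tty_config`. Keep only `dac_override` unless the read-search form is meant for a later narrowing, and add a why-comment for `sys_tty_config` or drop it if no AVC requires it. The pid filetrans line also has a misplaced space; it should read `files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })`.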
diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc
new file mode 100644
index 00000000..5ad1a526
--- /dev/null
+++ b/policy/modules/contrib/certmonger.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
new file mode 100644
index 00000000..7a6e5bae
--- /dev/null
+++ b/policy/modules/contrib/certmonger.if
@@ -0,0 +1,174 @@
+## <summary>Certificate status monitor and PKI enrollment client</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmonger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_domtrans',`
+ gen_require(`
+ type certmonger_t, certmonger_exec_t;
+ ')
+
+ domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## certmonger over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_dbus_chat',`
+ gen_require(`
+ type certmonger_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 certmonger_t:dbus send_msg;
+ allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute certmonger server in the certmonger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_initrc_domtrans',`
+ gen_require(`
+ type certmonger_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read certmonger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_pid_files',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search certmonger lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_search_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ allow $1 certmonger_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an certmonger environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmonger_admin',`
+ gen_require(`
+ type certmonger_t, certmonger_initrc_exec_t;
+ type certmonger_var_lib_t, certmonger_var_run_t;
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+ allow $1 certmonger_t:process { ptrace signal_perms };
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+')
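Review bot: The comment `# Allow certmonger_t to restart the apache service` in `certmonger_admin` does not describe the rule under it: `certmonger_initrc_domtrans($1)` lets the admin domain `$1`, not certmonger_t, run the certmonger init script, and apache is not involved. Replace it with `# Allow the admin domain to run the certmonger init script`. The summary `an certmonger environment` should read `a certmonger environment`.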
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
new file mode 100644
index 00000000..c3e3f79d
--- /dev/null
+++ b/policy/modules/contrib/certmonger.te
@@ -0,0 +1,72 @@
+policy_module(certmonger, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmonger_t;
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
+type certmonger_var_run_t;
+files_pid_file(certmonger_var_run_t)
+
+type certmonger_var_lib_t;
+files_type(certmonger_var_lib_t)
+
+########################################
+#
+# certmonger local policy
+#
+
+allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:process { getsched setsched sigkill };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+corenet_tcp_sendrecv_all_ports(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
+domain_use_interactive_fds(certmonger_t)
+
+files_read_etc_files(certmonger_t)
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+logging_send_syslog_msg(certmonger_t)
+
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
+
+sysnet_dns_name_resolve(certmonger_t)
+
+optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
+')
+
+optional_policy(`
+ kerberos_use(certmonger_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(certmonger_t)
+')
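Review bot: `corenet_tcp_sendrecv_all_ports(certmonger_t)` is far broader than the only connect rule, `corenet_tcp_connect_certmaster_port`, so data exchange is permitted on every port type while connecting is permitted to one. If certmonger only talks to certmaster in this policy, `corenet_tcp_sendrecv_certmaster_port(certmonger_t)` matches the connect rule; if it also enrolls against other CAs on other ports (which this file does not show), add those connect rules and a comment naming them instead of leaving the all-ports grant unexplained.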
diff --git a/policy/modules/contrib/certwatch.fc b/policy/modules/contrib/certwatch.fc
new file mode 100644
index 00000000..b8a3414b
--- /dev/null
+++ b/policy/modules/contrib/certwatch.fc
@@ -0,0 +1 @@
+/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/policy/modules/contrib/certwatch.if b/policy/modules/contrib/certwatch.if
new file mode 100644
index 00000000..953451a4
--- /dev/null
+++ b/policy/modules/contrib/certwatch.if
@@ -0,0 +1,78 @@
+## <summary>Digital Certificate Tracking</summary>
+
+########################################
+## <summary>
+## Domain transition to certwatch.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certwatch_domtrans',`
+ gen_require(`
+ type certwatch_exec_t, certwatch_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, certwatch_exec_t, certwatch_t)
+')
+
+########################################
+## <summary>
+## Execute certwatch in the certwatch domain, and
+## allow the specified role the certwatch domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certwatch_run',`
+ gen_require(`
+ type certwatch_t;
+ ')
+
+ certwatch_domtrans($1)
+ role $2 types certwatch_t;
+')
+
+########################################
+## <summary>
+## Execute certwatch in the certwatch domain, and
+## allow the specified role the certwatch domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the certwatch domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certwatach_run',`
+ refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
+ certwatch_run($*)
+')
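Review bot: The `certwatch_run` summary says the interface lets the domain `use the caller's terminal`, but the body only calls `certwatch_domtrans($1)` and assigns the role; no terminal rule is granted here (the sigchld part is covered by domtrans_pattern, the terminal part comes from the .te if at all). Trim the summary to what the interface does: `## Execute certwatch in the certwatch domain, and allow the specified role the certwatch domain. Has a sigchld backchannel.`. The deprecated `certwatach_run` wrapper repeats the same header plus a `terminal` parameter that `certwatch_run($*)` ignores; a one-line summary pointing at certwatch_run would be clearer than the full copy.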
diff --git a/policy/modules/contrib/certwatch.te b/policy/modules/contrib/certwatch.te
new file mode 100644
index 00000000..e07cef5d
--- /dev/null
+++ b/policy/modules/contrib/certwatch.te
@@ -0,0 +1,53 @@
+policy_module(certwatch, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type certwatch_t;
+type certwatch_exec_t;
+application_domain(certwatch_t, certwatch_exec_t)
+role system_r types certwatch_t;
+
+########################################
+#
+# Local policy
+#
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
+
+files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
+
+auth_manage_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
+
+logging_send_syslog_msg(certwatch_t)
+
+miscfiles_read_all_certs(certwatch_t)
+miscfiles_read_localization(certwatch_t)
+
+userdom_use_user_terminals(certwatch_t)
+userdom_dontaudit_list_user_home_dirs(certwatch_t)
+
+optional_policy(`
+ apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+')
+
+optional_policy(`
+ pcscd_domtrans(certwatch_t)
+ pcscd_stream_connect(certwatch_t)
+ pcscd_read_pub_files(certwatch_t)
+')
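Review bot: `auth_manage_cache(certwatch_t)` and `auth_var_filetrans_cache(certwatch_t)` give a certificate tracker create/delete rights over the authentication cache with no comment on what it writes there; the pcscd block below hints at smart-card state, but the file does not say. Add a why-comment such as `# NOTE: certwatch writes <what> into the auth cache — confirm and name it` before landing, or narrow to the read interfaces if write access is not needed. Also a blank line is missing between the `# Local policy` banner and the first allow rule, unlike the other .te files in this commit.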
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
new file mode 100644
index 00000000..b6bb46cf
--- /dev/null
+++ b/policy/modules/contrib/cgroup.fc
@@ -0,0 +1,15 @@
+/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
new file mode 100644
index 00000000..33facaf2
--- /dev/null
+++ b/policy/modules/contrib/cgroup.if
@@ -0,0 +1,199 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_t, cgconfig_exec_t;
+ ')
+
+ domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+ gen_require(`
+ type cgred_t, cgred_exec_t;
+ ')
+
+ domtrans_pattern($1, cgred_exec_t, cgred_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+ gen_require(`
+ type cgred_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
+## Connect to CG rules engine daemon
+## over unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect_cgred', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgroup environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+ gen_require(`
+ type cgred_t, cgconfig_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+ allow $1 cgclear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgclear_t)
+
+ allow $1 cgconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgconfig_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgred_t)
+
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+ files_list_pids($1)
+
+ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cgconfig_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ cgroup_initrc_domtrans_cgred($1)
+ role_transition $2 cgred_initrc_exec_t system_r;
+
+ cgroup_run_cgclear($1, $2)
+')
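Review bot: Two interface headers here are copy-paste errors: the `cgroup_initrc_domtrans_cgconfig` summary repeats `Execute a domain transition to run CG config parser.` although the body runs the init script via `init_labeled_script_domtrans`, and the `cgroup_initrc_domtrans_cgred` summary has a stray line `## domain.` after `CG rules engine daemon.`. Reword the former to `## Execute the CG config parser init script in the init script domain.` and the latter to `## Execute the CG rules engine daemon init script in the init script domain.`, dropping the stray line. The admin summary `an cgroup environment.` should read `a cgroup environment.`.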
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
new file mode 100644
index 00000000..806191ad
--- /dev/null
+++ b/policy/modules/contrib/cgroup.te
@@ -0,0 +1,109 @@
+policy_module(cgroup, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
+
+type cgconfig_t;
+type cgconfig_exec_t;
+init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+type cgconfig_etc_t;
+files_config_file(cgconfig_etc_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_manage_cgroup_dirs(cgclear_t)
+fs_manage_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+
+allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
+# search will do.
+kernel_list_unlabeled(cgconfig_t)
+kernel_read_system_state(cgconfig_t)
+
+# /etc/nsswitch.conf, /etc/passwd
+files_read_etc_files(cgconfig_t)
+
+fs_manage_cgroup_dirs(cgconfig_t)
+fs_manage_cgroup_files(cgconfig_t)
+fs_mount_cgroup(cgconfig_t)
+fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+# rc script creates pid file
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
+
+files_getattr_all_files(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_read_all_symlinks(cgred_t)
+# /etc/group
+files_read_etc_files(cgred_t)
+
+fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
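Review bot: The cgred capability set `{ chown fsetid net_admin sys_admin sys_ptrace dac_override }` combined with `domain_read_all_domains_state`, `files_getattr_all_files` and `files_read_all_symlinks` is the broadest grant in this commit and has no why-comments. Presumably `sys_ptrace` and the all-domains read serve inspecting /proc of every process the rules engine classifies, and `net_admin` the netlink socket declared above, but that is inference; add a comment per capability so a later reviewer can check whether each is still required. The `# search will do.` comment above `kernel_list_unlabeled(cgconfig_t)` is ambiguous about which access it refers to and should say so explicitly.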
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
new file mode 100644
index 00000000..fd8cd0b3
--- /dev/null
+++ b/policy/modules/contrib/chronyd.fc
@@ -0,0 +1,9 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
new file mode 100644
index 00000000..9a0da946
--- /dev/null
+++ b/policy/modules/contrib/chronyd.if
@@ -0,0 +1,105 @@
+## <summary>Chrony NTP background daemon</summary>
+
+#####################################
+## <summary>
+## Execute chronyd in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans',`
+ gen_require(`
+ type chronyd_t, chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+')
+
+####################################
+## <summary>
+## Execute chronyd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_exec',`
+ gen_require(`
+ type chronyd_exec_t;
+ ')
+
+ can_exec($1, chronyd_exec_t)
+')
+
+#####################################
+## <summary>
+## Read chronyd logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_log',`
+ gen_require(`
+ type chronyd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+')
+
+####################################
+## <summary>
+## All of the rules required to administrate
+## an chronyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the chronyd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_admin',`
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_initrc_exec_t, chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, chronyd_t)
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, chronyd_tmp_t)
+')
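Review bot: `chronyd_admin` ends with `admin_pattern($1, chronyd_tmp_t)`, but `chronyd_tmp_t` is neither listed in the interface's `gen_require` block nor declared in chronyd.te in this commit, so a module that calls chronyd_admin will fail to compile on the undeclared type. Either remove the two lines `files_search_tmp($1)` / `admin_pattern($1, chronyd_tmp_t)`, or declare `type chronyd_tmp_t;` with `files_tmp_file(chronyd_tmp_t)` in chronyd.te and add the type to gen_require. Minor: `chronyd_exec` does not call `corecmd_search_bin($1)` the way `chronyd_domtrans` does, so a caller may still be unable to reach the binary's directory.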
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
new file mode 100644
index 00000000..fa82327a
--- /dev/null
+++ b/policy/modules/contrib/chronyd.te
@@ -0,0 +1,68 @@
+policy_module(chronyd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
+allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
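Review bot: This module declares no chronyd_tmp_t, yet chronyd_admin in chronyd.if ends with `admin_pattern($1, chronyd_tmp_t)` without listing that type in its gen_require, so the first policy that calls chronyd_admin fails to build against this .te. Either declare it here — `type chronyd_tmp_t;` followed by `files_tmp_file(chronyd_tmp_t)` — with manage rules and a files_tmp_filetrans for chronyd_t, or drop that admin_pattern line from the interface. Separately, compared with cipe.te and clockspeed.te in the same change, chronyd_t gets only corenet_udp_bind_* rules and no corenet_udp_sendrecv_generic_if/generic_node or ntp-port sendrecv; unless those are granted elsewhere it looks like the daemon can bind udp/123 and udp/323 but not exchange packets on them, which is worth confirming in enforcing mode. The read-only `allow chronyd_t chronyd_keys_t:file read_file_perms;` is the right shape for the key file and should stay read-only.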
diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc
new file mode 100644
index 00000000..afcdf02b
--- /dev/null
+++ b/policy/modules/contrib/cipe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
new file mode 100644
index 00000000..b5fd6689
--- /dev/null
+++ b/policy/modules/contrib/cipe.if
@@ -0,0 +1 @@
+## <summary>Encrypted tunnel daemon</summary>
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
new file mode 100644
index 00000000..8e1ef38b
--- /dev/null
+++ b/policy/modules/contrib/cipe.te
@@ -0,0 +1,72 @@
+policy_module(cipe, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ciped_t;
+type ciped_exec_t;
+init_daemon_domain(ciped_t, ciped_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+dontaudit ciped_t self:capability sys_tty_config;
+allow ciped_t self:process signal_perms;
+allow ciped_t self:fifo_file rw_fifo_file_perms;
+allow ciped_t self:unix_dgram_socket create_socket_perms;
+allow ciped_t self:unix_stream_socket create_socket_perms;
+allow ciped_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ciped_t)
+kernel_read_system_state(ciped_t)
+
+corecmd_exec_shell(ciped_t)
+corecmd_exec_bin(ciped_t)
+
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
+corenet_udp_sendrecv_generic_if(ciped_t)
+corenet_udp_sendrecv_generic_node(ciped_t)
+corenet_udp_sendrecv_all_ports(ciped_t)
+corenet_udp_bind_generic_node(ciped_t)
+# cipe uses the afs3-bos port (udp 7007)
+corenet_udp_bind_afs_bos_port(ciped_t)
+corenet_sendrecv_afs_bos_server_packets(ciped_t)
+
+dev_read_sysfs(ciped_t)
+dev_read_rand(ciped_t)
+# for SSP
+dev_read_urand(ciped_t)
+
+domain_use_interactive_fds(ciped_t)
+
+files_read_etc_files(ciped_t)
+files_read_etc_runtime_files(ciped_t)
+files_dontaudit_search_var(ciped_t)
+
+fs_search_auto_mountpoints(ciped_t)
+
+logging_send_syslog_msg(ciped_t)
+
+miscfiles_read_localization(ciped_t)
+
+sysnet_read_config(ciped_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+
+optional_policy(`
+ nis_use_ypbind(ciped_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ciped_t)
+')
+
+optional_policy(`
+ udev_read_db(ciped_t)
+')
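Review bot: sys_tty_config is both allowed and dontaudited for ciped_t: `allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };` is immediately followed by `dontaudit ciped_t self:capability sys_tty_config;`, and the allow makes the dontaudit a no-op. The other daemons in this change (clamd_t, cmirrord_t) only dontaudit it, so the likely intent is `allow ciped_t self:capability { net_admin ipc_lock };` with the dontaudit kept. corecmd_exec_shell and corecmd_exec_bin are broad for a tunnel daemon; if they exist for the ip-up/ip-down hook scripts, a one-line comment saying so above them would save the next reviewer from re-deriving it.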
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
new file mode 100644
index 00000000..e8e9a213
--- /dev/null
+++ b/policy/modules/contrib/clamav.fc
@@ -0,0 +1,20 @@
+/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+
+/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
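Review bot: Labeling the whole `/var/spool/MailScanner(/.*)?` tree as clamd_var_run_t puts a mail spool under the pid/socket type: with clamav.te in this change freshclam_t gets manage_files_pattern on clamd_var_run_t, and every caller of clamav_stream_connect gets write on sock_files of that type, so those domains reach the MailScanner spool as a side effect. If clamd only needs to scan files there, a dedicated spool type with read rules for clamd_t would keep the pid type narrow; if the directory really only holds the clamd socket, narrow the pattern to that socket the way the `/var/spool/amavisd/clamd\.sock -s` line above does.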
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
new file mode 100644
index 00000000..cf81277f
--- /dev/null
+++ b/policy/modules/contrib/clamav.if
@@ -0,0 +1,192 @@
+## <summary>ClamAV Virus Scanner</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans',`
+ gen_require(`
+ type clamd_t, clamd_exec_t;
+ ')
+
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Connect to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_stream_connect',`
+ gen_require(`
+ type clamd_t, clamd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to clamav log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_var_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+')
+
+########################################
+## <summary>
+## Read clamav configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_config',`
+ gen_require(`
+ type clamd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 clamd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search clamav libraries directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_search_lib',`
+ gen_require(`
+ type clamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run clamscan.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_clamscan',`
+ gen_require(`
+ type clamscan_t, clamscan_exec_t;
+ ')
+
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+')
+
+########################################
+## <summary>
+## Execute clamscan without a transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an clamav environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the clamav domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
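Review bot: clamav_append_log requires and uses `clamav_var_log_t`, but no such type exists — clamav.te in this change declares clamd_var_log_t and freshclam_var_log_t — so the first module that calls this interface fails to build. Change the gen_require to `type clamd_var_log_t;` and the two rules to `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`. Also, clamav_stream_connect does not call files_search_pids($1) the way clogd_stream_connect in this change does, and clamav.fc also places the socket under /var/spool/amavisd, so callers may need files_search_spool as well; a comment stating which search rights the caller is expected to bring would help.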
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
new file mode 100644
index 00000000..f7583237
--- /dev/null
+++ b/policy/modules/contrib/clamav.te
@@ -0,0 +1,275 @@
+policy_module(clamav, 1.9.0)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
+
+########################################
+#
+# Declarations
+#
+
+# Main clamd domain
+type clamd_t;
+type clamd_exec_t;
+init_daemon_domain(clamd_t, clamd_exec_t)
+
+# configuration files
+type clamd_etc_t;
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
+
+# tmp files
+type clamd_tmp_t;
+files_tmp_file(clamd_tmp_t)
+
+# log files
+type clamd_var_log_t;
+logging_log_file(clamd_var_log_t)
+
+# var/lib files
+type clamd_var_lib_t;
+files_type(clamd_var_lib_t)
+
+# pid files
+type clamd_var_run_t;
+files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
+
+type clamscan_t;
+type clamscan_exec_t;
+init_daemon_domain(clamscan_t, clamscan_exec_t)
+
+# tmp files
+type clamscan_tmp_t;
+files_tmp_file(clamscan_tmp_t)
+
+type freshclam_t;
+type freshclam_exec_t;
+init_daemon_domain(freshclam_t, freshclam_exec_t)
+
+# log files
+type freshclam_var_log_t;
+logging_log_file(freshclam_var_log_t)
+
+########################################
+#
+# clamd local policy
+#
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
+allow clamd_t self:fifo_file rw_fifo_file_perms;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow clamd_t self:unix_dgram_socket create_socket_perms;
+allow clamd_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamd_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
+
+# tmp files
+manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+# var/lib files for clamd
+manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+# log files
+manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+# pid file
+manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+
+kernel_dontaudit_list_proc(clamd_t)
+kernel_read_sysctl(clamd_t)
+kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
+
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
+corenet_tcp_sendrecv_generic_if(clamd_t)
+corenet_tcp_sendrecv_generic_node(clamd_t)
+corenet_tcp_sendrecv_all_ports(clamd_t)
+corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_tcp_bind_generic_node(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
+corenet_sendrecv_clamd_server_packets(clamd_t)
+
+dev_read_rand(clamd_t)
+dev_read_urand(clamd_t)
+
+domain_use_interactive_fds(clamd_t)
+
+files_read_etc_files(clamd_t)
+files_read_etc_runtime_files(clamd_t)
+files_search_spool(clamd_t)
+
+auth_use_nsswitch(clamd_t)
+
+logging_send_syslog_msg(clamd_t)
+
+miscfiles_read_localization(clamd_t)
+
+cron_use_fds(clamd_t)
+cron_use_system_job_fds(clamd_t)
+cron_rw_pipes(clamd_t)
+
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
+optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_create_pid_files(clamd_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+', `
+ dontaudit clamd_t self:process execmem;
+')
+
+########################################
+#
+# Freshclam local policy
+#
+
+allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:fifo_file rw_fifo_file_perms;
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:tcp_socket { listen accept };
+
+# configuration files
+allow freshclam_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
+
+# var/lib files together with clamd
+manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
+
+# pidfiles- var/run together with clamd
+manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
+manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
+files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+# log files (own logfiles only)
+manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
+corenet_tcp_sendrecv_generic_if(freshclam_t)
+corenet_tcp_sendrecv_generic_node(freshclam_t)
+corenet_tcp_sendrecv_all_ports(freshclam_t)
+corenet_tcp_sendrecv_clamd_port(freshclam_t)
+corenet_tcp_connect_http_port(freshclam_t)
+corenet_sendrecv_http_client_packets(freshclam_t)
+
+dev_read_rand(freshclam_t)
+dev_read_urand(freshclam_t)
+
+domain_use_interactive_fds(freshclam_t)
+
+files_read_etc_files(freshclam_t)
+files_read_etc_runtime_files(freshclam_t)
+
+auth_use_nsswitch(freshclam_t)
+
+logging_send_syslog_msg(freshclam_t)
+
+miscfiles_read_localization(freshclam_t)
+
+clamav_stream_connect(freshclam_t)
+
+optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+', `
+ dontaudit freshclam_t self:process execmem;
+')
+
+########################################
+#
+# clamscam local policy
+#
+
+allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:fifo_file rw_file_perms;
+allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+allow clamscan_t self:unix_dgram_socket create_socket_perms;
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
+
+# configuration files
+allow clamscan_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
+
+# tmp files
+manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
+files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+
+# var/lib files together with clamd
+manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
+allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
+kernel_read_kernel_sysctls(clamscan_t)
+
+files_read_etc_files(clamscan_t)
+files_read_etc_runtime_files(clamscan_t)
+files_search_var_lib(clamscan_t)
+
+init_read_utmp(clamscan_t)
+init_dontaudit_write_utmp(clamscan_t)
+
+miscfiles_read_localization(clamscan_t)
+miscfiles_read_public_files(clamscan_t)
+
+clamav_stream_connect(clamscan_t)
+
+mta_send_mail(clamscan_t)
+
+optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+')
+
+optional_policy(`
+ apache_read_sys_content(clamscan_t)
+')
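Review bot: The cron_use_fds/cron_use_system_job_fds/cron_rw_pipes and mta_read_config/mta_send_mail calls for clamd_t (and mta_send_mail for clamscan_t) are unconditional, while the amavis and exim calls right below them and the cron_system_entry call for freshclam_t are wrapped in optional_policy; if cron and mta are optional modules in this tree, a build without them fails on these lines. Wrapping them the same way keeps the module loadable and matches the rest of the file. A smaller inconsistency: clamscan_t gets `allow clamscan_t self:fifo_file rw_file_perms;` where clamd_t and freshclam_t use rw_fifo_file_perms; the fifo permission set is presumably what was meant.
```selinux
# … unchanged: clamd local policy through miscfiles_read_localization(clamd_t) …

optional_policy(`
	cron_use_fds(clamd_t)
	cron_use_system_job_fds(clamd_t)
	cron_rw_pipes(clamd_t)
')

optional_policy(`
	mta_read_config(clamd_t)
	mta_send_mail(clamd_t)
')

# … unchanged: amavis/exim optional_policy blocks, jit tunable, freshclam policy, clamscan policy through clamav_stream_connect(clamscan_t) …

optional_policy(`
	mta_send_mail(clamscan_t)
')
```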
diff --git a/policy/modules/contrib/clockspeed.fc b/policy/modules/contrib/clockspeed.fc
new file mode 100644
index 00000000..a7aa3858
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.fc
@@ -0,0 +1,14 @@
+
+#
+# /usr
+#
+/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/policy/modules/contrib/clockspeed.if b/policy/modules/contrib/clockspeed.if
new file mode 100644
index 00000000..07976176
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.if
@@ -0,0 +1,44 @@
+## <summary>Clockspeed simple network time protocol client</summary>
+
+########################################
+## <summary>
+## Execute clockspeed utilities in the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clockspeed_domtrans_cli',`
+ gen_require(`
+ type clockspeed_cli_t, clockspeed_cli_exec_t;
+ ')
+
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+')
+
+########################################
+## <summary>
+## Allow the specified role the clockspeed_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clockspeed_run_cli',`
+ gen_require(`
+ type clockspeed_cli_t;
+ ')
+
+ role $2 types clockspeed_cli_t;
+ clockspeed_domtrans_cli($1)
+')
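Review bot: The summary of clockspeed_run_cli says only "Allow the specified role the clockspeed_cli domain", but clockspeed.te in this change gives the domain `allow clockspeed_cli_t self:capability sys_time;`, so granting a role this domain effectively grants it the ability to set the system clock. That deserves to be stated in the interface documentation so a policy author does not hand it to an unprivileged user role by accident, e.g. add `## Note: clockspeed_cli_t holds CAP_SYS_TIME, so this effectively lets the role step the system clock.` to the summary of clockspeed_run_cli (and of clockspeed_domtrans_cli).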
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
new file mode 100644
index 00000000..b40f3f7b
--- /dev/null
+++ b/policy/modules/contrib/clockspeed.te
@@ -0,0 +1,72 @@
+policy_module(clockspeed, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+userdom_use_user_terminals(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
+corenet_udp_bind_generic_node(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+
+files_read_etc_files(clockspeed_srv_t)
+files_list_var_lib(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+')
diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc
new file mode 100644
index 00000000..6793948a
--- /dev/null
+++ b/policy/modules/contrib/clogd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/contrib/clogd.if b/policy/modules/contrib/clogd.if
new file mode 100644
index 00000000..c0a66a41
--- /dev/null
+++ b/policy/modules/contrib/clogd.if
@@ -0,0 +1,79 @@
+## <summary>clogd - Clustered Mirror Log Server</summary>
+
+######################################
+## <summary>
+## Execute a domain transition to run clogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clogd_domtrans',`
+ gen_require(`
+ type clogd_t, clogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clogd_exec_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Connect to clogd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_stream_connect',`
+ gen_require(`
+ type clogd_t, clogd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to clogd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_semaphores',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
+ type clogd_t, clogd_tmpfs_t;
+ ')
+
+ allow $1 clogd_t:shm rw_shm_perms;
+ allow $1 clogd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
new file mode 100644
index 00000000..60773390
--- /dev/null
+++ b/policy/modules/contrib/clogd.te
@@ -0,0 +1,54 @@
+policy_module(clogd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type clogd_t;
+type clogd_exec_t;
+init_daemon_domain(clogd_t, clogd_exec_t)
+
+type clogd_tmpfs_t;
+files_tmpfs_file(clogd_tmpfs_t)
+
+# pid files
+type clogd_var_run_t;
+files_pid_file(clogd_var_run_t)
+
+########################################
+#
+# clogd local policy
+#
+
+allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:process signal;
+
+allow clogd_t self:sem create_sem_perms;
+allow clogd_t self:shm create_shm_perms;
+allow clogd_t self:netlink_socket create_socket_perms;
+allow clogd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+
+# pid files
+manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+
+dev_read_lvm_control(clogd_t)
+dev_manage_generic_blk_files(clogd_t)
+
+storage_raw_read_fixed_disk(clogd_t)
+storage_raw_write_fixed_disk(clogd_t)
+
+logging_send_syslog_msg(clogd_t)
+
+miscfiles_read_localization(clogd_t)
+
+optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+')
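Review bot: The single optional_policy block at the end pairs aisexec_stream_connect(clogd_t) with corosync_stream_connect(clogd_t), so if either the aisexec or the corosync module is absent the whole block is dropped and clogd loses the connection to the one that is present; cmirrord.te in this change wraps corosync_stream_connect on its own. Split it into two optional_policy blocks, one holding aisexec_stream_connect(clogd_t) and one holding corosync_stream_connect(clogd_t). The mknod capability plus dev_manage_generic_blk_files and raw fixed-disk read/write make this a high-privilege domain; a comment above those lines saying which clogd operation needs each would help justify keeping them.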
diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc
new file mode 100644
index 00000000..049e2b61
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
new file mode 100644
index 00000000..f8463c0f
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.if
@@ -0,0 +1,113 @@
+## <summary>Cluster mirror log daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cmirrord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+## <summary>
+## Execute cmirrord server in the cmirrord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read cmirrord PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write to cmirrord shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm rw_shm_perms;
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cmirrord environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+')
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
new file mode 100644
index 00000000..28fdd8ad
--- /dev/null
+++ b/policy/modules/contrib/cmirrord.te
@@ -0,0 +1,58 @@
+policy_module(cmirrord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { setfscreate signal};
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+storage_create_fixed_disk_dev(cmirrord_t)
+
+seutil_read_file_contexts(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
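Review bot: cmirrord_t is given `allow cmirrord_t self:process { setfscreate signal};` together with domain_obj_id_change_exemption and seutil_read_file_contexts, which lets the daemon choose the label of objects it creates, and storage_create_fixed_disk_dev lets it create fixed-disk device nodes; none of these lines say why. A comment above that group such as `# presumably: device nodes created via storage_create_fixed_disk_dev are given an explicit context with setfscreate (needs file_contexts) — confirm` would document the intent and make the exemption reviewable. While there, `{ setfscreate signal}` is missing the space before the closing brace that every other permission set in the change has.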
diff --git a/policy/modules/contrib/cobbler.fc b/policy/modules/contrib/cobbler.fc
new file mode 100644
index 00000000..1cf6c4e4
--- /dev/null
+++ b/policy/modules/contrib/cobbler.fc
@@ -0,0 +1,7 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
new file mode 100644
index 00000000..116d60f5
--- /dev/null
+++ b/policy/modules/contrib/cobbler.if
@@ -0,0 +1,185 @@
+## <summary>Cobbler installation server.</summary>
+## <desc>
+## <p>
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run cobblerd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+## <summary>
+## Execute cobblerd server in the cobblerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read Cobbler content in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search cobbler dirs in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_manage_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cobblerd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
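Review bot: `cobblerd_admin` uses `httpd_cobbler_content_rw_t` in `admin_pattern($1, httpd_cobbler_content_rw_t)` without listing it in the interface's `gen_require` block, which only names the five cobbler* types. Refpolicy interfaces must require every type they reference, otherwise a caller in another module fails to build with an undeclared-type error; add `type httpd_cobbler_content_rw_t;` to the `gen_require` (the type is declared by `apache_content_template(cobbler)` in cobbler.te of this change). Separately, the admin interface reads process state with `read_files_pattern($1, cobblerd_t, cobblerd_t)` while the corosync admin interface in this series uses `ps_process_pattern($1, corosync_t)`; using `ps_process_pattern($1, cobblerd_t)` keeps the admin interfaces consistent and covers the lnk_file/dir search the proc entries need.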
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
new file mode 100644
index 00000000..0258b481
--- /dev/null
+++ b/policy/modules/contrib/cobbler.te
@@ -0,0 +1,128 @@
+policy_module(cobbler, 1.1.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+kernel_read_system_state(cobblerd_t)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_read_usr_files(cobblerd_t)
+files_list_boot(cobblerd_t)
+files_list_tmp(cobblerd_t)
+# read /etc/nsswitch.conf
+files_read_etc_files(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_rw_content(cobblerd_t)
+')
+
+########################################
+#
+# Cobbler web local policy.
+#
+
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
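Review bot: `sysnet_write_config`, `sysnet_rw_dhcp_config`, `bind_write_config`/`bind_manage_zone`, `dnsmasq_write_config` and `rsync_write_config` are granted to cobblerd_t unconditionally, so a compromised cobblerd can rewrite the host's resolver, DNS, DHCP and rsync configuration whether or not the administrator turned those Cobbler features on. The module already gates public-file writes behind `cobbler_anon_write` (default false); the same pattern fits here, since managing DHCP/DNS/rsync is presumably an optional Cobbler setting (confirm). Keep the read interfaces and the domtrans/initrc calls unconditional and wrap only the write/manage calls in a documented boolean that defaults to false, as sketched below. Minor: `apache_content_template(cobbler)` declares types, and refpolicy convention places such template calls in the declarations block at the top of the file rather than after the rules that use them.

```selinux
## <desc>
## <p>
## Allow cobblerd to rewrite the host's resolver, DHCP,
## DNS (bind/dnsmasq) and rsync configuration.
## </p>
## </desc>
gen_tunable(cobbler_manage_network_config, false)

# … unchanged: type declarations and base cobblerd_t rules …

sysnet_read_config(cobblerd_t)

tunable_policy(`cobbler_manage_network_config',`
	sysnet_rw_dhcp_config(cobblerd_t)
	sysnet_write_config(cobblerd_t)
')

optional_policy(`
	bind_read_config(cobblerd_t)
	bind_domtrans_ndc(cobblerd_t)
	bind_domtrans(cobblerd_t)
	bind_initrc_domtrans(cobblerd_t)

	tunable_policy(`cobbler_manage_network_config',`
		bind_write_config(cobblerd_t)
		bind_manage_zone(cobblerd_t)
	')
')

# … unchanged: dhcpd, rpm, tftp blocks; dnsmasq_write_config and
# rsync_write_config get the same tunable_policy wrapper …
```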
diff --git a/policy/modules/contrib/colord.fc b/policy/modules/contrib/colord.fc
new file mode 100644
index 00000000..78b2fea2
--- /dev/null
+++ b/policy/modules/contrib/colord.fc
@@ -0,0 +1,4 @@
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/contrib/colord.if b/policy/modules/contrib/colord.if
new file mode 100644
index 00000000..733e4e63
--- /dev/null
+++ b/policy/modules/contrib/colord.if
@@ -0,0 +1,59 @@
+## <summary>GNOME color manager</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run colord.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_domtrans',`
+ gen_require(`
+ type colord_t, colord_exec_t;
+ ')
+
+ domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## colord over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_dbus_chat',`
+ gen_require(`
+ type colord_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Read colord lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`colord_read_lib_files',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+')
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
new file mode 100644
index 00000000..74505cca
--- /dev/null
+++ b/policy/modules/contrib/colord.te
@@ -0,0 +1,100 @@
+policy_module(colord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+type colord_tmpfs_t;
+files_tmpfs_file(colord_tmpfs_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+########################################
+#
+# colord local policy
+#
+allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_getattr_proc_files(colord_t)
+kernel_read_device_sysctls(colord_t)
+
+corenet_all_recvfrom_unlabeled(colord_t)
+corenet_all_recvfrom_netlabel(colord_t)
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_rw_printer(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_rw_generic_usb_dev(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_list_mnt(colord_t)
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
+fs_read_noxattr_fs_files(colord_t)
+
+logging_send_syslog_msg(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
+ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+')
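Review bot: `allow colord_t self:capability { dac_read_search dac_override };` grants both capabilities, but `dac_override` already bypasses every read/search DAC check that `dac_read_search` does and the write checks on top, so the pair is either redundant or hides a write-side need that should be stated. If colord only needs to read profiles in other users' home directories (the `use_nfs_home_dirs`/`use_samba_home_dirs` read rules below suggest that — confirm with an audit log), reduce the line to `allow colord_t self:capability dac_read_search;`; if a write path genuinely needs it, keep `dac_override` and add a comment naming that path. In the same block, `dev_rw_generic_usb_dev` and `dev_write_video_dev` are wide device grants for a colour-management daemon; a comment stating which hardware they cover (presumably USB colorimeters — verify) would help the next reviewer judge them.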
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc
new file mode 100644
index 00000000..e7633fa2
--- /dev/null
+++ b/policy/modules/contrib/comsat.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/contrib/comsat.if b/policy/modules/contrib/comsat.if
new file mode 100644
index 00000000..afc4dfe7
--- /dev/null
+++ b/policy/modules/contrib/comsat.if
@@ -0,0 +1 @@
+## <summary>Comsat, a biff server.</summary>
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
new file mode 100644
index 00000000..3d121fda
--- /dev/null
+++ b/policy/modules/contrib/comsat.te
@@ -0,0 +1,74 @@
+policy_module(comsat, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t, comsat_exec_t)
+role system_r types comsat_t;
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:fifo_file rw_fifo_file_perms;
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
+
+manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t)
+files_pid_filetrans(comsat_t, comsat_var_run_t, file)
+
+kernel_read_kernel_sysctls(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_read_etc_files(comsat_t)
+files_list_usr(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+auth_use_nsswitch(comsat_t)
+
+init_read_utmp(comsat_t)
+init_dontaudit_write_utmp(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+mta_getattr_spool(comsat_t)
+
+optional_policy(`
+ kerberos_use(comsat_t)
+')
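Review bot: `corenet_udp_sendrecv_all_ports(comsat_t)` lets comsat send and receive UDP on every port, although as an `inetd_udp_service_domain` it only talks on the socket inetd hands it on the biff port. If corenetwork in this tree defines a comsat port type, scope it with `corenet_udp_sendrecv_comsat_port(comsat_t)` instead (confirm the interface exists); and the TCP side (`corenet_tcp_sendrecv_generic_if/node`, `self:tcp_socket connected_stream_socket_perms`, `netlink_tcpdiag_socket`) deserves a comment saying what inspects TCP connections in a UDP notifier, or should be dropped if nothing does. `files_search_home(comsat_t)` with no matching home-content read rule also looks incomplete; if comsat reads a per-user file such as `.biffrc` (hedged — verify) the corresponding userdom read interface is missing, otherwise the search is dead.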
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
new file mode 100644
index 00000000..32233abf
--- /dev/null
+++ b/policy/modules/contrib/consolekit.fc
@@ -0,0 +1,7 @@
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+
+/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if
new file mode 100644
index 00000000..fd15dfe1
--- /dev/null
+++ b/policy/modules/contrib/consolekit.if
@@ -0,0 +1,98 @@
+## <summary>Framework for facilitating multiple user sessions on desktops.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ domtrans_pattern($1, consolekit_exec_t, consolekit_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Manage consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
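Review bot: `consolekit_manage_log` calls `files_search_pids($1)`, but `consolekit_log_t` lives under /var/log (see consolekit.fc in this change), so callers get search on /var/run and not on the log directory, while the read counterpart `consolekit_read_log` correctly uses `logging_search_logs($1)`. Replace that line with `logging_search_logs($1)`; as written the manage permission is unreachable unless the caller already has log-directory search from elsewhere. Minor style point: `consolekit_read_pid_files` hand-writes `allow $1 consolekit_var_run_t:dir list_dir_perms;` where the rest of the file uses the pattern macros; `list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)` is the conventional form.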
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
new file mode 100644
index 00000000..6f2896db
--- /dev/null
+++ b/policy/modules/contrib/consolekit.te
@@ -0,0 +1,131 @@
+policy_module(consolekit, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+type consolekit_log_t;
+logging_log_file(consolekit_log_t)
+
+type consolekit_var_run_t;
+files_pid_file(consolekit_var_run_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+allow consolekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
+
+kernel_read_system_state(consolekit_t)
+
+corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
+files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
+
+fs_list_inotifyfs(consolekit_t)
+
+mcs_ptrace_all(consolekit_t)
+
+term_use_all_terms(consolekit_t)
+
+auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
+auth_write_login_records(consolekit_t)
+
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(consolekit_t)
+')
+
+optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(consolekit_t)
+ ')
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+ policykit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ type consolekit_tmpfs_t;
+ files_tmpfs_file(consolekit_tmpfs_t)
+
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_signal(consolekit_t)
+')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_stream_connect(consolekit_t)
+')
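Review bot: The capability line grants `sys_ptrace` and `mcs_ptrace_all(consolekit_t)` lifts the MCS constraint on ptrace, yet `domain_dontaudit_ptrace_all_domains(consolekit_t)` silently denies the SELinux ptrace permission on other domains, so the three rules together say the daemon is not meant to trace anything. CAP_SYS_PTRACE may still be required for `domain_read_all_domains_state`, since the kernel's ptrace_may_access check guards other users' /proc/<pid> entries (hedged — confirm against an audit log); if that is the reason, add `# sys_ptrace: reading other users' /proc/<pid> entries, not tracing` above the capability line and drop `mcs_ptrace_all`, which only matters once ptrace is actually allowed. `init_telinit(consolekit_t)` lets the daemon change runlevels (shutdown/reboot) and deserves a one-line comment tying it to the ConsoleKit stop/restart API it presumably serves. Minor: the comment `#reading .Xauthity` in the last optional block is misspelled (`.Xauthority`).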
diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc
new file mode 100644
index 00000000..3a6d7eb2
--- /dev/null
+++ b/policy/modules/contrib/corosync.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
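Review bot: `/usr/sbin/ccs_tool` is labeled `corosync_exec_t`, the entry-point type of the corosync daemon, so an administrator running that CLI either executes it in the daemon's domain (if a domtrans is granted) or cannot execute it at all; neither is what a configuration tool wants. If ccs_tool belongs to the cluster configuration system rather than to corosync (corosync.te in this change references `ccs_read_config`, which suggests a separate ccs module exists — confirm), its file context belongs in that module or it needs an exec type of its own; otherwise drop the line. `/var/run/cman_.* -s` is likewise the only entry here naming cman; a comment explaining why corosync owns those sockets (or moving the entry to the rhcs/cman module) would make the ownership clear.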
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
new file mode 100644
index 00000000..5220c9d5
--- /dev/null
+++ b/policy/modules/contrib/corosync.if
@@ -0,0 +1,106 @@
+## <summary>Corosync Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read corosync's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+## <summary>
+## Connect to corosync over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an corosync environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the corosyncd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosyncd_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+')
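Review bot: The admin interface is named `corosyncd_admin` while the domain and every other interface in this file use the `corosync_` prefix (`corosync_t`, `corosync_domtrans`, `corosync_read_log`, `corosync_stream_connect`), and its role parameter is documented as managing "the corosyncd domain", which does not exist. Rename it to `corosync_admin` and change the doc line to `The role to be allowed to manage the corosync domain.` so callers can find it by the module prefix; a deprecated alias for the old name is only needed if something already calls it. Also the `<summary>` reads "an corosync environment" — "a corosync environment".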
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
new file mode 100644
index 00000000..04969e59
--- /dev/null
+++ b/policy/modules/contrib/corosync.te
@@ -0,0 +1,103 @@
+policy_module(corosync, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t)
+
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
+
+manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(corosync_t)
+
+ rhcs_rw_fenced_semaphores(corosync_t)
+
+ rhcs_rw_gfs_controld_semaphores(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
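Review bot: `corenet_udp_bind_netsupport_port(corosync_t)` is the only network rule in this file, but binding a UDP socket also needs `node_bind` on the node type, which `corenet_udp_bind_generic_node(corosync_t)` provides, and the other daemons in this series pair the port bind with `corenet_all_recvfrom_unlabeled`/`corenet_all_recvfrom_netlabel` and the generic `sendrecv` interfaces. Unless those are granted elsewhere, add `corenet_udp_bind_generic_node(corosync_t)` next to the port bind and the recvfrom/sendrecv interfaces above it. Separately, `userdom_rw_user_tmpfs_files(corosync_t)` lets a system daemon read and write tmpfs files owned by user domains; if this is shared-memory IPC with cluster clients run as users (hedged), a comment stating that would justify crossing the boundary, and if it is only needed for rgmanager the `rgmanager_manage_tmpfs_files` optional block already covers it.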
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
new file mode 100644
index 00000000..5e591fa5
--- /dev/null
+++ b/policy/modules/contrib/courier.fc
@@ -0,0 +1,33 @@
+/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+
+/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
+
+/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
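Review bot: `imaplogin` receives two different types depending on path: `/usr/sbin/imaplogin` is `courier_authdaemon_exec_t` while `/usr/lib(64)?/courier/courier/imaplogin` is `courier_pop_exec_t`, so the same program runs in courier_authdaemon_t or courier_pop_t depending on which copy or symlink is executed. Pick one domain (the pop/imap server domain matches the neighbouring `courier-imapd` and `imapd` entries and looks intended — confirm) and make both entries agree. `/usr/bin/imapd -- courier_pop_exec_t` also claims a generic path that other IMAP servers may install to; it should be verified that Courier is the only package providing /usr/bin/imapd before labeling it as Courier's.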
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
new file mode 100644
index 00000000..459763f2
--- /dev/null
+++ b/policy/modules/contrib/courier.if
@@ -0,0 +1,255 @@
+## <summary>Courier IMAP and POP3 email servers</summary>
+
+########################################
+## <summary>
+## Template for creating courier server processes.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix name of the server process.
+## </summary>
+## </param>
+#
+template(`courier_domain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type courier_$1_t;
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ allow courier_$1_t self:capability dac_override;
+ dontaudit courier_$1_t self:capability sys_tty_config;
+ allow courier_$1_t self:process { setpgid signal_perms };
+ allow courier_$1_t self:fifo_file { read write getattr };
+ allow courier_$1_t self:tcp_socket create_stream_socket_perms;
+ allow courier_$1_t self:udp_socket create_socket_perms;
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
+
+ read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
+ allow courier_$1_t courier_etc_t:dir list_dir_perms;
+
+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ files_search_pids(courier_$1_t)
+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
+
+ kernel_read_system_state(courier_$1_t)
+ kernel_read_kernel_sysctls(courier_$1_t)
+
+ corecmd_exec_bin(courier_$1_t)
+ corecmd_exec_shell(courier_$1_t)
+
+ corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ dev_read_sysfs(courier_$1_t)
+
+ domain_use_interactive_fds(courier_$1_t)
+
+ files_read_etc_files(courier_$1_t)
+ files_read_etc_runtime_files(courier_$1_t)
+ files_read_usr_files(courier_$1_t)
+
+ fs_getattr_xattr_fs(courier_$1_t)
+ fs_search_auto_mountpoints(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
+
+ sysnet_read_config(courier_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(courier_$1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(courier_$1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the courier authentication daemon with
+## a domain transition.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_authdaemon',`
+ gen_require(`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+')
+
+########################################
+## <summary>
+## Allow read/write operations on an inherited stream socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`courier_authdaemon_rw_inherited_stream_sockets',`
+ gen_require(`
+ type courier_authdaemon_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket { read write };
+')
+
+
+########################################
+## <summary>
+## Connect to Authdaemon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`courier_authdaemon_stream_connect',`
+ gen_require(`
+ type courier_authdaemon_t, courier_var_run_t;
+ ')
+
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
+')
+
+########################################
+## <summary>
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`courier_domtrans_pop',`
+ gen_require(`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+')
+
+########################################
+## <summary>
+## Read courier config files
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_config',`
+ gen_require(`
+ type courier_etc_t;
+ ')
+
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool directories.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete courier
+## spool files.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read courier spool files.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write to courier spool pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_rw_spool_pipes',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
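Review bot: `courier_domain_template` labels both of its internal sections `# Declarations`; the second one, which begins with `allow courier_$1_t self:capability dac_override;`, holds the access rules and should read `# Local policy`, as `cron_common_crontab_template` does elsewhere in this commit. The interfaces courier_domtrans_authdaemon, courier_domtrans_pop, courier_read_config, courier_manage_spool_dirs, courier_manage_spool_files and courier_read_spool document their argument as `<param name="prefix">` although each takes a domain and the summary text says "Domain allowed access"; `<param name="domain">`, as used by courier_authdaemon_stream_connect and courier_rw_spool_pipes, matches the text and the generated docs. The template also grants every courier domain `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports`; a one-line comment explaining why per-port rules in the .te files are not sufficient would help the next reviewer judge that grant.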
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
new file mode 100644
index 00000000..98c31225
--- /dev/null
+++ b/policy/modules/contrib/courier.te
@@ -0,0 +1,161 @@
+policy_module(courier, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+courier_domain_template(authdaemon)
+
+type courier_etc_t;
+files_config_file(courier_etc_t)
+
+courier_domain_template(pcp)
+
+courier_domain_template(pop)
+
+type courier_spool_t;
+files_type(courier_spool_t)
+
+courier_domain_template(tcpd)
+
+type courier_var_lib_t;
+files_type(courier_var_lib_t)
+
+type courier_var_run_t;
+files_pid_file(courier_var_run_t)
+
+type courier_exec_t;
+mta_agent_executable(courier_exec_t)
+
+courier_domain_template(sqwebmail)
+typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+
+########################################
+#
+# Authdaemon local policy
+#
+
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(courier_authdaemon_t, courier_exec_t)
+
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
+
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
+read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
+create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+files_search_spool(courier_authdaemon_t)
+
+corecmd_search_bin(courier_authdaemon_t)
+
+# for SSP
+dev_read_urand(courier_authdaemon_t)
+
+files_getattr_tmp_dirs(courier_authdaemon_t)
+
+auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+libs_read_lib_files(courier_authdaemon_t)
+
+miscfiles_read_localization(courier_authdaemon_t)
+
+# should not be needed!
+userdom_search_user_home_dirs(courier_authdaemon_t)
+
+courier_domtrans_pop(courier_authdaemon_t)
+
+########################################
+#
+# Calendar (PCP) local policy
+#
+
+allow courier_pcp_t self:capability { setuid setgid };
+
+dev_read_rand(courier_pcp_t)
+
+########################################
+#
+# POP3/IMAP local policy
+#
+
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+# TODO Correct this, mentioning "var_lib_t" here is not done.
+search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
+read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
+
+miscfiles_read_localization(courier_pop_t)
+
+courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+courier_domtrans_authdaemon(courier_pop_t)
+
+# do the actual work (read the Maildir)
+userdom_manage_user_home_content_files(courier_pop_t)
+# cjp: the fact that this is different for pop vs imap means that
+# there should probably be a courier_pop_t and courier_imap_t
+# this should also probably be a separate type too instead of
+# the regular home dir
+userdom_manage_user_home_content_dirs(courier_pop_t)
+
+########################################
+#
+# TCPd local policy
+#
+
+allow courier_tcpd_t self:capability kill;
+
+can_exec(courier_tcpd_t, courier_exec_t)
+
+manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+files_search_var_lib(courier_tcpd_t)
+
+corecmd_search_bin(courier_tcpd_t)
+
+corenet_tcp_bind_generic_node(courier_tcpd_t)
+corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+
+# for TLS
+dev_read_rand(courier_tcpd_t)
+dev_read_urand(courier_tcpd_t)
+
+miscfiles_read_localization(courier_tcpd_t)
+
+courier_domtrans_pop(courier_tcpd_t)
+courier_authdaemon_stream_connect(courier_tcpd_t)
+courier_domtrans_authdaemon(courier_tcpd_t)
+
+########################################
+#
+# Webmail local policy
+#
+
+kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(courier_authdaemon_t)
+')
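Review bot: The authdaemon section repeats rules verbatim: `allow courier_authdaemon_t courier_tcpd_t:fd use;` appears twice and `allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;` three times, while the two `fifo_file` rules on the same target grant overlapping sets (`rw_fifo_file_perms` and `rw_file_perms`). Collapsing them to one `fd use`, one `tcp_socket`, one `unix_stream_socket`, one `process sigchld` and a single fifo rule keeps the policy readable and makes the effective grant obvious. Separately, `allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };` allows sys_tty_config although `courier_domain_template` dontaudits that capability for every courier domain; if authdaemon does not actually need it, the allow should drop it so the template's intent (deny quietly) holds.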
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
new file mode 100644
index 00000000..789c8c7d
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -0,0 +1,10 @@
+
+/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.if b/policy/modules/contrib/cpucontrol.if
new file mode 100644
index 00000000..ff6310d4
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.if
@@ -0,0 +1,17 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+## CPUcontrol stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpucontrol_stub',`
+ gen_require(`
+ type cpucontrol_t;
+ ')
+')
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
new file mode 100644
index 00000000..13d2f636
--- /dev/null
+++ b/policy/modules/contrib/cpucontrol.te
@@ -0,0 +1,122 @@
+policy_module(cpucontrol, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_system_domain(cpuspeed_t, cpuspeed_exec_t)
+
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability { ipc_lock sys_rawio };
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctls(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_interactive_fds(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fds(cpucontrol_t)
+init_use_script_ptys(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+
+optional_policy(`
+ nscd_socket_use(cpucontrol_t)
+')
+
+optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`
+ udev_read_db(cpucontrol_t)
+')
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file)
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctls(cpuspeed_t)
+
+dev_write_sysfs_dirs(cpuspeed_t)
+dev_rw_sysfs(cpuspeed_t)
+
+domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+init_use_fds(cpuspeed_t)
+init_use_script_ptys(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+optional_policy(`
+ nscd_socket_use(cpuspeed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`
+ udev_read_db(cpuspeed_t)
+')
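Review bot: `allow cpucontrol_t self:capability { ipc_lock sys_rawio };` grants two broad capabilities with no comment saying which operation needs them, while other non-obvious rules in the file are annotated (e.g. `# for demand/load-based scaling:`). A comment such as `# sys_rawio: writing the microcode device (dev_rw_cpu_microcode) needs CAP_SYS_RAWIO; ipc_lock: presumably to pin the firmware image — confirm` would let a later reviewer re-check whether the grant is still required. The same applies to `allow cpuspeed_t self:process { signal_perms setsched };` in the frequency-scaling section, where setsched is not explained.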
diff --git a/policy/modules/contrib/cpufreqselector.fc b/policy/modules/contrib/cpufreqselector.fc
new file mode 100644
index 00000000..b187f0f7
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.fc
@@ -0,0 +1 @@
+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
diff --git a/policy/modules/contrib/cpufreqselector.if b/policy/modules/contrib/cpufreqselector.if
new file mode 100644
index 00000000..932fa532
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.if
@@ -0,0 +1,22 @@
+## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/cpufreqselector.te b/policy/modules/contrib/cpufreqselector.te
new file mode 100644
index 00000000..f77d58a4
--- /dev/null
+++ b/policy/modules/contrib/cpufreqselector.te
@@ -0,0 +1,55 @@
+policy_module(cpufreqselector, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpufreqselector_t;
+type cpufreqselector_exec_t;
+application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+########################################
+#
+# cpufreq-selector local policy
+#
+
+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:process getsched;
+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(cpufreqselector_t)
+
+files_read_etc_files(cpufreqselector_t)
+files_read_usr_files(cpufreqselector_t)
+
+corecmd_search_bin(cpufreqselector_t)
+
+dev_rw_sysfs(cpufreqselector_t)
+
+miscfiles_read_localization(cpufreqselector_t)
+
+userdom_read_all_users_state(cpufreqselector_t)
+userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+
+optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cpufreqselector_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(cpufreqselector_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(cpufreqselector_t)
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+')
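Review bot: `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` grants sys_ptrace with no explanation, and for a frequency-selector helper that is a large grant a reader cannot justify from this file alone. The only visible consumer is `userdom_read_all_users_state` a few lines below (reading other users' /proc entries), so a comment like `# sys_ptrace: reading other users' /proc/<pid> state via userdom_read_all_users_state — confirm still needed` would document the dependency; if the process-state access is not actually needed, both rules should be removed together.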
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
new file mode 100644
index 00000000..3559a052
--- /dev/null
+++ b/policy/modules/contrib/cron.fc
@@ -0,0 +1,56 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs/.* -- <<none>>
+#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
+/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs/[^/]* -- <<none>>
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
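Review bot: `/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)` in the distro_debian block leaves the dot unescaped, unlike every other entry in this file; since file-context paths are regular expressions it also matches names such as `prelinkXlog`. It should read `/var/log/prelink\.log -- gen_context(system_u:object_r:cron_log_t,s0)`. The `/var/spool/fcron/.* <<none>>` line also omits the `--` file-type field that the neighbouring `<<none>>` entries carry; that may be deliberate (covering directories too), but a short comment would make it clear.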
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
new file mode 100644
index 00000000..6e12dc75
--- /dev/null
+++ b/policy/modules/contrib/cron.if
@@ -0,0 +1,632 @@
+## <summary>Periodic execution of scheduled commands.</summary>
+
+#######################################
+## <summary>
+## The common rules for a crontab domain.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`cron_common_crontab_template',`
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ userdom_user_application_domain($1_t, crontab_exec_t)
+
+ type $1_tmp_t;
+ userdom_user_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_t, $1_tmp_t, file)
+
+ # create files in /var/spool/cron
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+ filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+ files_list_spool($1_t)
+
+ # crontab signals crond by updating the mtime on the spooldir
+ allow $1_t cron_spool_t:dir setattr;
+
+ kernel_read_system_state($1_t)
+
+ # for the checks used by crontab -u
+ selinux_dontaudit_search_fs($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_dontaudit_search_pids($1_t)
+
+ auth_domtrans_chk_passwd($1_t)
+
+ logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ seutil_read_config($1_t)
+
+ userdom_manage_user_tmp_dirs($1_t)
+ userdom_manage_user_tmp_files($1_t)
+ # Access terminals.
+ userdom_use_user_terminals($1_t)
+ # Read user crontabs
+ userdom_read_user_home_content_files($1_t)
+
+ tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit $1_t crond_t:process signal;
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for cron
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ ')
+
+ role $1 types { cronjob_t crontab_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for unconfined cronjobs
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ ')
+
+ role $1 types { unconfined_cronjob_t crontab_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for cron
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`cron_admin_role',`
+ gen_require(`
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ class passwd crontab;
+ ')
+
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
+
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified program domain accessable
+## from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+ ')
+
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
+')
+
+########################################
+## <summary>
+## Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Execute crond_exec_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute crond server in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor
+## from the cron daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_fds',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the cron daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_sigchld',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file { getattr read write };
+')
+
+########################################
+## <summary>
+## Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Dontaudit Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_search_spool',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 cron_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage pid files used by cron
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute anacron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_anacron_domtrans_system_job',`
+ gen_require(`
+ type system_cronjob_t, anacron_exec_t;
+ ')
+
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor
+## from system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_system_job_fds',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fd use;
+')
+
+########################################
+## <summary>
+## Write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow read/write unix stream sockets from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append temporary
+## files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+')
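Review bot: `cron_write_system_job_pipes` grants `allow $1 system_cronjob_t:file write;` although its summary promises write access to a system cron job unnamed pipe and the sibling `cron_rw_system_job_pipes` correctly uses `fifo_file`; the rule should be `allow $1 system_cronjob_t:fifo_file write;`, mirroring `cron_dontaudit_write_pipes`. In `cron_admin_role`, the optional dbus block calls `dbus_stub(admin_cronjob_t)` — a type that is neither in the interface's gen_require nor declared anywhere visible — while the allow rule two lines later uses `cronjob_t`; presumably the stub call was meant to be `dbus_stub(cronjob_t)`, as in `cron_role`. The summary of `cron_initrc_domtrans` ("Execute crond server in the nscd domain") is a copy-paste leftover and should describe running the crond init script with a domain transition, which is what `init_labeled_script_domtrans` does.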
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
new file mode 100644
index 00000000..f25d9d14
--- /dev/null
+++ b/policy/modules/contrib/cron.te
@@ -0,0 +1,631 @@
+policy_module(cron, 2.4.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel, false)
+
+## <desc>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond, false)
+
+attribute cron_spool_type;
+
+type anacron_exec_t;
+application_executable_file(anacron_exec_t)
+
+type cron_spool_t;
+files_type(cron_spool_t)
+
+# var/lib files
+type cron_var_lib_t;
+files_type(cron_var_lib_t)
+
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
+# var/log files
+type cron_log_t;
+logging_log_file(cron_log_t)
+
+type cronjob_t;
+typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
+typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+domain_interactive_fd(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
+
+type crond_t;
+type crond_exec_t;
+init_daemon_domain(crond_t, crond_exec_t)
+domain_interactive_fd(crond_t)
+domain_cron_exemption_source(crond_t)
+
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
+type crond_tmp_t;
+files_tmp_file(crond_tmp_t)
+
+type crond_var_run_t;
+files_pid_file(crond_var_run_t)
+
+type crontab_exec_t;
+application_executable_file(crontab_exec_t)
+
+cron_common_crontab_template(admin_crontab)
+typealias admin_crontab_t alias sysadm_crontab_t;
+typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
+
+cron_common_crontab_template(crontab)
+typealias crontab_t alias { user_crontab_t staff_crontab_t };
+typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+
+type system_cron_spool_t, cron_spool_type;
+files_type(system_cron_spool_t)
+
+type system_cronjob_t alias system_crond_t;
+init_daemon_domain(system_cronjob_t, anacron_exec_t)
+corecmd_shell_entry_type(system_cronjob_t)
+domain_interactive_fd(system_cronjob_t)
+role system_r types system_cronjob_t;
+
+type system_cronjob_lock_t alias system_crond_lock_t;
+files_lock_file(system_cronjob_lock_t)
+
+type system_cronjob_tmp_t alias system_crond_tmp_t;
+files_tmp_file(system_cronjob_tmp_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
+
+# Type of user crontabs once moved to cron spool.
+type user_cron_spool_t, cron_spool_type;
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
+
+########################################
+#
+# Admin crontab local policy
+#
+
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+
+# Manipulate other users crontab.
+selinux_get_fs_mount(admin_crontab_t)
+selinux_validate_context(admin_crontab_t)
+selinux_compute_access_vector(admin_crontab_t)
+selinux_compute_create_context(admin_crontab_t)
+selinux_compute_relabel_context(admin_crontab_t)
+selinux_compute_user_contexts(admin_crontab_t)
+
+tunable_policy(`fcron_crond', `
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+')
+
+########################################
+#
+# Cron daemon local policy
+#
+
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process { setexec setfscreate };
+allow crond_t self:fd use;
+allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
+allow crond_t self:unix_dgram_socket sendto;
+allow crond_t self:unix_stream_socket connectto;
+allow crond_t self:shm create_shm_perms;
+allow crond_t self:sem create_sem_perms;
+allow crond_t self:msgq create_msgq_perms;
+allow crond_t self:msg { send receive };
+allow crond_t self:key { search write link };
+
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
+files_pid_filetrans(crond_t, crond_var_run_t, file)
+
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+
+manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
+
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
+
+dev_read_urand(crond_t)
+
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
+
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+
+corecmd_exec_shell(crond_t)
+corecmd_list_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
+
+domain_use_interactive_fds(crond_t)
+
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
+files_read_etc_files(crond_t)
+files_read_generic_spool(crond_t)
+files_list_usr(crond_t)
+# Read from /var/spool/cron.
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
+
+init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
+
+auth_use_nsswitch(crond_t)
+
+logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
+
+seutil_read_config(crond_t)
+seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
+
+miscfiles_read_localization(crond_t)
+
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
+userdom_list_user_home_dirs(crond_t)
+
+mta_send_mail(crond_t)
+
+ifdef(`distro_debian',`
+ # pam_limits is used
+ allow crond_t self:process setrlimit;
+
+ optional_policy(`
+ # Debian logcheck has the home dir set to its cache
+ logwatch_search_cache_dir(crond_t)
+ ')
+')
+
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(crond_t)
+ ')
+')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
+optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+')
+
+optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
+ amavis_search_lib(crond_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(crond_t)
+')
+
+optional_policy(`
+ # cjp: why?
+ munin_search_lib(crond_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
+')
+
+optional_policy(`
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
+')
+
+optional_policy(`
+ udev_read_db(crond_t)
+')
+
+########################################
+#
+# System cron process domain
+#
+
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t self:passwd rootok;
+
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
+logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
+allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+
+# Write /var/lock/makewhatis.lock.
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+
+# write temporary files
+manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+
+# Read from /var/spool/cron.
+allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+allow system_cronjob_t cron_spool_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(system_cronjob_t)
+kernel_read_system_state(system_cronjob_t)
+kernel_read_software_raid_state(system_cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(system_cronjob_t)
+
+corecmd_exec_all_executables(system_cronjob_t)
+
+corenet_all_recvfrom_unlabeled(system_cronjob_t)
+corenet_all_recvfrom_netlabel(system_cronjob_t)
+corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+corenet_udp_sendrecv_generic_if(system_cronjob_t)
+corenet_tcp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_tcp_sendrecv_all_ports(system_cronjob_t)
+corenet_udp_sendrecv_all_ports(system_cronjob_t)
+
+dev_getattr_all_blk_files(system_cronjob_t)
+dev_getattr_all_chr_files(system_cronjob_t)
+dev_read_urand(system_cronjob_t)
+
+fs_getattr_all_fs(system_cronjob_t)
+fs_getattr_all_files(system_cronjob_t)
+fs_getattr_all_symlinks(system_cronjob_t)
+fs_getattr_all_pipes(system_cronjob_t)
+fs_getattr_all_sockets(system_cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+files_exec_etc_files(system_cronjob_t)
+files_read_etc_files(system_cronjob_t)
+files_read_etc_runtime_files(system_cronjob_t)
+files_list_all(system_cronjob_t)
+files_getattr_all_dirs(system_cronjob_t)
+files_getattr_all_files(system_cronjob_t)
+files_getattr_all_symlinks(system_cronjob_t)
+files_getattr_all_pipes(system_cronjob_t)
+files_getattr_all_sockets(system_cronjob_t)
+files_read_usr_files(system_cronjob_t)
+files_read_var_files(system_cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_generic_spool(system_cronjob_t)
+
+init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
+
+auth_use_nsswitch(system_cronjob_t)
+
+libs_exec_lib_files(system_cronjob_t)
+libs_exec_ld_so(system_cronjob_t)
+
+logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
+logging_send_syslog_msg(system_cronjob_t)
+
+miscfiles_read_localization(system_cronjob_t)
+miscfiles_manage_man_pages(system_cronjob_t)
+
+seutil_read_config(system_cronjob_t)
+
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+')
+
+tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+',`
+ selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+ selinux_compute_relabel_context(system_cronjob_t)
+ selinux_compute_user_contexts(system_cronjob_t)
+ seutil_read_file_contexts(system_cronjob_t)
+')
+
+optional_policy(`
+ # Needed for certwatch
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
+')
+
+optional_policy(`
+ cyrus_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ftp_read_log(system_cronjob_t)
+')
+
+optional_policy(`
+ inn_manage_log(system_cronjob_t)
+ inn_manage_pid(system_cronjob_t)
+ inn_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+')
+
+optional_policy(`
+ mta_send_mail(system_cronjob_t)
+')
+
+optional_policy(`
+ mysql_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabelfrom_lib(system_cronjob_t)
+')
+
+optional_policy(`
+ samba_read_config(system_cronjob_t)
+ samba_read_log(system_cronjob_t)
+ #samba_read_secrets(system_cronjob_t)
+')
+
+optional_policy(`
+ slocate_create_append_log(system_cronjob_t)
+')
+
+optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+ sysstat_manage_log(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(system_cronjob_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+')
+
+########################################
+#
+# User cronjobs local policy
+#
+
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow crond_t cronjob_t:key create;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_generic_if(cronjob_t)
+corenet_udp_sendrecv_generic_if(cronjob_t)
+corenet_tcp_sendrecv_generic_node(cronjob_t)
+corenet_udp_sendrecv_generic_node(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_read_usr_files(cronjob_t)
+files_exec_etc_files(cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(cronjob_t)
+
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_manage_user_tmp_files(cronjob_t)
+userdom_manage_user_tmp_symlinks(cronjob_t)
+userdom_manage_user_tmp_pipes(cronjob_t)
+userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
+userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
+userdom_manage_user_home_content_files(cronjob_t)
+userdom_manage_user_home_content_symlinks(cronjob_t)
+userdom_manage_user_home_content_pipes(cronjob_t)
+userdom_manage_user_home_content_sockets(cronjob_t)
+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
+tunable_policy(`fcron_crond', `
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+')
+
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
+optional_policy(`
+ nis_use_ypbind(cronjob_t)
+')
+
+########################################
+#
+# Unconfined cronjobs local policy
+#
+
+optional_policy(`
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
+ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ allow crond_t unconfined_cronjob_t:fd use;
+
+ unconfined_domain(unconfined_cronjob_t)
+')
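Review bot: `allow system_cronjob_t self:passwd rootok;` at the top of the system cron job section has no comment saying which job needs it, even though it is the only rule this module pulls `class passwd rootok` into the gen_require for, and `rootok` is a userspace permission (consulted by the password-changing path, pam_rootok if I read the class right) that lets the domain skip a password check rather than something the kernel enforces. A why-comment on the line, e.g. `# <JOB-NEEDING-ROOTOK: name the consumer> changes credentials as root without a password prompt -- TODO confirm`, would let a later reader judge whether the permission can be dropped. In the crond_t section, `allow crond_t self:process ~{ ... setexec setfscreate ... };` immediately followed by `allow crond_t self:process { setexec setfscreate };` reads as contradictory until one reaches the setexeccon comment several hundred lines later; a one-line `# setexec/setfscreate: crond sets the job context explicitly (see the transition rules below)` above the second rule would tie them together. Finally, the optional block near the end grants `unconfined_domain(system_cronjob_t)`, which on systems with the unconfined module loaded supersedes the carefully scoped rules above it; if that is intended, a comment stating so on that block would save a reviewer from assuming the narrower rules are the effective policy.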
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
new file mode 100644
index 00000000..1b492eda
--- /dev/null
+++ b/policy/modules/contrib/cups.fc
@@ -0,0 +1,73 @@
+
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
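Review bot: `/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)` sits inside the `/etc/cups` block, between `/etc/cups/certs/.*` and `/etc/cups/interfaces`, which breaks the path-sorted order the rest of the file keeps and that the `keep as separate lines to ensure proper sorting` comment relies on; in sorted order it belongs after `/etc/printcap.*`. The last block labels `/var/ccpd(/.*)?`, `/var/ekpd(/.*)?` and `/var/turboprint(/.*)?` — paths outside `/var/run` — as `cupsd_var_run_t` without saying why; a short comment such as `# runtime dirs of third-party printer driver daemons run as cups backends -- TODO confirm` would stop a reader from "fixing" them into a generic type. Likewise `/var/cache/cups(/.*)?` is the only entry that uses `mls_systemhigh` instead of `s0`, and a one-line comment on the reason (presumably cached job data from every level) would make the exception deliberate rather than look like a stray.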
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
new file mode 100644
index 00000000..305ddf46
--- /dev/null
+++ b/policy/modules/contrib/cups.if
@@ -0,0 +1,358 @@
+## <summary>Common UNIX printing system</summary>
+
+########################################
+## <summary>
+## Setup cups to transtion to the cups backend domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+ role system_r types $1;
+
+ domtrans_pattern(cupsd_t, $2, $1)
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+## <summary>
+## Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans',`
+ gen_require(`
+ type cupsd_t, cupsd_exec_t;
+ ')
+
+ domtrans_pattern($1, cupsd_exec_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Connect to cupsd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect',`
+ gen_require(`
+ type cupsd_t, cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+')
+
+########################################
+## <summary>
+## Connect to cups over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cups over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat',`
+ gen_require(`
+ type cupsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_t:dbus send_msg;
+ allow cupsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_pid_files',`
+ gen_require(`
+ type cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute cups_config in the cups_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_config',`
+ gen_require(`
+ type cupsd_config_t, cupsd_config_exec_t;
+ ')
+
+ domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to the cups
+## configuration daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_signal_config',`
+ gen_require(`
+ type cupsd_config_t;
+ ')
+
+ allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+ gen_require(`
+ type cupsd_config_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cupsd_config_t:dbus send_msg;
+ allow cupsd_config_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read cups configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+')
+
+########################################
+## <summary>
+## Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_rw_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+')
+
+########################################
+## <summary>
+## Read cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_read_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+## <summary>
+## Write cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_write_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to ptal over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+ gen_require(`
+ type ptal_t, ptal_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cups environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cups domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+ type cupsd_initrc_exec_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cupsd_t)
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, cupsd_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, cupsd_config_var_run_t)
+
+ admin_pattern($1, cupsd_log_t)
+ logging_list_logs($1)
+
+ admin_pattern($1, cupsd_lpd_tmp_t)
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+ admin_pattern($1, cupsd_spool_t)
+ files_list_spool($1)
+
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, cupsd_var_run_t)
+ files_list_pids($1)
+
+ admin_pattern($1, hplip_var_run_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ admin_pattern($1, ptal_var_run_t)
+')
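Review bot: `cups_backend` uses `$2` as the backend's entry-point type (`domain_entry_file($1, $2)` and `domtrans_pattern(cupsd_t, $2, $1)`) but its header documents only `<param name="domain">`, so the generated interface documentation and anyone reading it will not know a second argument exists. Add a second parameter block after the first: `## <param name="entry_point">` / `## <summary>Type of the backend executable that cupsd transitions through.</summary>` / `## </param>`, and since this interface creates a domain rather than granting one access, the first summary reads better as "Domain of the backend to be set up." than "Domain allowed access.". The same summary misspells "transition" as `transtion`, and the `cups_admin` summary says `an cups environment`; both are worth fixing while touching the headers.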
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
new file mode 100644
index 00000000..0f28095a
--- /dev/null
+++ b/policy/modules/contrib/cups.te
@@ -0,0 +1,781 @@
+policy_module(cups, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type cupsd_config_t;
+type cupsd_config_exec_t;
+init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+
+type cupsd_config_var_run_t;
+files_pid_file(cupsd_config_var_run_t)
+
+type cupsd_t;
+type cupsd_exec_t;
+init_daemon_domain(cupsd_t, cupsd_exec_t)
+
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
+
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
+
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
+type cupsd_log_t;
+logging_log_file(cupsd_log_t)
+
+type cupsd_lpd_t;
+type cupsd_lpd_exec_t;
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+role system_r types cupsd_lpd_t;
+
+type cupsd_lpd_tmp_t;
+files_tmp_file(cupsd_lpd_tmp_t)
+
+type cupsd_lpd_var_run_t;
+files_pid_file(cupsd_lpd_var_run_t)
+
+type cups_pdf_t;
+type cups_pdf_exec_t;
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
+type cupsd_tmp_t;
+files_tmp_file(cupsd_tmp_t)
+
+type cupsd_var_run_t;
+files_pid_file(cupsd_var_run_t)
+mls_trusted_object(cupsd_var_run_t)
+
+type hplip_t;
+type hplip_exec_t;
+init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
+
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
+
+type hplip_var_run_t;
+files_pid_file(hplip_var_run_t)
+
+type ptal_t;
+type ptal_exec_t;
+init_daemon_domain(ptal_t, ptal_exec_t)
+
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
+
+type ptal_var_run_t;
+files_pid_file(ptal_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Cups local policy
+#
+
+# /usr/lib/cups/backend/serial needs sys_admin(?!)
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
+allow cupsd_t self:sem create_sem_perms;
+allow cupsd_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_t self:udp_socket create_socket_perms;
+allow cupsd_t self:appletalk_socket create_socket_perms;
+# generic socket here until appletalk socket is available in kernels
+allow cupsd_t self:socket create_socket_perms;
+
+allow cupsd_t cupsd_etc_t:{ dir file } setattr;
+read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+files_search_etc(cupsd_t)
+
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+
+manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+allow cupsd_t cupsd_log_t:dir setattr;
+logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+
+manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+
+allow cupsd_t hplip_t:process { signal sigkill };
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+allow cupsd_t ptal_var_run_t : sock_file setattr;
+
+kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
+kernel_read_all_sysctls(cupsd_t)
+kernel_request_load_module(cupsd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_t)
+corenet_udp_sendrecv_generic_if(cupsd_t)
+corenet_raw_sendrecv_generic_if(cupsd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_t)
+corenet_udp_sendrecv_generic_node(cupsd_t)
+corenet_raw_sendrecv_generic_node(cupsd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_t)
+corenet_udp_sendrecv_all_ports(cupsd_t)
+corenet_tcp_bind_generic_node(cupsd_t)
+corenet_udp_bind_generic_node(cupsd_t)
+corenet_tcp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
+corenet_tcp_bind_reserved_port(cupsd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
+corenet_tcp_connect_all_ports(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_sendrecv_ipp_server_packets(cupsd_t)
+
+dev_rw_printer(cupsd_t)
+dev_read_urand(cupsd_t)
+dev_read_sysfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
+dev_getattr_printer_dev(cupsd_t)
+
+domain_read_all_domains_state(cupsd_t)
+
+fs_getattr_all_fs(cupsd_t)
+fs_search_auto_mountpoints(cupsd_t)
+fs_search_fusefs(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+
+mls_file_downgrade(cupsd_t)
+mls_file_write_all_levels(cupsd_t)
+mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
+mls_socket_write_all_levels(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
+
+term_use_unallocated_ttys(cupsd_t)
+term_search_ptys(cupsd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_shell(cupsd_t)
+corecmd_exec_bin(cupsd_t)
+
+domain_use_interactive_fds(cupsd_t)
+
+files_list_spool(cupsd_t)
+files_read_etc_files(cupsd_t)
+files_read_etc_runtime_files(cupsd_t)
+# read python modules
+files_read_usr_files(cupsd_t)
+# for /var/lib/defoma
+files_read_var_lib_files(cupsd_t)
+files_list_world_readable(cupsd_t)
+files_read_world_readable_files(cupsd_t)
+files_read_world_readable_symlinks(cupsd_t)
+# Satisfy readahead
+files_read_var_files(cupsd_t)
+files_read_var_symlinks(cupsd_t)
+# for /etc/printcap
+files_dontaudit_write_etc_files(cupsd_t)
+# smbspool seems to be iterating through all existing tmp files.
+# redhat bug #214953
+# cjp: this might be a broken behavior
+files_dontaudit_getattr_all_tmp_files(cupsd_t)
+
+selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
+
+init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
+auth_use_nsswitch(cupsd_t)
+
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+libs_read_lib_files(cupsd_t)
+libs_exec_lib_files(cupsd_t)
+
+logging_send_audit_msgs(cupsd_t)
+logging_send_syslog_msg(cupsd_t)
+
+miscfiles_read_localization(cupsd_t)
+# invoking ghostscript needs to read fonts
+miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+
+seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
+
+files_dontaudit_list_home(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+# Write to /var/spool/cups.
+lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
+
+optional_policy(`
+ apm_domtrans_client(cupsd_t)
+')
+
+optional_policy(`
+ cron_system_entry(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
+ userdom_dbus_send_all_users(cupsd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(cupsd_t)
+')
+
+optional_policy(`
+ inetd_core_service_domain(cupsd_t, cupsd_exec_t)
+')
+
+optional_policy(`
+ logrotate_domtrans(cupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cupsd_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_t)
+')
+
+########################################
+#
+# Cups configuration daemon local policy
+#
+
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
+allow cupsd_config_t self:process { getsched signal_perms };
+allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+
+allow cupsd_config_t cupsd_t:process signal;
+ps_process_pattern(cupsd_config_t, cupsd_t)
+
+manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+
+manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
+
+can_exec(cupsd_config_t, cupsd_config_exec_t)
+
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
+manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+
+kernel_read_system_state(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
+corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+corenet_tcp_connect_all_ports(cupsd_config_t)
+corenet_sendrecv_all_client_packets(cupsd_config_t)
+
+dev_read_sysfs(cupsd_config_t)
+dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
+
+files_search_all_mountpoints(cupsd_config_t)
+
+fs_getattr_all_fs(cupsd_config_t)
+fs_search_auto_mountpoints(cupsd_config_t)
+
+corecmd_exec_bin(cupsd_config_t)
+corecmd_exec_shell(cupsd_config_t)
+
+domain_use_interactive_fds(cupsd_config_t)
+# killall causes the following
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+files_read_usr_files(cupsd_config_t)
+files_read_etc_files(cupsd_config_t)
+files_read_etc_runtime_files(cupsd_config_t)
+files_read_var_symlinks(cupsd_config_t)
+
+# Alternatives asks for this
+init_getattr_all_script_files(cupsd_config_t)
+
+auth_use_nsswitch(cupsd_config_t)
+
+logging_send_syslog_msg(cupsd_config_t)
+
+miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
+
+seutil_dontaudit_search_config(cupsd_config_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
+
+lpd_read_config(cupsd_config_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(cupsd_config_t)
+ ')
+')
+
+optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
+ cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_config_t)
+ ')
+')
+
+optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+')
+
+optional_policy(`
+ hostname_exec(cupsd_config_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(cupsd_config_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+')
+
+optional_policy(`
+ rpm_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cupsd_config_t)
+')
+
+optional_policy(`
+ udev_read_db(cupsd_config_t)
+')
+
+optional_policy(`
+ unconfined_stream_connect(cupsd_config_t)
+')
+
+########################################
+#
+# Cups lpd support
+#
+
+allow cupsd_lpd_t self:process signal_perms;
+allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+allow cupsd_lpd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cupsd_lpd_t self:capability { setuid setgid };
+files_search_home(cupsd_lpd_t)
+optional_policy(`
+ kerberos_use(cupsd_lpd_t)
+')
+#end for identd
+
+allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t)
+
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
+read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+
+manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t)
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+
+manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(cupsd_lpd_t)
+kernel_read_system_state(cupsd_lpd_t)
+kernel_read_network_state(cupsd_lpd_t)
+
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
+corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
+corenet_udp_sendrecv_generic_node(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_tcp_bind_generic_node(cupsd_lpd_t)
+corenet_udp_bind_generic_node(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+
+dev_read_urand(cupsd_lpd_t)
+dev_read_rand(cupsd_lpd_t)
+
+fs_getattr_xattr_fs(cupsd_lpd_t)
+
+files_read_etc_files(cupsd_lpd_t)
+
+auth_use_nsswitch(cupsd_lpd_t)
+
+logging_send_syslog_msg(cupsd_lpd_t)
+
+miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+
+cups_stream_connect(cupsd_lpd_t)
+
+optional_policy(`
+ inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+fs_rw_anon_inodefs_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+miscfiles_read_fonts(cups_pdf_t)
+
+userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_manage_user_home_content_dirs(cups_pdf_t)
+userdom_manage_user_home_content_files(cups_pdf_t)
+
+lpd_manage_spool(cups_pdf_t)
+
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(cups_pdf_t)
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+########################################
+#
+# HPLIP local policy
+#
+
+# Needed for USB Scanneer and xsane
+allow hplip_t self:capability { dac_override dac_read_search net_raw };
+dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:fifo_file rw_fifo_file_perms;
+allow hplip_t self:process signal_perms;
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
+allow hplip_t self:tcp_socket create_stream_socket_perms;
+allow hplip_t self:udp_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
+
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
+
+cups_stream_connect(hplip_t)
+
+allow hplip_t hplip_etc_t:dir list_dir_perms;
+read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+files_search_etc(hplip_t)
+
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
+manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+
+kernel_read_system_state(hplip_t)
+kernel_read_kernel_sysctls(hplip_t)
+
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
+corenet_tcp_sendrecv_generic_if(hplip_t)
+corenet_udp_sendrecv_generic_if(hplip_t)
+corenet_raw_sendrecv_generic_if(hplip_t)
+corenet_tcp_sendrecv_generic_node(hplip_t)
+corenet_udp_sendrecv_generic_node(hplip_t)
+corenet_raw_sendrecv_generic_node(hplip_t)
+corenet_tcp_sendrecv_all_ports(hplip_t)
+corenet_udp_sendrecv_all_ports(hplip_t)
+corenet_tcp_bind_generic_node(hplip_t)
+corenet_udp_bind_generic_node(hplip_t)
+corenet_tcp_bind_hplip_port(hplip_t)
+corenet_tcp_connect_hplip_port(hplip_t)
+corenet_tcp_connect_ipp_port(hplip_t)
+corenet_sendrecv_hplip_client_packets(hplip_t)
+corenet_receive_hplip_server_packets(hplip_t)
+corenet_udp_bind_howl_port(hplip_t)
+
+dev_read_sysfs(hplip_t)
+dev_rw_printer(hplip_t)
+dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
+dev_rw_generic_usb_dev(hplip_t)
+dev_rw_usbfs(hplip_t)
+
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
+# for python
+corecmd_exec_bin(hplip_t)
+
+domain_use_interactive_fds(hplip_t)
+
+files_read_etc_files(hplip_t)
+files_read_etc_runtime_files(hplip_t)
+files_read_usr_files(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
+
+miscfiles_read_localization(hplip_t)
+
+sysnet_read_config(hplip_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+userdom_dontaudit_search_user_home_dirs(hplip_t)
+userdom_dontaudit_search_user_home_content(hplip_t)
+
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
+
+optional_policy(`
+ dbus_system_bus_client(hplip_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hplip_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(hplip_t)
+')
+
+optional_policy(`
+ udev_read_db(hplip_t)
+')
+
+########################################
+#
+# PTAL local policy
+#
+
+allow ptal_t self:capability { chown sys_rawio };
+dontaudit ptal_t self:capability sys_tty_config;
+allow ptal_t self:fifo_file rw_fifo_file_perms;
+allow ptal_t self:unix_dgram_socket create_socket_perms;
+allow ptal_t self:unix_stream_socket create_stream_socket_perms;
+allow ptal_t self:tcp_socket create_stream_socket_perms;
+
+allow ptal_t ptal_etc_t:dir list_dir_perms;
+read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
+files_search_etc(ptal_t)
+
+manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
+files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ptal_t)
+kernel_list_proc(ptal_t)
+kernel_read_proc_symlinks(ptal_t)
+
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
+corenet_tcp_sendrecv_generic_if(ptal_t)
+corenet_tcp_sendrecv_generic_node(ptal_t)
+corenet_tcp_sendrecv_all_ports(ptal_t)
+corenet_tcp_bind_generic_node(ptal_t)
+corenet_tcp_bind_ptal_port(ptal_t)
+
+dev_read_sysfs(ptal_t)
+dev_read_usbfs(ptal_t)
+dev_rw_printer(ptal_t)
+
+fs_getattr_all_fs(ptal_t)
+fs_search_auto_mountpoints(ptal_t)
+
+domain_use_interactive_fds(ptal_t)
+
+files_read_etc_files(ptal_t)
+files_read_etc_runtime_files(ptal_t)
+
+logging_send_syslog_msg(ptal_t)
+
+miscfiles_read_localization(ptal_t)
+
+sysnet_read_config(ptal_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+userdom_dontaudit_search_user_home_content(ptal_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ptal_t)
+')
+
+optional_policy(`
+ udev_read_db(ptal_t)
+')
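Review bot: The cupsd_t capability rule at the top of the "Cups local policy" section lists `dac_override` twice and allows `sys_tty_config` while the very next line dontaudits the same capability, so that half of the dontaudit is dead; I would write `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_rawio sys_resource sys_tty_config };` followed by `dontaudit cupsd_t self:capability net_admin;`. Two smaller consistency points in the cupsd_config_t section: `rpm_read_db(cupsd_config_t)` is granted both inside the `distro_redhat` block and again unconditionally a few lines later, so one of them can go, and `hal_dontaudit_use_fds(hplip_t)` sits inside a cupsd_config_t optional block although it applies to hplip_t and belongs with the HPLIP rules further down. Finally, `sys_admin` and `sys_rawio` plus `corenet_tcp_connect_all_ports` are a wide grant for a daemon that binds the IPP port, and the only justification visible is the `(?!)` comment about the serial backend; a one-line comment naming the concrete backend operations that need each of those two capabilities would make later tightening possible.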
diff --git a/policy/modules/contrib/cvs.fc b/policy/modules/contrib/cvs.fc
new file mode 100644
index 00000000..48a30de1
--- /dev/null
+++ b/policy/modules/contrib/cvs.fc
@@ -0,0 +1,10 @@
+
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
new file mode 100644
index 00000000..c43ff4c1
--- /dev/null
+++ b/policy/modules/contrib/cvs.if
@@ -0,0 +1,82 @@
+## <summary>Concurrent versions system</summary>
+
+########################################
+## <summary>
+## Read the CVS data and metadata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_read_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute cvs
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cvs_exec',`
+ gen_require(`
+ type cvs_exec_t;
+ ')
+
+ can_exec($1, cvs_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cvs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cvs domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t;
+ type cvs_data_t, cvs_var_run_t;
+ type cvs_initrc_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cvs_t)
+
+ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cvs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cvs_tmp_t)
+
+ admin_pattern($1, cvs_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
+')
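Review bot: The comment above the `init_labeled_script_domtrans` call in cvs_admin, `# Allow cvs_t to restart the apache service`, is wrong on both counts: the rule lets the admin domain `$1` (not cvs_t) execute the cvs init script labelled cvs_initrc_exec_t, and it has nothing to do with apache, so it looks like a copy-paste leftover. Replace it with `# Allow the admin domain to run the cvs init script` or drop it, since the following `role_transition` line already makes the intent clear. The interface summary also reads "an cvs environment"; "a cvs environment" is the intended wording.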
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
new file mode 100644
index 00000000..88e7e97f
--- /dev/null
+++ b/policy/modules/contrib/cvs.te
@@ -0,0 +1,115 @@
+policy_module(cvs, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_cvs_read_shadow, false)
+
+type cvs_t;
+type cvs_exec_t;
+inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+application_executable_file(cvs_exec_t)
+role system_r types cvs_t;
+
+type cvs_data_t; # customizable
+files_type(cvs_data_t)
+
+type cvs_initrc_exec_t;
+init_script_file(cvs_initrc_exec_t)
+
+type cvs_tmp_t;
+files_tmp_file(cvs_tmp_t)
+
+type cvs_var_run_t;
+files_pid_file(cvs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cvs_t self:process signal_perms;
+allow cvs_t self:fifo_file rw_fifo_file_perms;
+allow cvs_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cvs_t self:capability { setuid setgid };
+
+manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+
+manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
+
+manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
+files_pid_filetrans(cvs_t, cvs_var_run_t, file)
+
+kernel_read_kernel_sysctls(cvs_t)
+kernel_read_system_state(cvs_t)
+kernel_read_network_state(cvs_t)
+
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+
+dev_read_urand(cvs_t)
+
+fs_getattr_xattr_fs(cvs_t)
+
+auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
+
+corecmd_exec_bin(cvs_t)
+corecmd_exec_shell(cvs_t)
+
+files_read_etc_files(cvs_t)
+files_read_etc_runtime_files(cvs_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(cvs_t)
+
+logging_send_syslog_msg(cvs_t)
+logging_send_audit_msgs(cvs_t)
+
+miscfiles_read_localization(cvs_t)
+
+mta_send_mail(cvs_t)
+
+# cjp: typeattribute doesnt work in conditionals yet
+auth_can_read_shadow_passwords(cvs_t)
+tunable_policy(`allow_cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(cvs, cvs_t)
+ kerberos_read_config(cvs_t)
+ kerberos_dontaudit_write_config(cvs_t)
+')
+
+########################################
+#
+# CVSWeb policy
+#
+
+optional_policy(`
+ apache_content_template(cvs)
+
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')
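Review bot: Inside the `allow_cvs_read_shadow` tunable the domain is given `allow cvs_t self:capability dac_override;`, but reading a root-owned mode-0600 /etc/shadow only needs to bypass the read/search check, which is what `dac_read_search` covers; `dac_override` additionally bypasses write permission checks, which is more than a password lookup requires for a network-facing inetd pserver domain that can also run `corecmd_exec_bin`/`corecmd_exec_shell`. I would change that line to `allow cvs_t self:capability dac_read_search;` unless a specific cvs code path is known to need the write side, in which case a comment saying so would be warranted. Separately, `auth_can_read_shadow_passwords(cvs_t)` is applied unconditionally above the tunable block (the comment explains why); a short note that the actual file access is still gated by `auth_tunable_read_shadow` inside the tunable would save the next reader from assuming the boolean is ineffective.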
diff --git a/policy/modules/contrib/cyphesis.fc b/policy/modules/contrib/cyphesis.fc
new file mode 100644
index 00000000..c47a7722
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.fc
@@ -0,0 +1,5 @@
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
new file mode 100644
index 00000000..9d445386
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.if
@@ -0,0 +1,19 @@
+## <summary>Cyphesis WorldForge game server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cyphesis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cyphesis_domtrans',`
+ gen_require(`
+ type cyphesis_t, cyphesis_exec_t;
+ ')
+
+ domtrans_pattern($1, cyphesis_exec_t, cyphesis_t)
+')
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
new file mode 100644
index 00000000..25897c94
--- /dev/null
+++ b/policy/modules/contrib/cyphesis.te
@@ -0,0 +1,85 @@
+policy_module(cyphesis, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyphesis_t;
+type cyphesis_exec_t;
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
+
+type cyphesis_log_t;
+logging_log_file(cyphesis_log_t)
+
+type cyphesis_tmp_t;
+files_tmp_file(cyphesis_tmp_t)
+
+type cyphesis_var_run_t;
+files_pid_file(cyphesis_var_run_t)
+
+########################################
+#
+# cyphesis local policy
+#
+
+allow cyphesis_t self:process { setfscreate setsched signal };
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
+allow cyphesis_t self:tcp_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
+
+# DAN > Does cyphesis really create a sock_file in /tmp? Why?
+allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
+
+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(cyphesis_t)
+kernel_read_kernel_sysctls(cyphesis_t)
+
+# DAN> What is cyphesis looking for in /bin?
+corecmd_search_bin(cyphesis_t)
+corecmd_getattr_bin_files(cyphesis_t)
+
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_sendrecv_generic_if(cyphesis_t)
+corenet_tcp_sendrecv_generic_node(cyphesis_t)
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
+corenet_tcp_bind_generic_node(cyphesis_t)
+corenet_tcp_bind_cyphesis_port(cyphesis_t)
+corenet_sendrecv_cyphesis_server_packets(cyphesis_t)
+
+dev_read_urand(cyphesis_t)
+
+# Init script handling
+domain_use_interactive_fds(cyphesis_t)
+
+files_read_etc_files(cyphesis_t)
+files_read_usr_files(cyphesis_t)
+
+logging_send_syslog_msg(cyphesis_t)
+
+miscfiles_read_localization(cyphesis_t)
+
+sysnet_dns_name_resolve(cyphesis_t)
+
+# cyphesis wants to talk to avahi via dbus
+optional_policy(`
+ avahi_dbus_chat(cyphesis_t)
+ dbus_system_bus_client(cyphesis_t)
+')
+
+optional_policy(`
+ kerberos_use(cyphesis_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(cyphesis_t)
+')
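Review bot: The tmp rules for cyphesis_t are inconsistent with each other: the domain is allowed `manage_sock_file_perms` on cyphesis_tmp_t, but the type transition `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)` is declared for the `file` class only, so a socket created in /tmp would not receive the cyphesis_tmp_t label and the sock_file permission never applies, while a regular file created there would be labelled cyphesis_tmp_t without any `file` permission on that type to back it. If the socket really is the intent (the `DAN >` comment above asks exactly that), I would use `manage_sock_files_pattern(cyphesis_t, cyphesis_tmp_t, cyphesis_tmp_t)` and `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, sock_file)`; if plain files are also needed, add `{ file sock_file }` to the transition and the matching `manage_files_pattern`. A brief why-comment on `setfscreate` in the self:process rule would also help, since it lets the daemon pick the label of objects it creates and is not obviously required by a game server.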
diff --git a/policy/modules/contrib/cyrus.fc b/policy/modules/contrib/cyrus.fc
new file mode 100644
index 00000000..25546bca
--- /dev/null
+++ b/policy/modules/contrib/cyrus.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
+
+/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
+/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
new file mode 100644
index 00000000..e4e86d0a
--- /dev/null
+++ b/policy/modules/contrib/cyrus.if
@@ -0,0 +1,81 @@
+## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
+
+########################################
+## <summary>
+## Allow caller to create, read, write,
+## and delete cyrus data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_manage_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to Cyrus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+ gen_require(`
+ type cyrus_t, cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cyrus environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cyrus domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyrus_admin',`
+ gen_require(`
+ type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+ allow $1 cyrus_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cyrus_t)
+
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cyrus_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cyrus_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cyrus_var_run_t)
+')
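Review bot: The rendered documentation of `cyrus_admin` carries a grammatical slip in its summary block, `## an cyrus environment`, which should read `## a cyrus environment`. The summary of `cyrus_stream_connect` could also say where the socket lives, since the interface searches var_lib and expects the socket to be labelled cyrus_var_lib_t: `## Connect to Cyrus using a unix domain stream socket under /var/lib/imap.` Neither change touches policy.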
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
new file mode 100644
index 00000000..2ced0233
--- /dev/null
+++ b/policy/modules/contrib/cyrus.te
@@ -0,0 +1,145 @@
+policy_module(cyrus, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t, cyrus_exec_t)
+
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_fifo_file_perms;
+allow cyrus_t self:sock_file read_sock_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
+
+manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)
+
+manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
+files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctls(cyrus_t)
+
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
+corenet_tcp_sendrecv_generic_if(cyrus_t)
+corenet_udp_sendrecv_generic_if(cyrus_t)
+corenet_tcp_sendrecv_generic_node(cyrus_t)
+corenet_udp_sendrecv_generic_node(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_lmtp_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_bind_sieve_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+corenet_sendrecv_mail_server_packets(cyrus_t)
+corenet_sendrecv_pop_server_packets(cyrus_t)
+corenet_sendrecv_lmtp_server_packets(cyrus_t)
+corenet_sendrecv_all_client_packets(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_interactive_fds(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
+
+auth_use_nsswitch(cyrus_t)
+
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_use_unpriv_users_fds(cyrus_t)
+userdom_dontaudit_search_user_home_dirs(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)
+
+optional_policy(`
+ cron_system_entry(cyrus_t, cyrus_exec_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(cyrus, cyrus_t)
+')
+
+optional_policy(`
+ ldap_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ sasl_connect(cyrus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+ udev_read_db(cyrus_t)
+')
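Review bot: `files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)` at the end of the cyrus_var_lib_t rules is a misplaced duplicate of the `{ file sock_file }` pid transition four lines below and can be dropped; if a transition into cyrus_var_lib_t was meant there, it needs the var_lib variant rather than a pid one. The process rule `allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is immediately followed by `allow cyrus_t self:process setrlimit;`, so setrlimit is excluded and re-granted in consecutive lines; a complement also silently grants every permission later added to the process class, so an explicit list of the permissions cyrus actually needs would be both clearer and tighter. `kernel_read_all_sysctls(cyrus_t)` already subsumes `kernel_read_kernel_sysctls(cyrus_t)` two lines above it.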
diff --git a/policy/modules/contrib/daemontools.fc b/policy/modules/contrib/daemontools.fc
new file mode 100644
index 00000000..26df050b
--- /dev/null
+++ b/policy/modules/contrib/daemontools.fc
@@ -0,0 +1,53 @@
+#
+# /service
+#
+
+/service -d gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
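Review bot: The entry `/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)` has no file-type specifier and a trailing wildcard, so any entry whose name merely begins with "run" (directories included) under a service tree is labelled as an entry point for svc_run_t, unlike the `/var/axfrdns/run --` style used for the other trees. If the intent is only the run script and run-suffixed scripts, `-- ` plus a tighter pattern would keep stray files out of the executable type. This is the only path in the file with that shape, which suggests it was not deliberate.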
diff --git a/policy/modules/contrib/daemontools.if b/policy/modules/contrib/daemontools.if
new file mode 100644
index 00000000..ce3e6761
--- /dev/null
+++ b/policy/modules/contrib/daemontools.if
@@ -0,0 +1,212 @@
+## <summary>Collection of tools for managing UNIX services</summary>
+## <desc>
+## <p>
+## Policy for DJB's daemontools
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## An ipc channel between the supervised domain and svc_start_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_ipc_domain',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ allow $1 svc_start_t:process sigchld;
+ allow $1 svc_start_t:fd use;
+ allow $1 svc_start_t:fifo_file { read write getattr };
+ allow svc_start_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Define a specified domain as a supervised service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`daemontools_service_domain',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ domain_auto_trans(svc_run_t, $2, $1)
+ daemontools_ipc_domain($1)
+
+ allow svc_run_t $1:process signal;
+ allow $1 svc_run_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute in the svc_start_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_start',`
+ gen_require(`
+ type svc_start_t, svc_start_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
+')
+
+######################################
+## <summary>
+## Execute svc_start in the svc_start domain, and
+## allow the specified role the svc_start domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the svc_start domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemonstools_run_start',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ daemontools_domtrans_start($1)
+ role $2 types svc_start_t;
+')
+
+########################################
+## <summary>
+## Execute in the svc_run_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_run',`
+ gen_require(`
+ type svc_run_t, svc_run_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_run_exec_t, svc_run_t)
+')
+
+######################################
+## <summary>
+## Send a SIGCHLD signal to svc_run domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_sigchld_run',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ allow $1 svc_run_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute in the svc_multilog_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`daemontools_domtrans_multilog',`
+ gen_require(`
+ type svc_multilog_t, svc_multilog_exec_t;
+ ')
+
+ domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
+')
+
+######################################
+## <summary>
+## Search svc_svc_t directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_search_svc_dir',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to read svc_svc_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemontools_read_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir list_dir_perms;
+ allow $1 svc_svc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to create svc_svc_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemontools_manage_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir manage_dir_perms;
+ allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+')
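Review bot: The interface declared as `interface(`daemonstools_run_start',` is misspelled — every other interface in this file is prefixed `daemontools_`, so a module calling `daemontools_run_start(...)` fails at build time with an undefined macro; it should read `interface(`daemontools_run_start',`. As a style point, `daemontools_ipc_domain` spells out `{ read write getattr }` on the fifo_file where the rest of the file uses named permission sets; `rw_fifo_file_perms` is the conventional form, though it also adds open/append/ioctl/lock, so that is a small broadening to decide on rather than a pure rename. `daemontools_manage_svc` similarly grants `lnk_file { read create }`, an unusual pair that would benefit from a comment saying which link the supervisor creates.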
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
new file mode 100644
index 00000000..dcc5f1c3
--- /dev/null
+++ b/policy/modules/contrib/daemontools.te
@@ -0,0 +1,118 @@
+policy_module(daemontools, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_config_file(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+application_domain(svc_multilog_t, svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+application_domain(svc_run_t, svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t, svc_start_exec_t)
+init_system_domain(svc_start_t, svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+
+init_use_fds(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_fifo_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir list_dir_perms;
+allow svc_run_t svc_conf_t:file read_file_perms;
+
+can_exec(svc_run_t, svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+dev_read_urand(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fds(svc_run_t)
+init_use_fds(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+optional_policy(`
+ qmail_read_config(svc_run_t)
+')
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process { signal setrlimit };
+
+allow svc_start_t self:fifo_file rw_fifo_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:tcp_socket create_stream_socket_perms;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t, svc_start_exec_t)
+
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
+
+logging_send_syslog_msg(svc_start_t)
+
+miscfiles_read_localization(svc_start_t)
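Review bot: `svc_log_t` is declared in the Declarations block and the .fc labels `/var/service/.*/log/main(/.*)?` with it, but no rule in this file lets `svc_multilog_t` touch `svc_log_t`; multilog instead receives `logging_manage_generic_logs`, which lets it create and delete every generic log on the system. Unless another module grants it, multilog will be denied on its own labelled log directory and the dedicated type does nothing. `manage_dirs_pattern(svc_multilog_t, svc_log_t, svc_log_t)` and `manage_files_pattern(svc_multilog_t, svc_log_t, svc_log_t)` give it the access the label was created for, after which the generic-logs grant can be narrowed or kept with a comment naming the paths that still need it.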
diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc
new file mode 100644
index 00000000..139171dc
--- /dev/null
+++ b/policy/modules/contrib/dante.fc
@@ -0,0 +1,6 @@
+
+/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+
+/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
+/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
new file mode 100644
index 00000000..704661c6
--- /dev/null
+++ b/policy/modules/contrib/dante.if
@@ -0,0 +1 @@
+## <summary>Dante msproxy and socks4/5 proxy server</summary>
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
new file mode 100644
index 00000000..9636326b
--- /dev/null
+++ b/policy/modules/contrib/dante.te
@@ -0,0 +1,78 @@
+policy_module(dante, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type dante_t;
+type dante_exec_t;
+init_daemon_domain(dante_t, dante_exec_t)
+
+type dante_conf_t;
+files_type(dante_conf_t)
+
+type dante_var_run_t;
+files_pid_file(dante_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dante_t self:capability { setuid setgid };
+dontaudit dante_t self:capability sys_tty_config;
+allow dante_t self:process signal_perms;
+allow dante_t self:fifo_file rw_fifo_file_perms;
+allow dante_t self:tcp_socket create_stream_socket_perms;
+allow dante_t self:udp_socket create_socket_perms;
+
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
+
+manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t)
+files_pid_filetrans(dante_t, dante_var_run_t, file)
+
+kernel_read_kernel_sysctls(dante_t)
+kernel_list_proc(dante_t)
+kernel_read_proc_symlinks(dante_t)
+
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
+corenet_tcp_sendrecv_generic_if(dante_t)
+corenet_udp_sendrecv_generic_if(dante_t)
+corenet_tcp_sendrecv_generic_node(dante_t)
+corenet_udp_sendrecv_generic_node(dante_t)
+corenet_tcp_sendrecv_all_ports(dante_t)
+corenet_udp_sendrecv_all_ports(dante_t)
+corenet_tcp_bind_generic_node(dante_t)
+corenet_tcp_bind_socks_port(dante_t)
+
+dev_read_sysfs(dante_t)
+
+domain_use_interactive_fds(dante_t)
+
+files_read_etc_files(dante_t)
+files_read_etc_runtime_files(dante_t)
+
+fs_getattr_all_fs(dante_t)
+fs_search_auto_mountpoints(dante_t)
+
+init_write_utmp(dante_t)
+
+logging_send_syslog_msg(dante_t)
+
+miscfiles_read_localization(dante_t)
+
+sysnet_read_config(dante_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dante_t)
+')
+
+optional_policy(`
+ udev_read_db(dante_t)
+')
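Review bot: `dante_t` is granted `corenet_tcp_bind_socks_port` and generic sendrecv, but no name_connect permission appears in this hunk, so unless it is granted elsewhere the proxy will be denied when it opens the outbound leg of a client request. For a SOCKS relay the destination is client-chosen, which makes `corenet_tcp_connect_all_ports(dante_t)` the realistic rule; a comment beside it, `# sockd relays to client-chosen destinations`, should record that the breadth is inherent to the service rather than an oversight. Separately, `dante_conf_t` is declared with `files_type` where the sibling daemontools module uses `files_config_file` for its configuration type.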
diff --git a/policy/modules/contrib/dbadm.fc b/policy/modules/contrib/dbadm.fc
new file mode 100644
index 00000000..e6aa2fba
--- /dev/null
+++ b/policy/modules/contrib/dbadm.fc
@@ -0,0 +1 @@
+# No dbadm file contexts
diff --git a/policy/modules/contrib/dbadm.if b/policy/modules/contrib/dbadm.if
new file mode 100644
index 00000000..56f2af74
--- /dev/null
+++ b/policy/modules/contrib/dbadm.if
@@ -0,0 +1,50 @@
+## <summary>Database administrator role</summary>
+
+########################################
+## <summary>
+## Change to the database administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change',`
+ gen_require(`
+ role dbadm_r;
+ ')
+
+ allow $1 dbadm_r;
+')
+
+########################################
+## <summary>
+## Change from the database administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the database administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change_to',`
+ gen_require(`
+ role dbadm_r;
+ ')
+
+ allow dbadm_r $1;
+')
diff --git a/policy/modules/contrib/dbadm.te b/policy/modules/contrib/dbadm.te
new file mode 100644
index 00000000..1875064e
--- /dev/null
+++ b/policy/modules/contrib/dbadm.te
@@ -0,0 +1,60 @@
+policy_module(dbadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
+role dbadm_r;
+
+userdom_base_user_template(dbadm)
+
+########################################
+#
+# database admin local policy
+#
+
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
+')
+
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+')
+
+optional_policy(`
+ mysql_admin(dbadm_t, dbadm_r)
+')
+
+optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+')
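Review bot: The line `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` carries no comment explaining why a database-administration role needs to bypass DAC and ptrace across users, and these are exactly the capabilities a later reviewer will want to remove first. A why-comment above it, e.g. `# dac_*: presumably to reach database files owned by the db user; sys_ptrace: presumably for the ptrace granted by mysql_admin/postgresql_admin below — confirm against audit logs`, would make the grant reviewable. The two tunables are documented; this capability line is the only undocumented privilege in the file.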
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
new file mode 100644
index 00000000..7af25903
--- /dev/null
+++ b/policy/modules/contrib/dbskk.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dbskk.if b/policy/modules/contrib/dbskk.if
new file mode 100644
index 00000000..9e710048
--- /dev/null
+++ b/policy/modules/contrib/dbskk.if
@@ -0,0 +1 @@
+## <summary>Dictionary server for the SKK Japanese input method system.</summary>
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
new file mode 100644
index 00000000..1445f97d
--- /dev/null
+++ b/policy/modules/contrib/dbskk.te
@@ -0,0 +1,69 @@
+policy_module(dbskk, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type dbskkd_t;
+type dbskkd_exec_t;
+inetd_service_domain(dbskkd_t, dbskkd_exec_t)
+role system_r types dbskkd_t;
+
+type dbskkd_tmp_t;
+files_tmp_file(dbskkd_tmp_t)
+
+type dbskkd_var_run_t;
+files_pid_file(dbskkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dbskkd_t self:process signal_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
+allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow dbskkd_t self:capability { setuid setgid };
+files_search_home(dbskkd_t)
+optional_policy(`
+ kerberos_use(dbskkd_t)
+')
+#end for identd
+
+manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
+
+manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(dbskkd_t)
+kernel_read_system_state(dbskkd_t)
+kernel_read_network_state(dbskkd_t)
+
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
+corenet_tcp_sendrecv_generic_if(dbskkd_t)
+corenet_udp_sendrecv_generic_if(dbskkd_t)
+corenet_tcp_sendrecv_generic_node(dbskkd_t)
+corenet_udp_sendrecv_generic_node(dbskkd_t)
+corenet_tcp_sendrecv_all_ports(dbskkd_t)
+corenet_udp_sendrecv_all_ports(dbskkd_t)
+
+dev_read_urand(dbskkd_t)
+
+fs_getattr_xattr_fs(dbskkd_t)
+
+files_read_etc_files(dbskkd_t)
+
+auth_use_nsswitch(dbskkd_t)
+
+logging_send_syslog_msg(dbskkd_t)
+
+miscfiles_read_localization(dbskkd_t)
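Review bot: The block between `# for identd` and `#end for identd` grants `dbskkd_t` the `setuid`/`setgid` capabilities, a `netlink_tcpdiag_socket`, `files_search_home` and optional Kerberos use, and its own comment (`cjp: this should probably only be inetd_child rules?`) already doubts it belongs here. A dictionary server has no evident need for any of these; if they exist only to satisfy an inetd ident lookup they belong with the inetd child rules or behind the same optional guard as identd. The hunk should either drop them or replace the question with a statement of which denial they address, since as written they widen `dbskkd_t` beyond its purpose.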
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
new file mode 100644
index 00000000..68dd0068
--- /dev/null
+++ b/policy/modules/contrib/dbus.fc
@@ -0,0 +1,26 @@
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
new file mode 100644
index 00000000..57dd64bf
--- /dev/null
+++ b/policy/modules/contrib/dbus.if
@@ -0,0 +1,507 @@
+## <summary>Desktop messaging bus</summary>
+
+########################################
+## <summary>
+## DBUS stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for dbus
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ ')
+
+ ##############################
+ #
+ # Delcarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+ dontaudit $1_dbusd_t self:process ptrace;
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+ manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
+
+ corecmd_list_bin($1_dbusd_t)
+ corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_files($1_dbusd_t)
+ corecmd_read_bin_pipes($1_dbusd_t)
+ corecmd_read_bin_sockets($1_dbusd_t)
+
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_generic_node($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+ dev_read_urand($1_dbusd_t)
+
+ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+ files_list_home($1_dbusd_t)
+ files_read_usr_files($1_dbusd_t)
+ files_dontaudit_search_var($1_dbusd_t)
+
+ fs_getattr_romfs($1_dbusd_t)
+ fs_getattr_xattr_fs($1_dbusd_t)
+ fs_list_inotifyfs($1_dbusd_t)
+ fs_dontaudit_list_nfs($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+ selinux_validate_context($1_dbusd_t)
+ selinux_compute_access_vector($1_dbusd_t)
+ selinux_compute_create_context($1_dbusd_t)
+ selinux_compute_relabel_context($1_dbusd_t)
+ selinux_compute_user_contexts($1_dbusd_t)
+
+ auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
+
+ logging_send_audit_msgs($1_dbusd_t)
+ logging_send_syslog_msg($1_dbusd_t)
+
+ miscfiles_read_localization($1_dbusd_t)
+
+ seutil_read_config($1_dbusd_t)
+ seutil_read_default_contexts($1_dbusd_t)
+
+ term_use_all_terms($1_dbusd_t)
+
+ userdom_read_user_home_content_files($1_dbusd_t)
+
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xdg_read_generic_data_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ # For connecting to the bus
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+ dbus_read_config($1)
+')
+
+#######################################
+## <summary>
+## Template for creating connections to
+## a user DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+ dontaudit $1 session_bus_type:fd use;
+')
+
+########################################
+## <summary>
+## Send a message the session DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read dbus configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Allow a application domain to be started
+## by the session dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an
+## entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_session_bus_client($1)
+ dbus_connect_session_bus($1)
+')
+
+########################################
+## <summary>
+## Connect to the system DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Send a message on the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+
+ allow $1 system_dbusd_t:dbus *;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Dontaudit Read, and write system dbus TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
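Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` (L20860-L20867) is named and documented as a dontaudit interface but emits `allow` rules, so any caller silently gains read/write on the system bus's TCP sockets and fd use instead of merely suppressing denials; the body should be `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and `dontaudit $1 system_dbusd_t:fd use;`, or the interface renamed to reflect what it grants. The `gen_require` of `dbus_system_bus_client` lists `system_dbusd_t` twice (L20564), and the summary of `dbus_connect_session_bus` (L20687-L20688) says "system DBUS" although the rule targets `session_bus_type`, so it should read "Connect to the session DBUS for service (acquire_svc)." The heading comment in `dbus_role_template` spells "Delcarations" (L20429).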
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
new file mode 100644
index 00000000..ea3d8d26
--- /dev/null
+++ b/policy/modules/contrib/dbus.te
@@ -0,0 +1,161 @@
+policy_module(dbus, 1.16.0)
+
+gen_require(`
+ class dbus all_dbus_perms;
+')
+
+##############################
+#
+# Delcarations
+#
+
+attribute dbusd_unconfined;
+attribute session_bus_type;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+userdom_user_tmp_file(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
+
+type system_dbusd_tmp_t;
+files_tmp_file(system_dbusd_tmp_t)
+
+type system_dbusd_var_lib_t;
+files_type(system_dbusd_var_lib_t)
+
+type system_dbusd_var_run_t;
+files_pid_file(system_dbusd_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+')
+
+##############################
+#
+# System bus local policy
+#
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+dontaudit system_dbusd_t self:capability sys_tty_config;
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+allow system_dbusd_t self:dbus { send_msg acquire_svc };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
+allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
+can_exec(system_dbusd_t, dbusd_exec_t)
+
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+
+kernel_read_system_state(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
+
+dev_read_urand(system_dbusd_t)
+dev_read_sysfs(system_dbusd_t)
+
+fs_getattr_all_fs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_search_auto_mountpoints(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
+
+mls_fd_use_all_levels(system_dbusd_t)
+mls_rangetrans_target(system_dbusd_t)
+mls_file_read_all_levels(system_dbusd_t)
+mls_socket_write_all_levels(system_dbusd_t)
+mls_socket_read_to_clearance(system_dbusd_t)
+mls_dbus_recv_all_levels(system_dbusd_t)
+
+selinux_get_fs_mount(system_dbusd_t)
+selinux_validate_context(system_dbusd_t)
+selinux_compute_access_vector(system_dbusd_t)
+selinux_compute_create_context(system_dbusd_t)
+selinux_compute_relabel_context(system_dbusd_t)
+selinux_compute_user_contexts(system_dbusd_t)
+
+term_dontaudit_use_console(system_dbusd_t)
+
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_read_etc_files(system_dbusd_t)
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+
+logging_send_audit_msgs(system_dbusd_t)
+logging_send_syslog_msg(system_dbusd_t)
+
+miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
+
+seutil_read_config(system_dbusd_t)
+seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+ udev_read_db(system_dbusd_t)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
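Review bot: The permission set on L20950 lists `connectto` twice, `{ connectto create_stream_socket_perms connectto }`; it compiles but reads as if two different permissions were intended, so it should be `allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };`. The section heading on L20900 spells "Delcarations", the same typo as in dbus.if. Several of the broad grants here (`domain_read_all_domains_state`, `mls_file_read_all_levels`, `term_use_all_terms` in the role template) carry no comment on why the bus daemon needs them; a one-line why-comment per grant, in the style of the existing `# Receive notifications of policy reloads` note on L20952, would help the next reviewer judge whether they can be narrowed.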
diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
new file mode 100644
index 00000000..29773e72
--- /dev/null
+++ b/policy/modules/contrib/dcc.fc
@@ -0,0 +1,30 @@
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+
+/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
diff --git a/policy/modules/contrib/dcc.if b/policy/modules/contrib/dcc.if
new file mode 100644
index 00000000..784753e6
--- /dev/null
+++ b/policy/modules/contrib/dcc.if
@@ -0,0 +1,173 @@
+## <summary>Distributed checksum clearinghouse spam filtering</summary>
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_cdcc',`
+ gen_require(`
+ type cdcc_t, cdcc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cdcc_exec_t, cdcc_t)
+')
+
+########################################
+## <summary>
+## Execute cdcc in the cdcc domain, and
+## allow the specified role the cdcc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_cdcc',`
+ gen_require(`
+ type cdcc_t;
+ ')
+
+ dcc_domtrans_cdcc($1)
+ role $2 types cdcc_t;
+')
+
+########################################
+## <summary>
+## Execute dcc_client in the dcc_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_client',`
+ gen_require(`
+ type dcc_client_t, dcc_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
+')
+
+########################################
+## <summary>
+## Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute dcc_client in the dcc_client domain, and
+## allow the specified role the dcc_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ dcc_domtrans_client($1)
+ role $2 types dcc_client_t;
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dcc_domtrans_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t, dcc_dbclean_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
+')
+
+########################################
+## <summary>
+## Execute dbclean in the dcc_dbclean domain, and
+## allow the specified role the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dcc_run_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t;
+ ')
+
+ dcc_domtrans_dbclean($1)
+ role $2 types dcc_dbclean_t;
+')
+
+########################################
+## <summary>
+## Connect to dccifd over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_stream_connect_dccifd',`
+ gen_require(`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+ files_search_var($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+')
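Review bot: `dcc_stream_connect_dccifd` (L21260-L21267) only grants search on `dcc_var_t` directories and calls `files_search_var`, yet dcc.fc in this same commit labels the socket both at `/etc/dcc/dccifd` (L21060) and at `/var/run/dcc/dccifd` (L21083), whose parent `/var/run/dcc` is `dcc_var_run_t` (L21081); a client reaching the socket through the `/var/run` path would presumably be denied directory search. If the `/var/run/dcc` location is meant to be supported, the interface also needs `files_search_pids($1)` and a `stream_connect_pattern($1, dcc_var_run_t, dccifd_var_run_t, dccifd_t)` with `dcc_var_run_t` added to the `gen_require`; confirm which socket path the packaged daemon actually uses before widening it.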
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
new file mode 100644
index 00000000..51783373
--- /dev/null
+++ b/policy/modules/contrib/dcc.te
@@ -0,0 +1,404 @@
+policy_module(dcc, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type cdcc_t;
+type cdcc_exec_t;
+application_domain(cdcc_t, cdcc_exec_t)
+role system_r types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+application_domain(dcc_client_t, dcc_client_exec_t)
+role system_r types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
+role system_r types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t, dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t, dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t, dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc. For now this policy supports both directories being
+# writable.
+
+# cjp: dccifd and dccm should be merged, as
+# they have the same rules.
+
+########################################
+#
+# dcc daemon controller local policy
+#
+
+allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:unix_dgram_socket create_socket_perms;
+allow cdcc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
+files_read_etc_files(cdcc_t)
+files_read_etc_runtime_files(cdcc_t)
+
+auth_use_nsswitch(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+userdom_use_user_terminals(cdcc_t)
+
+########################################
+#
+# dcc procmail interface local policy
+#
+
+allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+allow dcc_client_t self:udp_socket create_socket_perms;
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+# Access files in /var/dcc. The map file can be updated
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_client_t)
+
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
+files_read_etc_files(dcc_client_t)
+files_read_etc_runtime_files(dcc_client_t)
+
+fs_getattr_all_fs(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+userdom_use_user_terminals(dcc_client_t)
+
+optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup tool local policy
+#
+
+allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
+allow dcc_dbclean_t self:udp_socket create_socket_perms;
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_dbclean_t)
+
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+files_read_etc_files(dcc_dbclean_t)
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+auth_use_nsswitch(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+userdom_use_user_terminals(dcc_dbclean_t)
+
+########################################
+#
+# Server daemon local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+allow dccd_t self:unix_stream_socket create_socket_perms;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow dccd_t self:udp_socket create_socket_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+# Runs the dbclean program
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+corecmd_search_bin(dccd_t)
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_generic_node(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_generic_node(dccd_t)
+corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_files(dccd_t)
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+auth_use_nsswitch(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+allow dccifd_t self:unix_dgram_socket create_socket_perms;
+allow dccifd_t self:udp_socket create_socket_perms;
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
+files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_files(dccifd_t)
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+auth_use_nsswitch(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+allow dccm_t self:unix_dgram_socket create_socket_perms;
+allow dccm_t self:udp_socket create_socket_perms;
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
+files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_files(dccm_t)
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+auth_use_nsswitch(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+ udev_read_db(dccm_t)
+')
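Review bot: `dcc_var_run_t` is declared with `files_type` (L21311-L21312) while dcc.fc labels `/var/run/dcc` with it (L21081) and `dccm_t` creates its runtime files beneath it (L21640); the sibling runtime types `dccd_var_run_t`, `dccifd_var_run_t` and `dccm_var_run_t` all use `files_pid_file`, so `files_pid_file(dcc_var_run_t)` would keep the declaration consistent and give the type the pid-file attribute that generic `/var/run` handling interfaces key on. The `net_admin` capability granted to `dccd_t` on L21480 is the strongest privilege in this module and has no comment explaining what the daemon does with it; a note such as `# net_admin: presumably for the netlink_route_socket queries below — confirm against audit logs` would record the reasoning and make it easier to drop later if unneeded. The existing `# cjp:` note on L21348-L21349 already flags that `dccifd_t` and `dccm_t` duplicate each other, which a later commit could address by folding both into one domain.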
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
new file mode 100644
index 00000000..083c1351
--- /dev/null
+++ b/policy/modules/contrib/ddclient.fc
@@ -0,0 +1,12 @@
+/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
new file mode 100644
index 00000000..0a1a61b3
--- /dev/null
+++ b/policy/modules/contrib/ddclient.if
@@ -0,0 +1,93 @@
+## <summary>Update dynamic IP address at DynDNS.org</summary>
+
+#######################################
+## <summary>
+## Execute ddclient in the ddclient domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddclient_domtrans',`
+ gen_require(`
+ type ddclient_t, ddclient_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
+')
+
+########################################
+## <summary>
+## Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+ gen_require(`
+ type ddclient_t;
+ ')
+
+ ddclient_domtrans($1)
+ role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ddclient environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ddclient domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+ type ddclient_var_t, ddclient_var_lib_t;
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ddclient_t)
+
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ddclient_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ddclient_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, ddclient_var_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ddclient_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ddclient_var_run_t)
+')
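Review bot: The summary of `ddclient_admin` reads `an ddclient environment`; the article should be `a`, and the same slip recurs in the admin interface headers of denyhosts.if, devicekit.if and dhcp.if in this commit. The one-word fix per file is `## a ddclient environment`. The rest of the interface, including `ddclient_domtrans` calling `corecmd_search_bin($1)` before the transition, is consistent with the pattern used by dhcpd_domtrans.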
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
new file mode 100644
index 00000000..24ba98a6
--- /dev/null
+++ b/policy/modules/contrib/ddclient.te
@@ -0,0 +1,108 @@
+policy_module(ddclient, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddclient_t;
+type ddclient_exec_t;
+init_daemon_domain(ddclient_t, ddclient_exec_t)
+
+type ddclient_etc_t;
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
+
+type ddclient_log_t;
+logging_log_file(ddclient_log_t)
+
+type ddclient_var_t;
+files_type(ddclient_var_t)
+
+type ddclient_var_lib_t;
+files_type(ddclient_var_lib_t)
+
+type ddclient_var_run_t;
+files_pid_file(ddclient_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit ddclient_t self:capability sys_tty_config;
+allow ddclient_t self:process signal_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+
+allow ddclient_t ddclient_etc_t:file read_file_perms;
+
+allow ddclient_t ddclient_log_t:file manage_file_perms;
+logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
+manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
+
+manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
+files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
+
+manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
+files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
+
+kernel_read_system_state(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_getattr_core_if(ddclient_t)
+kernel_getattr_message_if(ddclient_t)
+kernel_read_kernel_sysctls(ddclient_t)
+
+corecmd_exec_shell(ddclient_t)
+corecmd_exec_bin(ddclient_t)
+
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
+corenet_tcp_sendrecv_generic_if(ddclient_t)
+corenet_udp_sendrecv_generic_if(ddclient_t)
+corenet_tcp_sendrecv_generic_node(ddclient_t)
+corenet_udp_sendrecv_generic_node(ddclient_t)
+corenet_tcp_sendrecv_all_ports(ddclient_t)
+corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
+corenet_sendrecv_all_client_packets(ddclient_t)
+
+dev_read_sysfs(ddclient_t)
+dev_read_urand(ddclient_t)
+
+domain_use_interactive_fds(ddclient_t)
+
+files_read_etc_files(ddclient_t)
+files_read_etc_runtime_files(ddclient_t)
+files_read_usr_files(ddclient_t)
+
+fs_getattr_all_fs(ddclient_t)
+fs_search_auto_mountpoints(ddclient_t)
+
+logging_send_syslog_msg(ddclient_t)
+
+miscfiles_read_localization(ddclient_t)
+
+sysnet_exec_ifconfig(ddclient_t)
+sysnet_read_config(ddclient_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ddclient_t)
+')
+
+optional_policy(`
+ udev_read_db(ddclient_t)
+')
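Review bot: The second section banner, the comment block directly above `dontaudit ddclient_t self:capability sys_tty_config;`, repeats `# Declarations` although everything below it is access rules; it should read `# Local policy`, matching the banner used in ddcprobe.te and dhcp.te. Separately, `corenet_tcp_connect_all_ports(ddclient_t)` combined with `corecmd_exec_shell`/`corecmd_exec_bin` gives the update client outbound reach to every labelled port, which is presumably wider than the web update it performs; if the port set is known, narrowing to the specific port interface, or at least a comment stating why all ports are required, would make the grant reviewable.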
diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc
new file mode 100644
index 00000000..49e6a256
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/contrib/ddcprobe.if b/policy/modules/contrib/ddcprobe.if
new file mode 100644
index 00000000..9868652f
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.if
@@ -0,0 +1,45 @@
+## <summary>ddcprobe retrieves monitor and graphics card information</summary>
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddcprobe_domtrans',`
+ gen_require(`
+ type ddcprobe_t, ddcprobe_exec_t;
+ ')
+
+ domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
+')
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe domain, and
+## allow the specified role the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role to be authenticated for ddcprobe domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddcprobe_run',`
+ gen_require(`
+ type ddcprobe_t;
+ ')
+
+ ddcprobe_domtrans($1)
+ role $2 types ddcprobe_t;
+')
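Review bot: `ddcprobe_domtrans` calls `domtrans_pattern` without a preceding `corecmd_search_bin($1)`, whereas `ddclient_domtrans` and `dhcpd_domtrans` in this same commit include it; since ddcprobe.fc labels the binary under /usr/sbin, a caller lacking search on bin directories would be denied before reaching the transition. Adding `corecmd_search_bin($1)` as the first statement of the body would bring it in line with the others. Whether any current caller actually depends on it cannot be seen from this hunk, so confirm against the callers.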
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
new file mode 100644
index 00000000..5e062bc1
--- /dev/null
+++ b/policy/modules/contrib/ddcprobe.te
@@ -0,0 +1,51 @@
+policy_module(ddcprobe, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+application_domain(ddcprobe_t, ddcprobe_exec_t)
+role system_r types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+files_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_ttys(ddcprobe_t)
+term_use_all_ptys(ddcprobe_t)
+
+libs_read_lib_files(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_module_deps(ddcprobe_t)
+
+userdom_use_user_terminals(ddcprobe_t)
+userdom_use_all_users_fds(ddcprobe_t)
+
+#reh why? this does not seem even necessary to function properly
+kudzu_getattr_exec_files(ddcprobe_t)
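Review bot: The comment `#reh why? this does not seem even necessary to function properly` above `kudzu_getattr_exec_files(ddcprobe_t)` commits an unanswered question; either drop the rule if it is indeed not needed, or replace the comment with the reason it is kept. More importantly, `dev_read_raw_memory`/`dev_wx_raw_memory` together with `allow ddcprobe_t self:process execmem;` and the `sys_rawio sys_admin` capabilities form the most powerful grant in this file and carry no justification. A comment such as `# raw memory rw + execmem: presumably for the video BIOS probe — confirm still required` would let a later reviewer verify the need rather than re-derive it. `term_use_all_ttys`/`term_use_all_ptys` alongside `userdom_use_user_terminals` also overlap and are worth a second look.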
diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc
new file mode 100644
index 00000000..257fef60
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
new file mode 100644
index 00000000..567865f3
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.if
@@ -0,0 +1,85 @@
+## <summary>DenyHosts SSH dictionary attack mitigation</summary>
+## <desc>
+## <p>
+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+## Execute denyhost server in the denyhost domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an denyhosts environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms };
+ ps_process_pattern($1, denyhosts_t)
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
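Review bot: `denyhosts_admin` takes a `role` parameter and performs a `role_transition`, yet its header lacks the `<rolecap/>` tag that `ddclient_admin`, `devicekit_admin` and `dhcpd_admin` carry in this commit; add `## <rolecap/>` after the role parameter block so the interface documentation is generated consistently. The three `interface(` declarations in this file also put a space between the comma and the opening quote of the body, unlike every other .if file here; removing that space matches the project style. The summary text `an denyhosts environment` should read `a denyhosts environment`.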
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
new file mode 100644
index 00000000..8ba94250
--- /dev/null
+++ b/policy/modules/contrib/denyhosts.te
@@ -0,0 +1,72 @@
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
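Review bot: `corenet_tcp_bind_generic_node(denyhosts_t)` is granted but no `corenet_tcp_bind_*_port` rule accompanies it, so the daemon may bind to a node but to no labelled port; the only other network rule is the client-side `corenet_tcp_connect_smtp_port`, so either the bind rule is unneeded or a port rule is missing, and a comment stating which would settle it. The `# /var/log/secure` comment above `logging_read_generic_logs` is the right way to document a broad read grant; `sysnet_manage_config(denyhosts_t)` deserves the same treatment, e.g. `# presumably writes /etc/hosts.deny — confirm`, since as written it reads as write access to all network configuration.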
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
new file mode 100644
index 00000000..9af85c85
--- /dev/null
+++ b/policy/modules/contrib/devicekit.fc
@@ -0,0 +1,20 @@
+/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+')
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
new file mode 100644
index 00000000..f706b994
--- /dev/null
+++ b/policy/modules/contrib/devicekit.if
@@ -0,0 +1,185 @@
+## <summary>Devicekit modular hardware abstraction layer</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+')
+
+########################################
+## <summary>
+## Send to devicekit over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send signal devicekit power
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit power over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an devicekit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the devicekit domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_t)
+
+ allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+ files_search_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+ files_search_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+ files_search_pids($1)
+')
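Review bot: `devicekit_admin` documents a third parameter `terminal` (`The type of the user terminal.`) but its body references only `$1` and `$2`, so the documented parameter is never consumed; drop the `<param name="terminal">` block or add the rule that uses it. The `ptrace` permission granted to `$1` on all three devicekit domains follows the same pattern as the other admin interfaces in this commit, so no change is suggested there.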
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
new file mode 100644
index 00000000..1819518a
--- /dev/null
+++ b/policy/modules/contrib/devicekit.te
@@ -0,0 +1,284 @@
+policy_module(devicekit, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+########################################
+#
+# DeviceKit local policy
+#
+
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+
+kernel_read_system_state(devicekit_t)
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+########################################
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+corecmd_exec_bin(devicekit_disk_t)
+corecmd_exec_shell(devicekit_disk_t)
+corecmd_getattr_all_executables(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
+
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+
+fs_list_inotifyfs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+fs_search_all(devicekit_disk_t)
+
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(devicekit_disk_t)
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+')
+
+########################################
+#
+# DeviceKit-Power local policy
+#
+
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+dev_read_input(devicekit_power_t)
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_kernel_img(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+sysnet_read_config(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
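Review bot: The capability set on `allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };` and the corresponding `devicekit_power_t` line carry no per-capability justification, and `sys_ptrace` together with `domain_read_all_domains_state` and `userdom_read_all_users_state` lets each daemon inspect every process on the system. A short comment naming the operation behind each unusual capability (constructed example: `# sys_rawio: presumably raw block device access — confirm`) would make the grants auditable. `mls_file_read_all_levels`/`mls_file_write_to_clearance` on the disk daemon likewise deserve a comment, since they relax MLS constraints for that domain. Both sections are new, so this is the moment to record the rationale.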
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
new file mode 100644
index 00000000..767e0c79
--- /dev/null
+++ b/policy/modules/contrib/dhcp.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
new file mode 100644
index 00000000..5e2cea82
--- /dev/null
+++ b/policy/modules/contrib/dhcp.if
@@ -0,0 +1,99 @@
+## <summary>Dynamic host configuration protocol (DHCP) server</summary>
+
+########################################
+## <summary>
+## Transition to dhcpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the DCHP
+## server state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+ gen_require(`
+ type dhcpd_state_t;
+ ')
+
+ sysnet_search_dhcp_state($1)
+ allow $1 dhcpd_state_t:file setattr;
+')
+
+########################################
+## <summary>
+## Execute dhcp server in the dhcp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dhcp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dhcp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
+ allow $1 dhcpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dhcpd_t)
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dhcpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, dhcpd_tmp_t)
+
+ admin_pattern($1, dhcpd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
+')
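Review bot: `admin_pattern($1, dhcpd_state_t)` in `dhcpd_admin` is the only admin_pattern in the interface not preceded by a search or list rule for the parent directory; dhcp.fc places the state files under /var/lib, so unless the caller already has it, `files_search_var_lib($1)` (or `sysnet_search_dhcp_state($1)`, as `dhcpd_setattr_state_files` uses) is needed before it. Minor style: the gen_require line `type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;` should use the comma-separated form found everywhere else, and the header of `dhcpd_initrc_domtrans` ends with a doubled `#` line. `DCHP` in the setattr interface summary is a typo for `DHCP`.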
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
new file mode 100644
index 00000000..ddcac941
--- /dev/null
+++ b/policy/modules/contrib/dhcp.te
@@ -0,0 +1,135 @@
+policy_module(dhcp, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+## <desc>
+## <p>
+## Enable LDAP backend support for DHCP daemon.
+## </p>
+## </desc>
+gen_tunable(dhcp_use_ldap, false)
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dhcpd_t self:capability { net_raw sys_resource };
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t, dhcpd_exec_t)
+
+manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
+
+manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
+
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
+corenet_tcp_sendrecv_generic_if(dhcpd_t)
+corenet_udp_sendrecv_generic_if(dhcpd_t)
+corenet_raw_sendrecv_generic_if(dhcpd_t)
+corenet_tcp_sendrecv_generic_node(dhcpd_t)
+corenet_udp_sendrecv_generic_node(dhcpd_t)
+corenet_raw_sendrecv_generic_node(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t) # scanning available interfaces
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_sendrecv_all_client_packets(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+
+domain_use_interactive_fds(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+auth_use_nsswitch(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+tunable_policy(`dhcp_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+')
+
+optional_policy(`
+ # used for dynamic DNS
+ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`
+ udev_read_db(dhcpd_t)
+')
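Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` lets the DHCP server open TCP connections to any port on any host, unconditionally, even though the module already gates its LDAP backend behind the `dhcp_use_ldap` tunable and only hints at dynamic DNS via the `bind_read_dnssec_keys` optional block. A network-facing daemon that parses untrusted client packets should not be a general outbound TCP client; narrowing this to `corenet_tcp_connect_dns_port(dhcpd_t)` next to the DDNS comment, and leaving LDAP connectivity to `sysnet_use_ldap` inside the tunable, would keep the same functionality. If failover peers or other outbound uses exist they are not visible here, so add their specific port interfaces rather than the catch-all. A short comment stating why each outbound connect is needed would help future reviewers keep it narrow.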
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
new file mode 100644
index 00000000..54f88c87
--- /dev/null
+++ b/policy/modules/contrib/dictd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
+
+/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+
+/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
new file mode 100644
index 00000000..a0d23ce1
--- /dev/null
+++ b/policy/modules/contrib/dictd.if
@@ -0,0 +1,57 @@
+## <summary>Dictionary daemon</summary>
+
+########################################
+## <summary>
+## Use dictionary services by connecting
+## over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dictd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dictd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dictd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dictd_admin',`
+ gen_require(`
+ type dictd_t, dictd_etc_t, dictd_var_lib_t;
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+ allow $1 dictd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dictd_t)
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dictd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dictd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dictd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dictd_var_run_t)
+')
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
new file mode 100644
index 00000000..d2d93594
--- /dev/null
+++ b/policy/modules/contrib/dictd.te
@@ -0,0 +1,98 @@
+policy_module(dictd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type dictd_t;
+type dictd_exec_t;
+init_daemon_domain(dictd_t, dictd_exec_t)
+
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
+
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
+type dictd_var_lib_t alias var_lib_dictd_t;
+files_type(dictd_var_lib_t)
+
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dictd_t self:capability { setuid setgid };
+dontaudit dictd_t self:capability sys_tty_config;
+allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
+
+allow dictd_t dictd_etc_t:file read_file_perms;
+files_search_etc(dictd_t)
+
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
+
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
+kernel_read_system_state(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
+
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
+corenet_tcp_sendrecv_generic_if(dictd_t)
+corenet_raw_sendrecv_generic_if(dictd_t)
+corenet_udp_sendrecv_generic_if(dictd_t)
+corenet_tcp_sendrecv_generic_node(dictd_t)
+corenet_udp_sendrecv_generic_node(dictd_t)
+corenet_raw_sendrecv_generic_node(dictd_t)
+corenet_tcp_sendrecv_all_ports(dictd_t)
+corenet_udp_sendrecv_all_ports(dictd_t)
+corenet_tcp_bind_generic_node(dictd_t)
+corenet_tcp_bind_dict_port(dictd_t)
+corenet_sendrecv_dict_server_packets(dictd_t)
+
+dev_read_sysfs(dictd_t)
+
+fs_getattr_xattr_fs(dictd_t)
+fs_search_auto_mountpoints(dictd_t)
+
+domain_use_interactive_fds(dictd_t)
+
+files_read_etc_files(dictd_t)
+files_read_etc_runtime_files(dictd_t)
+files_read_usr_files(dictd_t)
+files_search_var_lib(dictd_t)
+# for checking for nscd
+files_dontaudit_search_pids(dictd_t)
+
+logging_send_syslog_msg(dictd_t)
+
+miscfiles_read_localization(dictd_t)
+
+sysnet_read_config(dictd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+optional_policy(`
+ nis_use_ypbind(dictd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(dictd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+')
+
+optional_policy(`
+ udev_read_db(dictd_t)
+')
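Review bot: `corenet_raw_sendrecv_generic_if(dictd_t)` and `corenet_raw_sendrecv_generic_node(dictd_t)` grant raw-IP send/receive on interfaces and nodes, but the self rules above only allow `unix_stream_socket`, `tcp_socket` and `udp_socket`, with no `rawip_socket` permission, so the raw rules cannot be exercised by this domain. Either drop the two raw lines, or, if dictd really needs raw sockets, add `allow dictd_t self:rawip_socket create_socket_perms;` with a comment explaining why a dictionary server needs them. Dead allow rules widen the apparent attack surface and make later audits harder.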
diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc
new file mode 100644
index 00000000..6ce6b006
--- /dev/null
+++ b/policy/modules/contrib/distcc.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
new file mode 100644
index 00000000..926e9595
--- /dev/null
+++ b/policy/modules/contrib/distcc.if
@@ -0,0 +1 @@
+## <summary>Distributed compiler daemon</summary>
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
new file mode 100644
index 00000000..54d93e8f
--- /dev/null
+++ b/policy/modules/contrib/distcc.te
@@ -0,0 +1,93 @@
+policy_module(distcc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type distccd_t;
+type distccd_exec_t;
+init_daemon_domain(distccd_t, distccd_exec_t)
+
+type distccd_log_t;
+logging_log_file(distccd_log_t)
+
+type distccd_tmp_t;
+files_tmp_file(distccd_tmp_t)
+
+type distccd_var_run_t;
+files_pid_file(distccd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow distccd_t self:capability { setgid setuid };
+dontaudit distccd_t self:capability sys_tty_config;
+allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:fifo_file rw_fifo_file_perms;
+allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow distccd_t self:tcp_socket create_stream_socket_perms;
+allow distccd_t self:udp_socket create_socket_perms;
+
+allow distccd_t distccd_log_t:file manage_file_perms;
+logging_log_filetrans(distccd_t, distccd_log_t, file)
+
+manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
+
+manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t)
+files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+
+kernel_read_system_state(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
+
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
+corenet_tcp_sendrecv_generic_if(distccd_t)
+corenet_udp_sendrecv_generic_if(distccd_t)
+corenet_tcp_sendrecv_generic_node(distccd_t)
+corenet_udp_sendrecv_generic_node(distccd_t)
+corenet_tcp_sendrecv_all_ports(distccd_t)
+corenet_udp_sendrecv_all_ports(distccd_t)
+corenet_tcp_bind_generic_node(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
+corenet_sendrecv_distccd_server_packets(distccd_t)
+
+dev_read_sysfs(distccd_t)
+
+fs_getattr_all_fs(distccd_t)
+fs_search_auto_mountpoints(distccd_t)
+
+corecmd_exec_bin(distccd_t)
+corecmd_read_bin_symlinks(distccd_t)
+
+domain_use_interactive_fds(distccd_t)
+
+files_read_etc_files(distccd_t)
+files_read_etc_runtime_files(distccd_t)
+
+libs_exec_lib_files(distccd_t)
+
+logging_send_syslog_msg(distccd_t)
+
+miscfiles_read_localization(distccd_t)
+
+sysnet_read_config(distccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
+
+optional_policy(`
+ nis_use_ypbind(distccd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(distccd_t)
+')
+
+optional_policy(`
+ udev_read_db(distccd_t)
+')
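Review bot: `distccd_log_t` and `distccd_var_run_t` are declared here and only ever applied through `logging_log_filetrans` and `files_pid_filetrans`, but `distcc.fc` in this commit labels nothing except `/usr/bin/distccd`, so a relabel (e.g. `restorecon -R /var`) would revert the daemon's existing log and pid files to the generic `/var/log` and `/var/run` types and the `manage_files_pattern` rules on the private types would no longer apply to them. The fix belongs in distcc.fc: add entries for the log and pid paths the daemon actually writes, e.g. `/var/log/distccd\.log.* -- gen_context(system_u:object_r:distccd_log_t,s0)` and `/var/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0)`, with the exact paths confirmed against the package since they are not visible in this diff. Note also that this domain executes arbitrary `bin_t` and `lib_t` files (`corecmd_exec_bin`, `libs_exec_lib_files`) on input received over the network, so a comment recording that the compiler-invocation surface is intentional would be worthwhile.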
diff --git a/policy/modules/contrib/djbdns.fc b/policy/modules/contrib/djbdns.fc
new file mode 100644
index 00000000..fdb66525
--- /dev/null
+++ b/policy/modules/contrib/djbdns.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if
new file mode 100644
index 00000000..ade3079b
--- /dev/null
+++ b/policy/modules/contrib/djbdns.if
@@ -0,0 +1,90 @@
+## <summary>small and secure DNS daemon</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for djbdns
+## components that are directly supervised by daemontools.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+
+ type djbdns_$1_t;
+ type djbdns_$1_exec_t;
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:process signal;
+ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
+')
+
+#####################################
+## <summary>
+## Allow search the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_search_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key search;
+')
+
+#####################################
+## <summary>
+## Allow link to the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_link_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydn_t;
+ ')
+
+ allow $1 djbdns_tinydn_t:key link;
+')
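Review bot: `djbdns_link_tinydns_keys` requires and uses `djbdns_tinydn_t`, which is not declared anywhere in this module; the template instantiation `djbdns_daemontools_domain_template(tinydns)` in djbdns.te creates `djbdns_tinydns_t`. Any module that calls this interface will fail at policy build time on the unresolved type, so the two lines should read `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`, matching the sibling `djbdns_search_tinydns_keys` interface directly above.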
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
new file mode 100644
index 00000000..03b5286d
--- /dev/null
+++ b/policy/modules/contrib/djbdns.te
@@ -0,0 +1,49 @@
+policy_module(djbdns, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+
+type djbdns_axfrdns_conf_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+########################################
+#
+# Local policy for tinydns
+#
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
new file mode 100644
index 00000000..bf4321a1
--- /dev/null
+++ b/policy/modules/contrib/dkim.fc
@@ -0,0 +1,14 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
new file mode 100644
index 00000000..32d108ad
--- /dev/null
+++ b/policy/modules/contrib/dkim.if
@@ -0,0 +1 @@
+## <summary>DomainKeys Identified Mail milter.</summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
new file mode 100644
index 00000000..cc1199e1
--- /dev/null
+++ b/policy/modules/contrib/dkim.te
@@ -0,0 +1,33 @@
+policy_module(dkim, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(dkim)
+
+# Type for the private key of dkim-filter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dkim_milter_t self:capability { setgid setuid };
+allow dkim_milter_t self:process signal;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+
+files_read_etc_files(dkim_milter_t)
+files_search_spool(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
new file mode 100644
index 00000000..016e6b88
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/contrib/dmidecode.if b/policy/modules/contrib/dmidecode.if
new file mode 100644
index 00000000..4bf435c9
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.if
@@ -0,0 +1,50 @@
+## <summary>Decode DMI data for x86/ia64 bioses.</summary>
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dmidecode_domtrans',`
+ gen_require(`
+ type dmidecode_t, dmidecode_exec_t;
+ ')
+
+ domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
+
+ allow $1 dmidecode_t:fd use;
+ allow dmidecode_t $1:fd use;
+ allow dmidecode_t $1:fifo_file rw_file_perms;
+ allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode domain, and
+## allow the specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmidecode_run',`
+ gen_require(`
+ type dmidecode_t;
+ ')
+
+ dmidecode_domtrans($1)
+ role $2 types dmidecode_t;
+')
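Review bot: `dmidecode_domtrans` hand-rolls the transition with `domain_auto_trans` plus four manual fd/fifo/sigchld rules, whereas the other domtrans interfaces in this commit (`dhcpd_domtrans`, `dnsmasq_domtrans`) use the `domtrans_pattern` macro, and the fifo rule uses `rw_file_perms` rather than the fifo-specific `rw_fifo_file_perms`. Replacing the six lines of the body with `corecmd_search_bin($1)` and `domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)` gives the same transition with the standard permission set and keeps the contrib modules consistent. Given that the target domain gets raw `/dev/mem` access in dmidecode.te, having the entry path expressed in the audited standard macro is preferable to a bespoke rule set.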
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
new file mode 100644
index 00000000..d6356b53
--- /dev/null
+++ b/policy/modules/contrib/dmidecode.te
@@ -0,0 +1,30 @@
+policy_module(dmidecode, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+type dmidecode_exec_t;
+application_domain(dmidecode_t, dmidecode_exec_t)
+role system_r types dmidecode_t;
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+dev_read_sysfs(dmidecode_t)
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+mls_file_read_all_levels(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)
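Review bot: The combination of `allow dmidecode_t self:capability sys_rawio;`, `dev_read_raw_memory(dmidecode_t)` and `mls_file_read_all_levels(dmidecode_t)` makes this a domain that can read all physical memory regardless of MLS level, and the `dmidecode_run` interface hands that domain to any role a policy author names, yet nothing in the file says so. A comment above the `sys_rawio` line along the lines of `# dmidecode only needs the DMI/SMBIOS tables, but /dev/mem access cannot be scoped by policy: any role granted dmidecode_run can read arbitrary physical memory via this domain` would make the trade-off explicit for whoever wires up `dmidecode_run`. Likewise a one-line reason for `mls_file_read_all_levels` (presumably because /dev/mem carries the highest level) would help, hedged if the exact motivation is not known.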
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
new file mode 100644
index 00000000..b8866766
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -0,0 +1,12 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
+/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
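Review bot: The `/var/log/dnsmasq\.log` entry is the only single-file path in this block without the `--` regular-file specifier, so it matches any object class (symlink, directory, fifo) at that path, unlike the neighbouring `dnsmasq\.leases` and `dnsmasq\.pid` entries. It should read `/var/log/dnsmasq\.log -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)`; if rotated logs are meant to be covered as well, use `dnsmasq\.log.*` as dovecot.fc does in this same commit. The first entry also has a stray space in `gen_context(system_u:object_r:dnsmasq_etc_t, s0)` that the rest of the file avoids.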
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
new file mode 100644
index 00000000..9bd812b4
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.if
@@ -0,0 +1,211 @@
+## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+
+########################################
+## <summary>
+## Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+## <summary>
+## Execute the dnsmasq init script in the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send dnsmasq a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signal',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signal;
+')
+
+########################################
+## <summary>
+## Send dnsmasq a signull
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+## <summary>
+## Send dnsmasq a kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_kill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Read dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Delete dnsmasq pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## Read dnsmasq pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dnsmasq environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dnsmasq domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnsmasq_t)
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
+')
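Review bot: `dnsmasq_admin` omits `dnsmasq_etc_t` and `dnsmasq_var_log_t`, so a role granted this interface can restart the service and manage leases and pid files but cannot edit `/etc/dnsmasq.conf` or rotate `/var/log/dnsmasq.log`, unlike `dictd_admin` in this commit which covers its `dictd_etc_t`. Both types are declared in dnsmasq.te and labeled in dnsmasq.fc, so extending the `gen_require` block and adding `admin_pattern` rules for them (plus `files_list_etc($1)` and the logging module's `/var/log` listing interface) completes the administration set.

```selinux
interface(`dnsmasq_admin',`
	gen_require(`
		type dnsmasq_t, dnsmasq_etc_t, dnsmasq_lease_t;
		type dnsmasq_var_log_t, dnsmasq_var_run_t, dnsmasq_initrc_exec_t;
	')

	# … unchanged: process, init script and role rules …

	files_list_etc($1)
	admin_pattern($1, dnsmasq_etc_t)

	admin_pattern($1, dnsmasq_var_log_t)

	# … unchanged: lease and pid admin_pattern rules …
')
```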
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
new file mode 100644
index 00000000..fdaeebac
--- /dev/null
+++ b/policy/modules/contrib/dnsmasq.te
@@ -0,0 +1,117 @@
+policy_module(dnsmasq, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process { getcap setcap signal_perms };
+allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
+allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
+allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
+allow dnsmasq_t self:udp_socket create_socket_perms;
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+
+# dhcp leases
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
+
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_generic_node(dnsmasq_t)
+corenet_udp_sendrecv_generic_node(dnsmasq_t)
+corenet_raw_sendrecv_generic_node(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_tcp_bind_generic_node(dnsmasq_t)
+corenet_udp_bind_generic_node(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+auth_use_nsswitch(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+optional_policy(`
+ cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
+ udev_read_db(dnsmasq_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
+')
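Review bot: `corenet_udp_bind_all_ports(dnsmasq_t)` allows the daemon to bind every UDP port, reserved ones included, which lets a compromised dnsmasq squat on any other service's UDP port; the dhcp module in this same commit instead grants `corenet_udp_bind_all_unreserved_ports` plus the specific `dhcpd` and `pxe` port interfaces. Given the `corenet_tcp_bind_dns_port` rule and the `tftp_read_content` optional block, the needed set appears to be DNS, DHCP server and, if the built-in TFTP server is used, the TFTP port, so `corenet_udp_bind_dns_port(dnsmasq_t)`, `corenet_udp_bind_dhcpd_port(dnsmasq_t)` and the corresponding tftp port interface, with `corenet_udp_bind_all_unreserved_ports(dnsmasq_t)` only if unprivileged source ports are actually needed, would be a narrower equivalent. Which of these dnsmasq requires at runtime is not visible here, so confirm against the daemon before tightening. The hand-written `netlink_route_socket { bind create nlmsg_read read write }` could also use `r_netlink_socket_perms` as distcc.te does, for consistency.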
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
new file mode 100644
index 00000000..3a3ecb28
--- /dev/null
+++ b/policy/modules/contrib/dovecot.fc
@@ -0,0 +1,46 @@
+
+#
+# /etc
+#
+/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
+
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
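Review bot: `/usr/share/ssl/private/dovecot\.pem` and the whole of `/etc/pki/dovecot(/.*)?` are labeled `dovecot_cert_t`, the same type as the public certificate under `/usr/share/ssl/certs`, so any domain later granted read access to the certificate type also reads the TLS private key. The dkim module in this same commit separates its key material into a dedicated `dkim_milter_private_key_t`; a parallel private-key type here would let the public certificate be shared without exposing the key, with the `/etc/pki/dovecot` directory split by subpath if the distribution keeps certs and keys apart. Separately, the pattern `/etc/dovecot(/.*)?*` has a stray trailing `*` and should be `/etc/dovecot(/.*)?` like every other directory entry in the file.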
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
new file mode 100644
index 00000000..e1d7dc5a
--- /dev/null
+++ b/policy/modules/contrib/dovecot.if
@@ -0,0 +1,130 @@
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+########################################
+## <summary>
+## Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+## <summary>
+## Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dovecot spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_manage_spool',`
+ gen_require(`
+ type dovecot_spool_t;
+ ')
+
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to delete dovecot lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dovecot_dontaudit_unlink_lib_files',`
+ gen_require(`
+ type dovecot_var_lib_t;
+ ')
+
+ dontaudit $1 dovecot_var_lib_t:file unlink;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dovecot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dovecot domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
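Review bot: `dovecot_admin` requires `dovecot_log_t` in its gen_require and passes it to `admin_pattern`, but the dovecot.te hunk in this same commit only declares `dovecot_var_log_t` (no `dovecot_log_t` anywhere), so any module calling `dovecot_admin()` will fail at link time on an undeclared type. Change the require line to `type dovecot_t, dovecot_etc_t, dovecot_var_log_t;` and the later call to `admin_pattern($1, dovecot_var_log_t)`. The interface also grants nothing over `dovecot_tmp_t`, `dovecot_auth_tmp_t`, `dovecot_auth_t` or `dovecot_deliver_t`, so an administrator given this role cannot signal or inspect the auth and deliver children; confirm that is intended or extend the pattern to them.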
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
new file mode 100644
index 00000000..2df77662
--- /dev/null
+++ b/policy/modules/contrib/dovecot.te
@@ -0,0 +1,306 @@
+policy_module(dovecot, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+type dovecot_t;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
+
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_tmp_t;
+files_tmp_file(dovecot_tmp_t)
+
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+########################################
+#
+# dovecot local policy
+#
+
+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:file read_file_perms;
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
+# Allow dovecot to create and read SSL parameters file
+manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+
+kernel_read_kernel_sysctls(dovecot_t)
+kernel_read_system_state(dovecot_t)
+
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
+corenet_tcp_sendrecv_generic_if(dovecot_t)
+corenet_tcp_sendrecv_generic_node(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_generic_node(dovecot_t)
+corenet_tcp_bind_mail_port(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_bind_sieve_port(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+dev_read_sysfs(dovecot_t)
+dev_read_urand(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
+
+domain_use_interactive_fds(dovecot_t)
+
+files_read_etc_files(dovecot_t)
+files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
+files_dontaudit_list_default(dovecot_t)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+files_read_etc_runtime_files(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
+
+init_getattr_utmp(dovecot_t)
+
+auth_use_nsswitch(dovecot_t)
+
+logging_send_syslog_msg(dovecot_t)
+
+miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_localization(dovecot_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
+
+mta_manage_spool(dovecot_t)
+
+optional_policy(`
+ kerberos_keytab_template(dovecot, dovecot_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`
+ squid_dontaudit_search_cache(dovecot_t)
+')
+
+optional_policy(`
+ udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# dovecot auth local policy
+#
+
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+allow dovecot_auth_t self:process { signal_perms getcap setcap };
+allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
+
+kernel_read_all_sysctls(dovecot_auth_t)
+kernel_read_system_state(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
+dev_read_urand(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
+
+files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
+files_read_var_lib_files(dovecot_t)
+
+init_rw_utmp(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_auth_t)
+
+seutil_dontaudit_search_config(dovecot_auth_t)
+
+optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
+ userdom_list_user_tmp(dovecot_auth_t)
+ userdom_read_user_tmp_files(dovecot_auth_t)
+ userdom_read_user_tmp_symlinks(dovecot_auth_t)
+')
+
+optional_policy(`
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+logging_search_logs(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_stream_connect_auth(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
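Review bot: `corenet_tcp_connect_all_ports(dovecot_t)` in the dovecot_t network block lets the IMAP/POP server initiate TCP connections to every labelled port, which is broader than a mail server needs and makes the `corenet_tcp_connect_postgresql_port(dovecot_t)` on the next line redundant; prefer listing the specific `corenet_tcp_connect_*_port` interfaces the deployment uses (the postgresql one is already there) and dropping the all-ports rule so outbound connections from dovecot_t stay confined to its backends. Two rules also appear to be in the wrong section: `files_read_var_lib_files(dovecot_t)` sits in the dovecot_auth_t block and `logging_search_logs(dovecot_auth_t)` sits in the dovecot_deliver_t block; the latter is likely meant to be `logging_search_logs(dovecot_deliver_t)`, and the former belongs with the other dovecot_t rules if it is needed at all.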
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
new file mode 100644
index 00000000..6d0f9eea
--- /dev/null
+++ b/policy/modules/contrib/dpkg.fc
@@ -0,0 +1,12 @@
+# Debian package manager
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
new file mode 100644
index 00000000..4d32b425
--- /dev/null
+++ b/policy/modules/contrib/dpkg.if
@@ -0,0 +1,224 @@
+## <summary>Policy for the Debian package manager.</summary>
+# TODO: need debconf policy
+# TODO: need install-menu policy
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans',`
+ gen_require(`
+ type dpkg_t, dpkg_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dpkg_exec_t, dpkg_t)
+')
+
+########################################
+## <summary>
+## Execute dpkg_script programs in the dpkg_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans_script',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ # transition to dpkg script:
+ corecmd_shell_domtrans($1, dpkg_script_t)
+ allow dpkg_script_t $1:fd use;
+ allow dpkg_script_t $1:fifo_file rw_file_perms;
+ allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the dpkg domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dpkg_run',`
+ gen_require(`
+ attribute_role dpkg_roles;
+ ')
+
+ dpkg_domtrans($1)
+ roleattribute $2 dpkg_roles;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_fds',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_rw_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_script_fds',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Read the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dpkg_dontaudit_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Lock the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_lock_db',`
+ gen_require(`
+ type dpkg_lock_t, dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ allow $1 dpkg_lock_t:file manage_file_perms;
+')
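Review bot: In `dpkg_domtrans_script` the pipe rule uses `rw_file_perms` on the `fifo_file` class; the rest of this commit (and `dpkg_rw_pipes` further down in the same file) uses the class-specific set, so it should read `allow dpkg_script_t $1:fifo_file rw_fifo_file_perms;`. The summary for that interface says it executes "dpkg_script programs", but the body uses `corecmd_shell_domtrans`, i.e. it transitions on any shell execution by `$1`; the summary should say so, e.g. `## Execute a shell in the dpkg_script domain.`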
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
new file mode 100644
index 00000000..20ee3f5c
--- /dev/null
+++ b/policy/modules/contrib/dpkg.te
@@ -0,0 +1,341 @@
+policy_module(dpkg, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+type dpkg_t;
+type dpkg_exec_t;
+# dpkg can start/stop services
+init_system_domain(dpkg_t, dpkg_exec_t)
+# dpkg can change file labels, roles, IO
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role dpkg_roles types dpkg_t;
+
+# lockfile
+type dpkg_lock_t;
+files_type(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+# status files
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+# package scripts
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role dpkg_roles types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# dpkg Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/dpkg files
+manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
+files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_exec_all_executables(dpkg_t)
+
+# TODO: do we really need all networking?
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
+corenet_tcp_sendrecv_generic_if(dpkg_t)
+corenet_raw_sendrecv_generic_if(dpkg_t)
+corenet_udp_sendrecv_generic_if(dpkg_t)
+corenet_tcp_sendrecv_generic_node(dpkg_t)
+corenet_raw_sendrecv_generic_node(dpkg_t)
+corenet_udp_sendrecv_generic_node(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+corenet_udp_sendrecv_all_ports(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+corenet_sendrecv_all_client_packets(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+#devices_manage_all_device_types(dpkg_t)
+
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_all_levels(dpkg_t)
+mls_file_write_all_levels(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(dpkg_t)
+
+auth_relabel_all_files_except_auth_files(dpkg_t)
+auth_manage_all_files_except_auth_files(dpkg_t)
+auth_dontaudit_read_shadow(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+
+init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
+
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_run_ldconfig(dpkg_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_user_terminals(dpkg_t)
+userdom_use_unpriv_users_fds(dpkg_t)
+
+# transition to dpkg script:
+dpkg_domtrans_script(dpkg_t)
+# since the scripts aren't labeled correctly yet...
+allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
+# TODO: allow?
+#optional_policy(`
+# cron_system_entry(dpkg_t,dpkg_exec_t)
+#')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_t)
+')
+
+# TODO: the following was copied from dpkg_script_t, and could probably
+# be removed again when dpkg_script_t is actually used...
+domain_signal_all_domains(dpkg_t)
+domain_signull_all_domains(dpkg_t)
+files_read_etc_runtime_files(dpkg_t)
+files_exec_usr_files(dpkg_t)
+miscfiles_read_localization(dpkg_t)
+modutils_run_depmod(dpkg_t, dpkg_roles)
+modutils_run_insmod(dpkg_t, dpkg_roles)
+seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+seutil_run_setfiles(dpkg_t, dpkg_roles)
+userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ mta_send_mail(dpkg_t)
+')
+optional_policy(`
+ usermanage_run_groupadd(dpkg_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_t, dpkg_roles)
+')
+
+########################################
+#
+# dpkg-script Local policy
+#
+# TODO: actually use dpkg_script_t
+
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+
+allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_all_executables(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# ideally we would not need this
+dev_manage_generic_blk_files(dpkg_script_t)
+dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_all_levels(dpkg_script_t)
+mls_file_write_all_levels(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_use_all_terms(dpkg_script_t)
+
+auth_dontaudit_getattr_shadow(dpkg_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_auth_files(dpkg_script_t)
+
+init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
+
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_run_ldconfig(dpkg_script_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_run_depmod(dpkg_script_t, dpkg_roles)
+modutils_run_insmod(dpkg_script_t, dpkg_roles)
+
+seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
+ bootloader_run(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_script_t)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+')
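Review bot: `domain_entry_file(dpkg_t, dpkg_var_lib_t)` in the declarations makes the package-database type an entrypoint for dpkg_t even though dpkg_t also gets `manage_files_pattern` on that type further down, and `mmap_file_perms` (which includes execute) at the end of the dpkg_t block; a writable data type doubling as an entrypoint means the type no longer bounds what code runs as dpkg_t. Given it sits under the `# package scripts` comment next to `corecmd_shell_entry_type(dpkg_script_t)`, it looks like a typo for `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)`; even then, a dedicated type for the maintainer scripts would keep the status files non-executable. Separately, the `unconfined_domain(dpkg_t)` and `unconfined_domain(dpkg_script_t)` optional blocks make every restriction in this file moot on a system that loads the unconfined module, which deserves a comment stating that this is intentional.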
diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
new file mode 100644
index 00000000..fca0d673
--- /dev/null
+++ b/policy/modules/contrib/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dracut.if
new file mode 100644
index 00000000..929fffd3
--- /dev/null
+++ b/policy/modules/contrib/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+## Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+ gen_require(`
+ type dracut_t, dracut_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_run',`
+ gen_require(`
+ type dracut_t;
+ ')
+
+ dracut_domtrans($1)
+ role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+ gen_require(`
+ type dracut_tmp_t;
+ ')
+
+ files_search_var($1)
+ files_search_tmp($1)
+
+ manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
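Review bot: `dracut_run` adds a role to the dracut domain but its XML header lacks the `## <rolecap/>` tag that `dovecot_admin` and `dpkg_run` in this same commit carry; add `## <rolecap/>` after the role `</param>` block so the interface is recognised as a role capability. In `dracut_manage_tmp_files`, `files_search_var($1)` next to `files_search_tmp($1)` is unexplained for a plain tmp type; if it is there for /var/tmp, a one-line comment (`# for /var/tmp`) would save the next reader the guess. The file also ends with a trailing blank line after the last interface.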
diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
new file mode 100644
index 00000000..9a80a059
--- /dev/null
+++ b/policy/modules/contrib/dracut.te
@@ -0,0 +1,74 @@
+policy_module(dracut, 1.0)
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_exec(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+lvm_exec(dracut_t)
+lvm_read_config(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_exec_depmod(dracut_t)
+modutils_exec_insmod(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_exec(dracut_t)
+
+seutil_exec_setfiles(dracut_t)
+
+udev_exec(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+ dmesg_exec(dracut_t)
+')
+
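Review bot: `dracut_var_log_t` has no corresponding entry in dracut.fc, so the log file created through `logging_log_filetrans(dracut_t, dracut_var_log_t, file)` only carries its label at creation time; a later relabel of /var/log will reset it to the generic log type and `manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)` stops applying. Add a path to dracut.fc; the log file name is not visible here, so `/var/log/<dracut-log-file> -- gen_context(system_u:object_r:dracut_var_log_t,s0)` with the real name filled in. Separately, mount, udev, insmod, depmod, setfiles, lvm and fstools helpers are all run inside `dracut_t` via plain `*_exec` interfaces rather than domain transitions, so their privileges accumulate in one domain alongside `setfscreate` and `files_create_kernel_img`; that is presumably intentional for an initramfs builder, but a comment in the local policy section stating it would save the next reviewer from re-asking.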
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
new file mode 100644
index 00000000..d2d8ce34
--- /dev/null
+++ b/policy/modules/contrib/entropyd.fc
@@ -0,0 +1,8 @@
+#
+# /usr
+#
+/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
new file mode 100644
index 00000000..67906f01
--- /dev/null
+++ b/policy/modules/contrib/entropyd.if
@@ -0,0 +1 @@
+## <summary>Generate entropy from audio input</summary>
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
new file mode 100644
index 00000000..b6ac808a
--- /dev/null
+++ b/policy/modules/contrib/entropyd.te
@@ -0,0 +1,80 @@
+policy_module(entropyd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t, entropyd_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+kernel_rw_kernel_sysctl(entropyd_t)
+kernel_list_proc(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
+
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
+
+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+')
+
+optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`
+ udev_read_db(entropyd_t)
+')
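Review bot: The `self:capability { dac_override ipc_lock sys_admin }` line carries no explanation, and `sys_admin` is the one capability in the set a reviewer cannot take at face value. Feeding the pool through `dev_write_rand` uses the RNDADDENTROPY ioctl, which the kernel gates on CAP_SYS_ADMIN, so a comment such as `# sys_admin: RNDADDENTROPY ioctl on /dev/random` documents why the broad capability is present; `dac_override` has no visible justification in this policy and should either be explained or verified as needed. `kernel_rw_kernel_sysctl` likewise grants write access to all of /proc/sys/kernel when the daemon presumably only touches the random entries; if the kernel module offers a narrower interface it would be preferable here.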
diff --git a/policy/modules/contrib/evolution.fc b/policy/modules/contrib/evolution.fc
new file mode 100644
index 00000000..c0112777
--- /dev/null
+++ b/policy/modules/contrib/evolution.fc
@@ -0,0 +1,21 @@
+#
+# HOME_DIR/
+#
+
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+#
+# /tmp
+#
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
+#
+# /usr
+#
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
new file mode 100644
index 00000000..1cb204c9
--- /dev/null
+++ b/policy/modules/contrib/evolution.if
@@ -0,0 +1,153 @@
+## <summary>Evolution email client</summary>
+
+########################################
+## <summary>
+## Role access for evolution
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`evolution_role',`
+ gen_require(`
+ type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_alarm_t, evolution_alarm_exec_t;
+ type evolution_exchange_t, evolution_exchange_exec_t;
+ type evolution_exchange_orbit_tmp_t;
+ type evolution_server_t, evolution_server_exec_t;
+ type evolution_webcal_t, evolution_webcal_exec_t;
+ ')
+
+ role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
+ role $1 types { evolution_server_t evolution_webcal_t };
+
+ domtrans_pattern($2, evolution_exec_t, evolution_t)
+ domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+ domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+ domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+ domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+ ps_process_pattern($2, evolution_t)
+ ps_process_pattern($2, evolution_alarm_t)
+ ps_process_pattern($2, evolution_exchange_t)
+ ps_process_pattern($2, evolution_server_t)
+ ps_process_pattern($2, evolution_webcal_t)
+
+ allow evolution_t $2:dir search;
+ allow evolution_t $2:file read;
+ allow evolution_t $2:lnk_file read;
+ allow evolution_t $2:unix_stream_socket connectto;
+
+ allow $2 evolution_t:unix_stream_socket connectto;
+ allow $2 evolution_t:process noatsecure;
+ allow $2 evolution_t:process signal_perms;
+
+ # Access .evolution
+ allow $2 evolution_home_t:dir manage_dir_perms;
+ allow $2 evolution_home_t:file manage_file_perms;
+ allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
+ allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+ allow evolution_exchange_t $2:unix_stream_socket connectto;
+
+ # Clock applet talks to exchange (FIXME: Needs policy)
+ allow $2 evolution_exchange_t:unix_stream_socket connectto;
+ allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Create objects in users evolution home folders.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`evolution_home_filetrans',`
+ gen_require(`
+ type evolution_home_t;
+ ')
+
+ allow $1 evolution_home_t:dir rw_dir_perms;
+ type_transition $1 evolution_home_t:$3 $2;
+')
+
+########################################
+## <summary>
+## Connect to evolution unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_stream_connect',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ allow $1 evolution_t:unix_stream_socket connectto;
+ allow $1 evolution_home_t:dir search;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_dbus_chat',`
+ gen_require(`
+ type evolution_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_t:dbus send_msg;
+ allow evolution_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution_alarm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_alarm_dbus_chat',`
+ gen_require(`
+ type evolution_alarm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_alarm_t:dbus send_msg;
+ allow evolution_alarm_t $1:dbus send_msg;
+')
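Review bot: The `evolution_role` summary says only "Role access for evolution", but the body also hands the user domain `$2` full manage plus relabelfrom/relabelto rights on `evolution_home_t` and write access to `evolution_exchange_orbit_tmp_t` sockets, which a caller reading the generated interface documentation would not expect. Expand the summary along the lines of "Role access for evolution: domain transitions to all evolution domains, process inspection, and management and relabeling of evolution home content". The `# Clock applet talks to exchange (FIXME: Needs policy)` rule it carries is also still open after this commit.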
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
new file mode 100644
index 00000000..73cb712c
--- /dev/null
+++ b/policy/modules/contrib/evolution.te
@@ -0,0 +1,604 @@
+policy_module(evolution, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type evolution_t;
+type evolution_exec_t;
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+userdom_user_application_domain(evolution_t, evolution_exec_t)
+
+type evolution_alarm_t;
+type evolution_alarm_exec_t;
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+userdom_user_tmpfs_file(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+userdom_user_tmp_file(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
+type evolution_exchange_exec_t;
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+userdom_user_tmpfs_file(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+userdom_user_tmp_file(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+userdom_user_tmp_file(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+userdom_user_tmp_file(evolution_orbit_tmp_t)
+
+type evolution_server_t;
+type evolution_server_exec_t;
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+userdom_user_application_domain(evolution_server_t, evolution_server_exec_t)
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+userdom_user_tmp_file(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+userdom_user_tmpfs_file(evolution_tmpfs_t)
+
+type evolution_webcal_t;
+type evolution_webcal_exec_t;
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_generic_node(evolution_t)
+corenet_udp_sendrecv_generic_node(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_generic_node(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_nfs_files(evolution_t)
+ fs_read_nfs_symlinks(evolution_t)
+
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_nfs_files(evolution_t)
+ fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_cifs_files(evolution_t)
+ fs_read_cifs_symlinks(evolution_t)
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_cifs_files(evolution_t)
+ fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(evolution_t)
+ userdom_read_user_tmp_files(evolution_t)
+ userdom_read_user_tmp_symlinks(evolution_t)
+ userdom_read_user_home_content_files(evolution_t)
+ userdom_read_user_home_content_symlinks(evolution_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ fs_read_removable_symlinks(evolution_t)
+ ')
+',`
+ files_dontaudit_list_tmp(evolution_t)
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_removable(evolution_t)
+ fs_dontaudit_read_removable_files(evolution_t)
+ userdom_dontaudit_list_user_tmp(evolution_t)
+ userdom_dontaudit_read_user_tmp_files(evolution_t)
+ userdom_dontaudit_list_user_home_dirs(evolution_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+ nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ # Allow evolution to signal the daemon
+ # FIXME: Now evolution can read spamd temp files
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_generic_node(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_generic_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
+corenet_raw_sendrecv_generic_node(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+ nscd_socket_use(evolution_webcal_t)
+')
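Review bot: The two `typealias` lines under `type evolution_orbit_tmp_t;` attach the `*_evolution_orbit_tmp_t` aliases to `evolution_home_t` instead of `evolution_orbit_tmp_t`; every other orbit tmp type in the declarations follows the correct pattern, so this looks like a copy-paste slip, and anything still referring to the legacy names would silently resolve to the home-content type. Change them to `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };` and `typealias evolution_orbit_tmp_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };`. A smaller consistency point: `allow evolution_t self:fifo_file rw_file_perms;` uses the generic file permission set where the sibling domains use `rw_fifo_file_perms`.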
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
new file mode 100644
index 00000000..298f0660
--- /dev/null
+++ b/policy/modules/contrib/exim.fc
@@ -0,0 +1,8 @@
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
new file mode 100644
index 00000000..6bef7f86
--- /dev/null
+++ b/policy/modules/contrib/exim.if
@@ -0,0 +1,196 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+ gen_require(`
+ type exim_t, exim_exec_t;
+ ')
+
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## exim tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`exim_dontaudit_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, exim tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ allow $1 exim_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Read exim PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_pid_files',`
+ gen_require(`
+ type exim_var_run_t;
+ ')
+
+ allow $1 exim_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_read_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ read_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## exim log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_append_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ append_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage exim's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ allow $1 exim_spool_t:file read_file_perms;
+ allow $1 exim_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## exim spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
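Review bot: `exim_read_tmp_files` (and `exim_read_pid_files` just below it) grants read_file_perms on the file type but no search permission on directories of that type, while exim.te in this same commit creates exim_tmp_t and exim_var_run_t directories through files_tmp_filetrans/files_pid_filetrans with `{ file dir }`, so a caller cannot reach files placed inside those directories. Replacing the bare allow with the pattern macros, `read_files_pattern($1, exim_tmp_t, exim_tmp_t)` and `read_files_pattern($1, exim_var_run_t, exim_var_run_t)`, adds the missing dir search rule; `exim_read_spool_files` already grants list_dir_perms on its dir type, so the three would then be consistent. The stray commas in the summaries of `exim_dontaudit_read_tmp_files` and `exim_read_tmp_files` ("attempts to read, exim tmp files") should also be removed, since they end up in the generated interface documentation.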
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
new file mode 100644
index 00000000..f28f64b9
--- /dev/null
+++ b/policy/modules/contrib/exim.te
@@ -0,0 +1,203 @@
+policy_module(exim, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
+## <desc>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_read_user_files, false)
+
+## <desc>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_manage_user_files, false)
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
+########################################
+#
+# exim local policy
+#
+
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
+
+can_exec(exim_t, exim_exec_t)
+
+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_read_network_state(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
+corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_generic_node(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_generic_certs(exim_t)
+
+userdom_dontaudit_search_user_home_dirs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+tunable_policy(`exim_read_user_files',`
+ userdom_read_user_home_content_files(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+ userdom_manage_user_home_content_dirs(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+ userdom_write_user_tmp_files(exim_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ # https://bugzilla.redhat.com/show_bug.cgi?id=512710
+ # uses sendmail for outgoing mail and exim
+ # for incoming mail
+ sendmail_manage_tmp_files(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
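Review bot: The `exim_manage_user_files` tunable block grants `userdom_manage_user_home_content_dirs(exim_t)` but no rule on home content files, while its `<desc>` promises create/read/write/delete of unprivileged user files; either the description or the rule is off, and if files are meant, `userdom_manage_user_home_content_files(exim_t)` is presumably the intended interface — confirm against the userdom module before changing it. Separately, `corenet_tcp_sendrecv_all_ports(exim_t)` next to the explicit smtp/ldap/auth/spamd port rules, together with the `{ chown dac_override dac_read_search ... }` capability set, is a wide footprint for a network-facing MTA; a one-line comment stating why all-ports send/receive is required would let a reviewer judge it.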
diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc
new file mode 100644
index 00000000..0de2b83b
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
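Review bot: The last entry `/var/run/fail2ban.*` leaves the `.` unescaped, so it also matches unrelated names such as `/var/run/fail2banX`, whereas every other entry in this file escapes its dots. If the intent is the pid file plus the socket directory, a constructed tighter form such as `/var/run/fail2ban(\.pid|/.*)?` (adjusted to the actual pid file name) matches only those paths.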
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
new file mode 100644
index 00000000..f590a1ff
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.if
@@ -0,0 +1,175 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#####################################
+## <summary>
+## Connect to fail2ban over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fail2ban environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the fail2ban domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fail2ban_t)
+
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+')
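Review bot: `fail2ban_admin` never covers fail2ban_var_lib_t, although fail2ban.te in this commit declares that type and manages /var/lib/fail2ban under it, so an admin role would be unable to clean or inspect the lib directory. Add `files_list_var_lib($1)` and `admin_pattern($1, fail2ban_var_lib_t)` alongside the log and pid rules, and add the type to the gen_require block. The `ptrace` permission in `allow $1 fail2ban_t:process { ptrace signal_perms };` is more than day-to-day administration needs; if it is only there by convention, a short comment saying so would help, otherwise drop it.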
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
new file mode 100644
index 00000000..4cdbca54
--- /dev/null
+++ b/policy/modules/contrib/fail2ban.te
@@ -0,0 +1,102 @@
+policy_module(fail2ban, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:capability { sys_tty_config };
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
+# pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+
+# FAM support needs this (/proc/self and parent stuff)
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+files_dontaudit_write_usr_dirs(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
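Review bot: `allow fail2ban_t self:capability { sys_tty_config };` allows the capability outright, while the sibling modules in this commit (fetchmail.te, finger.te) `dontaudit` it, which is the usual treatment for a daemon that merely trips the check on its inherited tty; unless fail2ban really configures ttys, `dontaudit fail2ban_t self:capability sys_tty_config;` is the tighter rule. `corenet_tcp_sendrecv_all_ports(fail2ban_t)` next to the specific whois port rules is also broad for a domain that additionally gets `corecmd_exec_shell` and `iptables_domtrans`; a comment on why all ports are needed would make that reviewable.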
diff --git a/policy/modules/contrib/fetchmail.fc b/policy/modules/contrib/fetchmail.fc
new file mode 100644
index 00000000..39928d5a
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.fc
@@ -0,0 +1,19 @@
+
+#
+# /etc
+#
+
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
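Review bot: `/var/run/fetchmail/.* --` labels only files beneath /var/run/fetchmail, yet fetchmail.te in this commit creates the directory itself as fetchmail_var_run_t via `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })`, so a relabel or restorecon would reset the directory to the generic pid label and the daemon would lose access to it. Use `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)` so the on-disk label of the directory agrees with the runtime transition.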
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
new file mode 100644
index 00000000..6537214c
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.if
@@ -0,0 +1,30 @@
+## <summary>Remote-mail retrieval and forwarding utility</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fetchmail environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+ type fetchmail_var_run_t;
+ ')
+
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fetchmail_var_run_t)
+')
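Review bot: `fetchmail_admin` applies `admin_pattern($1, fetchmail_uidl_cache_t)` without any rule to reach the parents of that type: fetchmail.fc places the cache under /var/lib/fetchmail and /var/mail, but the interface only searches /etc and the pid directory. Add `files_list_var_lib($1)` next to the cache rule (and an mta spool search interface for the /var/mail entry, if the mta module provides one), mirroring the `files_list_etc`/`files_list_pids` calls already present. Unlike the other admin interfaces in this commit it also grants no signal permissions on fetchmail_t; if that is deliberate, say so in the summary.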
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
new file mode 100644
index 00000000..ac6626eb
--- /dev/null
+++ b/policy/modules/contrib/fetchmail.te
@@ -0,0 +1,104 @@
+policy_module(fetchmail, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type fetchmail_t;
+type fetchmail_exec_t;
+init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
+type fetchmail_etc_t;
+files_config_file(fetchmail_etc_t)
+
+type fetchmail_uidl_cache_t;
+files_type(fetchmail_uidl_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fetchmail_t self:capability sys_tty_config;
+allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
+allow fetchmail_t self:tcp_socket create_socket_perms;
+allow fetchmail_t self:udp_socket create_socket_perms;
+
+allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+
+allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(fetchmail_t)
+kernel_list_proc(fetchmail_t)
+kernel_getattr_proc_files(fetchmail_t)
+kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
+
+#looks like it uses system command - calls uname
+corecmd_exec_bin(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
+corenet_tcp_sendrecv_generic_if(fetchmail_t)
+corenet_udp_sendrecv_generic_if(fetchmail_t)
+corenet_tcp_sendrecv_generic_node(fetchmail_t)
+corenet_udp_sendrecv_generic_node(fetchmail_t)
+corenet_tcp_sendrecv_dns_port(fetchmail_t)
+corenet_udp_sendrecv_dns_port(fetchmail_t)
+corenet_tcp_sendrecv_pop_port(fetchmail_t)
+corenet_tcp_sendrecv_smtp_port(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_sendrecv_all_client_packets(fetchmail_t)
+
+dev_read_sysfs(fetchmail_t)
+dev_read_rand(fetchmail_t)
+dev_read_urand(fetchmail_t)
+
+files_read_etc_files(fetchmail_t)
+files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
+
+fs_getattr_all_fs(fetchmail_t)
+fs_search_auto_mountpoints(fetchmail_t)
+
+domain_use_interactive_fds(fetchmail_t)
+
+logging_send_syslog_msg(fetchmail_t)
+
+miscfiles_read_localization(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
+
+sysnet_read_config(fetchmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
+ sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+')
+
+optional_policy(`
+ udev_read_db(fetchmail_t)
+')
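Review bot: `corenet_tcp_connect_all_ports(fetchmail_t)` paired with `corenet_sendrecv_all_client_packets(fetchmail_t)` lets the domain connect anywhere, even though the file already names the protocol ports it expects (dns, pop, smtp). A mail retriever normally needs only the pop/imap/smtp family, presumably via `corenet_tcp_connect_pop_port(fetchmail_t)` and `corenet_tcp_connect_smtp_port(fetchmail_t)` (plus the imap port if the corenet module defines it); if the blanket connect is kept for user-configured ports, a comment above the call saying so would make the choice reviewable.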
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
new file mode 100644
index 00000000..c8611923
--- /dev/null
+++ b/policy/modules/contrib/finger.fc
@@ -0,0 +1,19 @@
+# fingerd
+
+#
+# /etc
+#
+/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if
new file mode 100644
index 00000000..b5dd671f
--- /dev/null
+++ b/policy/modules/contrib/finger.if
@@ -0,0 +1,33 @@
+## <summary>Finger user information service.</summary>
+
+########################################
+## <summary>
+## Execute fingerd in the fingerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`finger_domtrans',`
+ gen_require(`
+ type fingerd_t, fingerd_exec_t;
+ ')
+
+ domtrans_pattern($1, fingerd_exec_t, fingerd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`finger_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
new file mode 100644
index 00000000..9b7036aa
--- /dev/null
+++ b/policy/modules/contrib/finger.te
@@ -0,0 +1,121 @@
+policy_module(finger, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file rw_fifo_file_perms;
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+allow fingerd_t self:udp_socket create_socket_perms;
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
+
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+
+allow fingerd_t fingerd_log_t:file manage_file_perms;
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+
+kernel_read_kernel_sysctls(fingerd_t)
+kernel_read_system_state(fingerd_t)
+
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
+corenet_tcp_sendrecv_generic_if(fingerd_t)
+corenet_udp_sendrecv_generic_if(fingerd_t)
+corenet_tcp_sendrecv_generic_node(fingerd_t)
+corenet_udp_sendrecv_generic_node(fingerd_t)
+corenet_tcp_sendrecv_all_ports(fingerd_t)
+corenet_udp_sendrecv_all_ports(fingerd_t)
+corenet_tcp_bind_generic_node(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_getattr_all_ttys(fingerd_t)
+term_getattr_all_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+domain_use_interactive_fds(fingerd_t)
+
+files_search_home(fingerd_t)
+files_read_etc_files(fingerd_t)
+files_read_etc_runtime_files(fingerd_t)
+
+init_read_utmp(fingerd_t)
+init_dontaudit_write_utmp(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+sysnet_read_config(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_read_user_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+optional_policy(`
+ cron_system_entry(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(fingerd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(fingerd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(fingerd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(fingerd_t)
+')
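Review bot: `fingerd_var_run_t` is declared and used in `files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)`, but finger.fc in this commit has no /var/run entry for it, so a pid file created at runtime would be relabelled to the generic pid type on restorecon; either add an fc line such as `/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)` (adjusted to the real file name) or document why no persistent label is needed. Since this is an inetd service reached from the network, the combination of `corecmd_exec_shell`, `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` and `userdom_read_user_home_content_files` is a wide footprint; the existing comment justifies the home access, and similar one-line justifications for the shell and all-ports rules would help.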
diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc
new file mode 100644
index 00000000..ba614e45
--- /dev/null
+++ b/policy/modules/contrib/firstboot.fc
@@ -0,0 +1,3 @@
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/contrib/firstboot.if b/policy/modules/contrib/firstboot.if
new file mode 100644
index 00000000..8fa451cc
--- /dev/null
+++ b/policy/modules/contrib/firstboot.if
@@ -0,0 +1,157 @@
+## <summary>
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+## </summary>
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ ')
+
+ domtrans_pattern($1, firstboot_exec_t, firstboot_t)
+')
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_run',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ firstboot_domtrans($1)
+ role $2 types firstboot_t;
+')
+
+########################################
+## <summary>
+## Inherit and use a file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_write_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
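Review bot: The summaries of `firstboot_dontaudit_rw_pipes` and `firstboot_dontaudit_rw_stream_sockets` misspell "attempts" as "attemps"; these strings feed the generated interface documentation. As a point of style, `firstboot_rw_pipes` and `firstboot_dontaudit_rw_pipes` spell out `{ read write }` on fifo_file while firstboot.te in the same commit uses `rw_fifo_file_perms` for the domain's own pipes; if the slightly larger named set is acceptable to callers, `allow $1 firstboot_t:fifo_file rw_fifo_file_perms;` keeps the two files in step, otherwise a comment explaining the narrower set would help.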
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
new file mode 100644
index 00000000..c4d89985
--- /dev/null
+++ b/policy/modules/contrib/firstboot.te
@@ -0,0 +1,135 @@
+policy_module(firstboot, 1.12.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t, firstboot_exec_t)
+domain_obj_id_change_exemption(firstboot_t)
+domain_subj_id_change_exemption(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:fifo_file rw_fifo_file_perms;
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file read_file_perms;
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
+
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_domtrans_script(firstboot_t)
+init_rw_utmp(firstboot_t)
+
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fds(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_domtrans_depmod(firstboot_t)
+modutils_read_module_config(firstboot_t)
+modutils_read_module_deps(firstboot_t)
+
+userdom_use_user_terminals(firstboot_t)
+# Add/remove user home directories
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ consoletype_domtrans(firstboot_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+ hal_dbus_chat(firstboot_t)
+ ')
+')
+
+optional_policy(`
+ nis_use_ypbind(firstboot_t)
+')
+
+optional_policy(`
+ samba_rw_config(firstboot_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(firstboot_t)
+ # The big hammer
+ unconfined_domain(firstboot_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_chfn(firstboot_t)
+ usermanage_domtrans_groupadd(firstboot_t)
+ usermanage_domtrans_passwd(firstboot_t)
+ usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_admin_passwd(firstboot_t)
+')
+
+optional_policy(`
+ gnome_manage_config(firstboot_t)
+')
+
+optional_policy(`
+ xserver_domtrans(firstboot_t)
+ xserver_rw_shm(firstboot_t)
+ xserver_unconfined(firstboot_t)
+')
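Review bot: `unconfined_domain(firstboot_t)` in the optional_policy block near the end of the file supersedes every other rule in this module whenever the unconfined module is loaded, and the only record of that is the `# The big hammer` comment. Even without that module, `corecmd_exec_all_executables`, `files_manage_etc_files`, both `domain_*_id_change_exemption` calls and `allow firstboot_t self:passwd rootok;` leave firstboot_t close to unconfined, so the fine-grained rules should be understood as the fallback, not the effective policy. Suggest replacing the comment with `# firstboot performs arbitrary first-boot configuration; unconfined_domain() overrides every rule above on builds that load the unconfined module, so the rules above are only the fallback for builds without it.` and annotating the passwd rule with `# rootok: lets firstboot set account passwords without authenticating (PAM rootok check) — intended, keep this domain off any other entrypoint`.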
diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc
new file mode 100644
index 00000000..a4f5fb1e
--- /dev/null
+++ b/policy/modules/contrib/fprintd.fc
@@ -0,0 +1,2 @@
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if
new file mode 100644
index 00000000..ebad8c42
--- /dev/null
+++ b/policy/modules/contrib/fprintd.if
@@ -0,0 +1,41 @@
+## <summary>DBus fingerprint reader service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fprintd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fprintd_domtrans',`
+ gen_require(`
+ type fprintd_t, fprintd_exec_t;
+ ')
+
+ domtrans_pattern($1, fprintd_exec_t, fprintd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## fprintd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fprintd_dbus_chat',`
+ gen_require(`
+ type fprintd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
new file mode 100644
index 00000000..7df52c7d
--- /dev/null
+++ b/policy/modules/contrib/fprintd.te
@@ -0,0 +1,57 @@
+policy_module(fprintd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type fprintd_t;
+type fprintd_exec_t;
+dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+type fprintd_var_lib_t;
+files_type(fprintd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:process { getsched signal };
+
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
+
+kernel_read_system_state(fprintd_t)
+
+corecmd_search_bin(fprintd_t)
+
+dev_list_usbfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
+dev_read_sysfs(fprintd_t)
+
+files_read_etc_files(fprintd_t)
+files_read_usr_files(fprintd_t)
+
+fs_getattr_all_fs(fprintd_t)
+
+auth_use_nsswitch(fprintd_t)
+
+miscfiles_read_localization(fprintd_t)
+
+userdom_use_user_ptys(fprintd_t)
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+')
+
+optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
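Review bot: `allow fprintd_t self:capability sys_ptrace;` grants the fingerprint daemon CAP_SYS_PTRACE with no comment on why; taken together with `userdom_read_all_users_state(fprintd_t)` the likely trigger is reading other users' /proc/<pid> entries, which needs the capability only for some of those files. If the daemon works without it, `dontaudit fprintd_t self:capability sys_ptrace;` is the safer form; otherwise add `# sys_ptrace: presumably needed to read /proc/<pid>/ of other users' sessions — TODO confirm before widening` so the grant is not copied blindly into derived policies. The `fprintd_var_lib_t` type declaration would also benefit from a one-line comment noting that /var/lib/fprint presumably holds enrolled fingerprint templates, which is why only fprintd_t is given manage access to it.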
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
new file mode 100644
index 00000000..69dcd2a0
--- /dev/null
+++ b/policy/modules/contrib/ftp.fc
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+
+/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
new file mode 100644
index 00000000..9d3201b6
--- /dev/null
+++ b/policy/modules/contrib/ftp.if
@@ -0,0 +1,206 @@
+## <summary>File transfer protocol service</summary>
+
+#######################################
+## <summary>
+## Allow domain dyntransition to sftpd_anon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_anon_sftpd',`
+ gen_require(`
+ type anon_sftpd_t;
+ ')
+
+ dyntrans_pattern($1, anon_sftpd_t)
+')
+
+########################################
+## <summary>
+## Use ftp by connecting over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read ftpd etc files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_config',`
+ gen_require(`
+ type ftpd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ftpd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+## <summary>
+## Read FTP transfer logs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_read_log',`
+ gen_require(`
+ type xferlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xferlog_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t, ftpdctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
+')
+
+########################################
+## <summary>
+## Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ftpdctl domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ role $2 types ftpdctl_t;
+')
+
+#######################################
+## <summary>
+## Allow domain dyntransition to sftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntrans_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ dyntrans_pattern($1, sftpd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ftp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ftp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_admin',`
+ gen_require(`
+ type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+ type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
+ ')
+
+ allow $1 ftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ftpd_t)
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ftpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ ps_process_pattern($1, ftpdctl_t)
+ ftp_run_ftpdctl($1, $2)
+
+ miscfiles_manage_public_files($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, ftpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ftpd_etc_t)
+
+ files_list_var($1)
+ admin_pattern($1, ftpd_lock_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ftpd_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
+')
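Review bot: `ftp_admin` omits two types this module declares in ftp.te: `ftpd_tmpfs_t` and `ftpdctl_tmp_t` get no `admin_pattern`, so an ftp administrator role can manage the daemon's config, lock, pid, tmp and log files but not its tmpfs objects or the ftpdctl control socket under /tmp. Add `type ftpd_tmpfs_t, ftpdctl_tmp_t;` to the gen_require and `admin_pattern($1, ftpd_tmpfs_t)` plus `admin_pattern($1, ftpdctl_tmp_t)` next to the existing ftpd_tmp_t entry. Separately, the two dyntrans interfaces give callers no hint that `sftpd_t` and `anon_sftpd_t` have no `_exec_t` entrypoint and are only reachable by a process calling setcon() on itself; a sentence in each summary such as `These domains have no entrypoint executable; the caller enters them with setcon(), so it must already hold every descriptor it needs.` would prevent callers expecting a domtrans.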
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
new file mode 100644
index 00000000..02ffdfb4
--- /dev/null
+++ b/policy/modules/contrib/ftp.te
@@ -0,0 +1,412 @@
+policy_module(ftp, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir, false)
+
+## <desc>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(sftpd_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t, ftpd_exec_t)
+
+type ftpd_etc_t;
+files_config_file(ftpd_etc_t)
+
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type ftpdctl_t;
+type ftpdctl_exec_t;
+init_system_domain(ftpdctl_t, ftpdctl_exec_t)
+
+type ftpdctl_tmp_t;
+files_tmp_file(ftpdctl_tmp_t)
+
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# anon-sftp local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+')
+
+########################################
+#
+# ftpd local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+allow ftpd_t self:fifo_file rw_fifo_file_perms;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow ftpd_t self:tcp_socket create_stream_socket_perms;
+allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
+
+allow ftpd_t ftpd_etc_t:file read_file_perms;
+
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+
+# proftpd requires the client side to bind a socket so that
+# it can stat the socket to perform access control decisions,
+# since getsockopt with SO_PEERCRED is not available on all
+# proftpd-supported OSs
+allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+# Create and modify /var/log/xferlog.
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+kernel_read_kernel_sysctls(ftpd_t)
+kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
+
+dev_read_sysfs(ftpd_t)
+dev_read_urand(ftpd_t)
+
+corecmd_exec_bin(ftpd_t)
+
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
+corenet_tcp_sendrecv_generic_if(ftpd_t)
+corenet_udp_sendrecv_generic_if(ftpd_t)
+corenet_tcp_sendrecv_generic_node(ftpd_t)
+corenet_udp_sendrecv_generic_node(ftpd_t)
+corenet_tcp_sendrecv_all_ports(ftpd_t)
+corenet_udp_sendrecv_all_ports(ftpd_t)
+corenet_tcp_bind_generic_node(ftpd_t)
+corenet_tcp_bind_ftp_port(ftpd_t)
+corenet_tcp_bind_ftp_data_port(ftpd_t)
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
+corenet_tcp_connect_all_ports(ftpd_t)
+corenet_sendrecv_ftp_server_packets(ftpd_t)
+
+domain_use_interactive_fds(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
+
+auth_use_nsswitch(ftpd_t)
+auth_domtrans_chk_passwd(ftpd_t)
+# Append to /var/log/wtmp.
+auth_append_login_records(ftpd_t)
+#kerberized ftp requires the following
+auth_write_login_records(ftpd_t)
+auth_rw_faillog(ftpd_t)
+
+init_rw_utmp(ftpd_t)
+
+logging_send_audit_msgs(ftpd_t)
+logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
+
+miscfiles_read_localization(ftpd_t)
+miscfiles_read_public_files(ftpd_t)
+
+seutil_dontaudit_search_config(ftpd_t)
+
+sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+userdom_dontaudit_search_user_home_dirs(ftpd_t)
+
+tunable_policy(`allow_ftpd_anon_write',`
+ miscfiles_manage_public_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs',`
+ fs_read_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+ fs_manage_cifs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs',`
+ fs_read_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+ fs_manage_nfs_files(ftpd_t)
+')
+
+tunable_policy(`allow_ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+ auth_manage_all_files_except_auth_files(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(ftpd_t)
+ userdom_read_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_dirs(ftpd_t)
+ userdom_manage_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_symlinks(ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+')
+
+tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+ fs_manage_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
+
+tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+ fs_manage_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ corecmd_exec_shell(ftpd_t)
+
+ files_read_usr_files(ftpd_t)
+
+ cron_system_entry(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ logrotate_exec(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
+optional_policy(`
+ selinux_validate_context(ftpd_t)
+
+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
+')
+
+optional_policy(`
+ inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
+
+ optional_policy(`
+ tcpd_domtrans(tcpd_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ftpd_t)
+')
+
+########################################
+#
+# ftpdctl local policy
+#
+
+# Allow ftpdctl to talk to ftpd over a socket connection
+stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+
+# ftpdctl creates a socket so that the daemon can perform
+# access control decisions (see comments in ftpd_t rules above)
+allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+# Allow ftpdctl to read config files
+files_read_etc_files(ftpdctl_t)
+
+userdom_use_user_terminals(ftpdctl_t)
+
+########################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+
+tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+ userdom_manage_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content_dirs(sftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_auth_files(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ # allow read access to /home by default
+ fs_list_cifs(sftpd_t)
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ # allow read access to /home by default
+ fs_list_nfs(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
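Review bot: The `use_nfs_home_dirs` block at the very end grants `fs_read_nfs_symlinks(ftpd_t)` instead of `sftpd_t`, so internal-sftp on NFS home directories cannot follow symlinks while ftpd_t silently picks up a grant keyed to a tunable the ftpd section does not otherwise use; the parallel `use_samba_home_dirs` block above uses `sftpd_t` for all three calls, so this reads as a copy-paste slip and should be `fs_read_nfs_symlinks(sftpd_t)`. A similar slip is `tcpd_domtrans(tcpd_t)` in the inetd optional block, which grants tcpd_t a transition to itself rather than letting ftpd_t run tcpd; it should be `tcpd_domtrans(ftpd_t)`.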
diff --git a/policy/modules/contrib/games.fc b/policy/modules/contrib/games.fc
new file mode 100644
index 00000000..78dc515e
--- /dev/null
+++ b/policy/modules/contrib/games.fc
@@ -0,0 +1,66 @@
+#
+# /usr
+#
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+ifndef(`distro_debian',`
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+')dnl end non-Debian section
diff --git a/policy/modules/contrib/games.if b/policy/modules/contrib/games.if
new file mode 100644
index 00000000..7ac736d3
--- /dev/null
+++ b/policy/modules/contrib/games.if
@@ -0,0 +1,51 @@
+## <summary>Games</summary>
+
+############################################################
+## <summary>
+## Role access for games
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`games_role',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ role $1 types games_t;
+
+ domtrans_pattern($2, games_exec_t, games_t)
+ allow $2 games_t:unix_stream_socket connectto;
+ allow games_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, games_t)
+ allow $2 games_t:process signal_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## games data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
new file mode 100644
index 00000000..b73d33c9
--- /dev/null
+++ b/policy/modules/contrib/games.te
@@ -0,0 +1,178 @@
+policy_module(games, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+userdom_user_application_domain(games_t, games_exec_t)
+
+type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
+files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
+
+# games_srv_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+userdom_user_tmp_file(games_tmp_t)
+
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+userdom_user_tmpfs_file(games_tmpfs_t)
+
+########################################
+#
+# Server local policy
+#
+
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
+
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
+
+can_exec(games_srv_t, games_exec_t)
+
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
+
+dev_read_sysfs(games_srv_t)
+
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
+
+term_dontaudit_use_console(games_srv_t)
+
+domain_use_interactive_fds(games_srv_t)
+
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
+
+logging_send_syslog_msg(games_srv_t)
+
+miscfiles_read_localization(games_srv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+ udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket create_stream_socket_perms;
+allow games_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_udp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_generic_node(games_t)
+corenet_udp_sendrecv_generic_node(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_udp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_generic_node(games_t)
+corenet_tcp_bind_generic_port(games_t)
+corenet_tcp_connect_generic_port(games_t)
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_sendrecv_generic_server_packets(games_t)
+
+dev_read_sound(games_t)
+dev_write_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
+miscfiles_read_localization(games_t)
+
+sysnet_read_config(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files(games_t)
+
+tunable_policy(`allow_execmem',`
+ allow games_t self:process execmem;
+')
+
+optional_policy(`
+ nscd_socket_use(games_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(games_t)
+ xserver_read_xdm_lib_files(games_t)
+')
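Review bot: `dev_read_input(games_t)` and `dev_read_mouse(games_t)` give every binary labeled games_exec_t that a user runs read access to the raw input device nodes, which presumably includes keyboard event devices for the whole machine rather than only the game's own window; because games.fc applies games_exec_t through the broad `/usr/lib/games(/.*)?` and `/usr/games/.*` globs, this is effectively a keystroke-read grant for anything placed under those paths. If the real need is joystick or mouse access, state that and consider gating the input grant behind a tunable, e.g. `# dev_read_input: raw /dev/input access for joysticks; this also exposes keyboard events to any games_exec_t binary — TODO confirm scope`. The corenet block that lets games_t bind generic ports and `term_create_pty` that lets it allocate ptys would likewise benefit from a one-line rationale so the next reviewer does not trim them without knowing which games need them.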
diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
new file mode 100644
index 00000000..d6ef0255
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.fc
@@ -0,0 +1,8 @@
+/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0)
+
+/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
+/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
new file mode 100644
index 00000000..311cb061
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.if
@@ -0,0 +1 @@
+## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
new file mode 100644
index 00000000..99a94de5
--- /dev/null
+++ b/policy/modules/contrib/gatekeeper.te
@@ -0,0 +1,99 @@
+policy_module(gatekeeper, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type gatekeeper_t;
+type gatekeeper_exec_t;
+init_daemon_domain(gatekeeper_t, gatekeeper_exec_t)
+
+type gatekeeper_etc_t;
+files_config_file(gatekeeper_etc_t)
+
+type gatekeeper_log_t;
+logging_log_file(gatekeeper_log_t)
+
+# for stupid symlinks
+type gatekeeper_tmp_t;
+files_tmp_file(gatekeeper_tmp_t)
+
+type gatekeeper_var_run_t;
+files_pid_file(gatekeeper_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit gatekeeper_t self:capability sys_tty_config;
+allow gatekeeper_t self:process { setsched signal_perms };
+allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
+allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+allow gatekeeper_t self:udp_socket create_socket_perms;
+
+allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
+files_search_etc(gatekeeper_t)
+
+manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
+logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })
+
+manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
+files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
+
+manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
+files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file)
+
+kernel_read_system_state(gatekeeper_t)
+kernel_read_kernel_sysctls(gatekeeper_t)
+
+corecmd_list_bin(gatekeeper_t)
+
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
+corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+corenet_udp_sendrecv_generic_if(gatekeeper_t)
+corenet_tcp_sendrecv_generic_node(gatekeeper_t)
+corenet_udp_sendrecv_generic_node(gatekeeper_t)
+corenet_tcp_sendrecv_all_ports(gatekeeper_t)
+corenet_udp_sendrecv_all_ports(gatekeeper_t)
+corenet_tcp_bind_generic_node(gatekeeper_t)
+corenet_udp_bind_generic_node(gatekeeper_t)
+corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
+corenet_udp_bind_gatekeeper_port(gatekeeper_t)
+corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
+
+dev_read_sysfs(gatekeeper_t)
+# for SSP
+dev_read_urand(gatekeeper_t)
+
+domain_use_interactive_fds(gatekeeper_t)
+
+files_read_etc_files(gatekeeper_t)
+
+fs_getattr_all_fs(gatekeeper_t)
+fs_search_auto_mountpoints(gatekeeper_t)
+
+logging_send_syslog_msg(gatekeeper_t)
+
+miscfiles_read_localization(gatekeeper_t)
+
+sysnet_read_config(gatekeeper_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+userdom_dontaudit_search_user_home_dirs(gatekeeper_t)
+
+optional_policy(`
+ nis_use_ypbind(gatekeeper_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(gatekeeper_t)
+')
+
+optional_policy(`
+ udev_read_db(gatekeeper_t)
+')
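Review bot: The comment `# for stupid symlinks` on the gatekeeper_tmp_t declaration is not backed by any symlink rule — the tmp block grants only manage_dirs_pattern and manage_files_pattern and the transition covers `{ file dir }`, so a symlink the daemon creates under /tmp will be denied or land in the generic tmp type. Either add `manage_lnk_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)` and widen the transition to `{ file dir lnk_file }`, or reword the comment to describe what the type is actually used for. Separately, `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` sit next to bind rules that are scoped to the gatekeeper port; if the all-ports rules exist because H.323 signalling or media uses dynamic ports, a one-line comment saying so would let a later reviewer distinguish intent from over-grant.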
diff --git a/policy/modules/contrib/gift.fc b/policy/modules/contrib/gift.fc
new file mode 100644
index 00000000..df7ced4b
--- /dev/null
+++ b/policy/modules/contrib/gift.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
+
+/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
diff --git a/policy/modules/contrib/gift.if b/policy/modules/contrib/gift.if
new file mode 100644
index 00000000..c9b90d3a
--- /dev/null
+++ b/policy/modules/contrib/gift.if
@@ -0,0 +1,42 @@
+## <summary>giFT peer to peer file sharing tool</summary>
+
+############################################################
+## <summary>
+## Role access for gift
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gift_role',`
+ gen_require(`
+ type gift_t, gift_exec_t;
+ type giftd_t, giftd_exec_t;
+ type gift_home_t;
+ ')
+
+ role $1 types { gift_t giftd_t };
+
+ # transition from user domain
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
+
+ # user managed content
+ manage_dirs_pattern($2, gift_home_t, gift_home_t)
+ manage_files_pattern($2, gift_home_t, gift_home_t)
+ manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+ relabel_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process signal_perms;
+')
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
new file mode 100644
index 00000000..49753439
--- /dev/null
+++ b/policy/modules/contrib/gift.te
@@ -0,0 +1,144 @@
+policy_module(gift, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type gift_t;
+type gift_exec_t;
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+userdom_user_application_domain(gift_t, gift_exec_t)
+
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+userdom_user_tmpfs_file(gift_tmpfs_t)
+
+type giftd_t;
+type giftd_exec_t;
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+userdom_user_application_domain(giftd_t, giftd_exec_t)
+
+##############################
+#
+# giFT user interface local policy
+#
+
+allow gift_t self:tcp_socket create_socket_perms;
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+# Launch gift daemon
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+# Read /proc/meminfo
+kernel_read_system_state(gift_t)
+
+# Connect to gift daemon
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_generic_node(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_sendrecv_giftd_client_packets(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+sysnet_read_config(gift_t)
+
+# giftui looks in .icons, .themes.
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gift_t)
+ fs_manage_nfs_files(gift_t)
+ fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gift_t)
+ fs_manage_cifs_files(gift_t)
+ fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+ nscd_socket_use(gift_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# giFT server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket create_stream_socket_perms;
+allow giftd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+# Serve content on various p2p networks. Ports can be random.
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_generic_node(giftd_t)
+corenet_udp_sendrecv_generic_node(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_generic_node(giftd_t)
+corenet_udp_bind_generic_node(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+corenet_sendrecv_all_client_packets(giftd_t)
+
+files_read_usr_files(giftd_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_read_config(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(giftd_t)
+ fs_manage_nfs_files(giftd_t)
+ fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(giftd_t)
+ fs_manage_cifs_files(giftd_t)
+ fs_manage_cifs_symlinks(giftd_t)
+')
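Review bot: `fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })` includes the dir class, but the gift_tmpfs_t block above it grants only file, lnk_file, fifo_file and sock_file management — there is no `manage_dirs_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)`, so a directory created on tmpfs would transition into a type gift_t cannot then list or remove. Either add the dirs pattern or drop `dir` from the transition, which is what the games_t block earlier in this series does. In the server section, giftd_t receives `corenet_tcp_bind_all_ports`, `corenet_udp_bind_all_ports` and `corenet_tcp_connect_all_ports`; the "ports can be random" comment explains the connect side, but binding is the larger exposure, and if this corenetwork version provides the all-unreserved-ports bind variants they would keep the daemon off well-known port types while still covering random high ports.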
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
new file mode 100644
index 00000000..13e72a7a
--- /dev/null
+++ b/policy/modules/contrib/git.fc
@@ -0,0 +1,11 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/contrib/git.if b/policy/modules/contrib/git.if
new file mode 100644
index 00000000..b0242d92
--- /dev/null
+++ b/policy/modules/contrib/git.if
@@ -0,0 +1,50 @@
+## <summary>GIT revision control system.</summary>
+
+########################################
+## <summary>
+## Role access for Git session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`git_role',`
+ gen_require(`
+ type git_session_t, gitd_exec_t, git_user_content_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
+
+ exec_files_pattern($2, git_user_content_t, git_user_content_t)
+ manage_files_pattern($2, git_user_content_t, git_user_content_t)
+ relabel_files_pattern($2, git_user_content_t, git_user_content_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+
+ tunable_policy(`git_session_users',`
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+ ',`
+ can_exec($2, gitd_exec_t)
+ ')
+')
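Review bot: `allow $2 git_session_t:process { ptrace signal_perms };` gives the user domain ptrace over the session daemon, which the sibling role interfaces in this series (gift_role, gnome_role) do not grant — they stop at `ps_process_pattern` and `signal_perms`. Unless debugging the daemon from the user session is a requirement, `allow $2 git_session_t:process signal_perms;` matches the others and keeps read access to the daemon's memory out of the default user policy. A point of style: the block is declared as `template(`git_role',...)` while its documentation and the comparable gift/gnome blocks use `interface`; if it generates no per-instance types it should be an interface.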
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
new file mode 100644
index 00000000..58c3c61a
--- /dev/null
+++ b/policy/modules/contrib/git.te
@@ -0,0 +1,226 @@
+policy_module(git, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_cgi_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git CGI
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_cgi_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether calling user domains
+## can execute Git daemon in the
+## git_session_t domain.
+## </p>
+## </desc>
+gen_tunable(git_session_users, false)
+
+## <desc>
+## <p>
+## Determine whether Git session daemons
+## can send syslog messages.
+## </p>
+## </desc>
+gen_tunable(git_session_send_syslog_msg, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether Git system daemon
+## can access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+attribute git_daemon;
+
+apache_content_template(git)
+
+type git_system_t, git_daemon;
+type gitd_exec_t;
+inetd_service_domain(git_system_t, gitd_exec_t)
+
+type git_session_t, git_daemon;
+userdom_user_application_domain(git_session_t, gitd_exec_t)
+
+type git_sys_content_t;
+files_type(git_sys_content_t)
+
+type git_user_content_t;
+userdom_user_home_content(git_user_content_t)
+
+########################################
+#
+# Git session policy
+#
+
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+corenet_all_recvfrom_netlabel(git_session_t)
+corenet_all_recvfrom_unlabeled(git_session_t)
+corenet_tcp_bind_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_if(git_session_t)
+corenet_tcp_sendrecv_generic_node(git_session_t)
+corenet_tcp_sendrecv_generic_port(git_session_t)
+corenet_tcp_bind_git_port(git_session_t)
+corenet_tcp_sendrecv_git_port(git_session_t)
+corenet_sendrecv_git_server_packets(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_send_syslog_msg',`
+ logging_send_syslog_msg(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(git_session_t)
+',`
+ fs_dontaudit_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(git_session_t)
+',`
+ fs_dontaudit_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# Git system policy
+#
+
+list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+files_search_var_lib(git_system_t)
+
+logging_send_syslog_msg(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs',`
+ fs_read_cifs_files(git_system_t)
+',`
+ fs_dontaudit_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs',`
+ fs_read_nfs_files(git_system_t)
+',`
+ fs_dontaudit_read_nfs_files(git_system_t)
+')
+
+########################################
+#
+# Git CGI policy
+#
+
+list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(httpd_git_script_t)
+
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+
+auth_use_nsswitch(httpd_git_script_t)
+
+tunable_policy(`git_cgi_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_cifs',`
+ fs_read_cifs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_cifs_files(httpd_git_script_t)
+')
+
+tunable_policy(`git_cgi_use_nfs',`
+ fs_read_nfs_files(httpd_git_script_t)
+',`
+ fs_dontaudit_read_nfs_files(httpd_git_script_t)
+')
+
+########################################
+#
+# Git global policy
+#
+
+allow git_daemon self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(git_daemon)
+
+corecmd_exec_bin(git_daemon)
+
+files_read_usr_files(git_daemon)
+
+fs_search_auto_mountpoints(git_daemon)
+
+auth_use_nsswitch(git_daemon)
+
+miscfiles_read_localization(git_daemon)
diff --git a/policy/modules/contrib/gitosis.fc b/policy/modules/contrib/gitosis.fc
new file mode 100644
index 00000000..24f64418
--- /dev/null
+++ b/policy/modules/contrib/gitosis.fc
@@ -0,0 +1,9 @@
+ifdef(`distro_debian',`
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+')
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/contrib/gitosis.if b/policy/modules/contrib/gitosis.if
new file mode 100644
index 00000000..e898b911
--- /dev/null
+++ b/policy/modules/contrib/gitosis.if
@@ -0,0 +1,86 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the gitosis domain, and
+## allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ type gitosis_t;
+ ')
+
+ gitosis_domtrans($1)
+ role $2 types gitosis_t;
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te
new file mode 100644
index 00000000..0eb75f41
--- /dev/null
+++ b/policy/modules/contrib/gitosis.te
@@ -0,0 +1,41 @@
+policy_module(gitosis, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+kernel_read_system_state(gitosis_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+dev_read_urand(gitosis_t)
+
+files_read_etc_files(gitosis_t)
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+sysnet_read_config(gitosis_t)
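Review bot: gitosis_t gets both `exec_files_pattern` and `manage_files_pattern` on gitosis_var_lib_t, plus `corecmd_exec_shell`, so everything the domain writes into the repository tree — including content that arrives through a push — is also executable by it. That is what git hooks require, but the policy should say so; a comment such as `# repository hooks under the gitosis lib tree are executed by gitosis-serve` above the exec rule documents the trade-off. If hooks live in a known subtree, a separate exec-only type for that subtree would let the rest of the lib content stay non-executable.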
diff --git a/policy/modules/contrib/glance.fc b/policy/modules/contrib/glance.fc
new file mode 100644
index 00000000..ed3528d2
--- /dev/null
+++ b/policy/modules/contrib/glance.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+
+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+
+/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
+
+/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
+
+/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
new file mode 100644
index 00000000..7ff9d6d9
--- /dev/null
+++ b/policy/modules/contrib/glance.if
@@ -0,0 +1,261 @@
+## <summary>policy for glance</summary>
+
+########################################
+## <summary>
+## Transition to glance registry.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_registry',`
+ gen_require(`
+ type glance_registry_t, glance_registry_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
+')
+
+########################################
+## <summary>
+## Transition to glance api.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glance_domtrans_api',`
+ gen_require(`
+ type glance_api_t, glance_api_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
+')
+
+########################################
+## <summary>
+## Read glance's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_read_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Append to glance log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_append_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Manage glance log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_log',`
+ gen_require(`
+ type glance_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, glance_log_t, glance_log_t)
+ manage_files_pattern($1, glance_log_t, glance_log_t)
+ manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
+')
+
+########################################
+## <summary>
+## Search glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_search_lib',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ allow $1 glance_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_files',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage glance lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_lib_dirs',`
+ gen_require(`
+ type glance_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_read_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage glance PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glance_manage_pid_files',`
+ gen_require(`
+ type glance_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an glance environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glance_admin',`
+ gen_require(`
+ type glance_registry_t, glance_api_t, glance_log_t;
+ type glance_var_lib_t, glance_var_run_t;
+ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
+ ')
+
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
+
+ allow $1 glance_api_t:process signal_perms;
+ ps_process_pattern($1, glance_api_t)
+
+ init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glance_registry_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
+ role_transition $2 glance_api_initrc_exec_t system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, glance_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glance_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glance_var_run_t)
+')
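Review bot: `glance_admin` covers the log, lib and pid types but not glance_tmp_t or glance_registry_tmp_t, which glance.te declares with files_tmp_file, so the admin role cannot clean up or relabel the daemons' tmp content the way it can the other types. Adding both types to the gen_require and then `files_search_tmp($1)` followed by `admin_pattern($1, { glance_tmp_t glance_registry_tmp_t })` closes the gap. Minor wording in the summary: "administrate an glance environment" reads better as "administer a glance environment".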
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
new file mode 100644
index 00000000..4afb81fe
--- /dev/null
+++ b/policy/modules/contrib/glance.te
@@ -0,0 +1,104 @@
+policy_module(glance, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute glance_domain;
+
+type glance_registry_t, glance_domain;
+type glance_registry_exec_t;
+init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
+type glance_registry_tmp_t;
+files_tmp_file(glance_registry_tmp_t)
+
+type glance_api_t, glance_domain;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
+
+type glance_api_initrc_exec_t;
+init_script_file(glance_api_initrc_exec_t)
+
+type glance_log_t;
+logging_log_file(glance_log_t)
+
+type glance_var_lib_t;
+files_type(glance_var_lib_t)
+
+type glance_tmp_t;
+files_tmp_file(glance_tmp_t)
+
+type glance_var_run_t;
+files_pid_file(glance_var_run_t)
+
+#######################################
+#
+# glance general domain local policy
+#
+
+allow glance_domain self:fifo_file rw_fifo_file_perms;
+allow glance_domain self:unix_stream_socket create_stream_socket_perms;
+allow glance_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
+manage_files_pattern(glance_domain, glance_log_t, glance_log_t)
+
+manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+
+manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+
+kernel_read_system_state(glance_domain)
+
+corecmd_exec_bin(glance_domain)
+
+dev_read_urand(glance_domain)
+
+files_read_etc_files(glance_domain)
+files_read_usr_files(glance_domain)
+
+miscfiles_read_localization(glance_domain)
+
+optional_policy(`
+ sysnet_dns_name_resolve(glance_domain)
+')
+
+########################################
+#
+# glance-registry local policy
+#
+
+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
+########################################
+#
+# glance-api local policy
+#
+
+manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+can_exec(glance_api_t, glance_tmp_t)
+
+corecmd_exec_shell(glance_api_t)
+
+corenet_tcp_bind_generic_node(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_connect_glance_registry_port(glance_api_t)
+
+dev_read_urand(glance_api_t)
+
+fs_getattr_xattr_fs(glance_api_t)
+
+libs_exec_ldconfig(glance_api_t)
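Review bot: `corenet_tcp_bind_hplip_port(glance_api_t)` binds the API service to a port type named for a printer daemon; presumably glance-api listens on a port that falls inside the hplip_port_t range, but nothing in the hunk says so, and anyone auditing which services share that port type will not find glance by name. At minimum add a comment above the rule stating that glance-api listens on a port labelled hplip_port_t (with the port number); the cleaner fix is a dedicated glance API port declaration in corenetwork. Also `dev_read_urand(glance_api_t)` repeats the glance_domain rule from the general section and can be dropped, and `can_exec(glance_api_t, glance_tmp_t)` lets the API execute files it itself creates in /tmp — if that is required, the reason belongs in a comment next to it so the write-plus-exec grant is not mistaken for an oversight.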
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
new file mode 100644
index 00000000..00a19e3c
--- /dev/null
+++ b/policy/modules/contrib/gnome.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
new file mode 100644
index 00000000..f5afe78d
--- /dev/null
+++ b/policy/modules/contrib/gnome.if
@@ -0,0 +1,190 @@
+## <summary>GNU network object model environment (GNOME)</summary>
+
+############################################################
+## <summary>
+## Role access for gnome
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gnome_role',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
+ ')
+
+ role $1 types gconfd_t;
+
+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+ allow gconfd_t $2:fd use;
+ allow gconfd_t $2:fifo_file write;
+ allow gconfd_t $2:unix_stream_socket connectto;
+
+ ps_process_pattern($2, gconfd_t)
+
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf config files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete gconf config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## gconf connection template.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gconf',`
+ gen_require(`
+ type gconfd_t, gconf_tmp_t;
+ ')
+
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Run gconfd in gconfd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ ')
+
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`gnome_read_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ read_files_pattern($1, gnome_home_t, gnome_home_t)
+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## manage gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir manage_dir_perms;
+ allow $1 gnome_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
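Review bot: `gnome_read_gconf_config` (L29905) and `gnome_read_config` (L30000) are declared with `template(` although each takes a single domain argument and references no derived types, so they should be `interface(` like their siblings; their parameter is also documented as `user_domain` where the rest of the file uses `domain`. In `gnome_role`, the final two rules are a copy of the body of `gnome_stream_connect_gconf` placed under a commented-out call to a name that does not exist in this file; the three lines can be replaced by `gnome_stream_connect_gconf($2)`. `gnome_role` also opens the transition with `domain_auto_trans` plus hand-written fd, fifo and socket rules while `gnome_domtrans_gconfd` in the same file uses `domtrans_pattern`; using `domtrans_pattern($2, gconfd_exec_t, gconfd_t)` in both keeps the transition rules consistent and, to my reading of that pattern, already supplies the fd-use and fifo-write rules added by hand here.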
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
new file mode 100644
index 00000000..783c5fbc
--- /dev/null
+++ b/policy/modules/contrib/gnome.te
@@ -0,0 +1,75 @@
+policy_module(gnome, 2.2.0)
+
+##############################
+#
+# Declarations
+#
+
+attribute gnomedomain;
+
+type gconf_etc_t;
+files_config_file(gconf_etc_t)
+
+type gconf_home_t;
+typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
+userdom_user_home_content(gconf_home_t)
+
+type gconf_tmp_t;
+typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
+typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+userdom_user_tmp_file(gconf_tmp_t)
+
+type gconfd_t, gnomedomain;
+type gconfd_exec_t;
+typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+
+type gnome_home_t;
+typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
+userdom_user_home_content(gnome_home_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
+
+files_read_etc_files(gconfd_t)
+
+miscfiles_read_localization(gconfd_t)
+
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+')
diff --git a/policy/modules/contrib/gnomeclock.fc b/policy/modules/contrib/gnomeclock.fc
new file mode 100644
index 00000000..462de63b
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.fc
@@ -0,0 +1,2 @@
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if
new file mode 100644
index 00000000..671d8fd2
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.if
@@ -0,0 +1,65 @@
+## <summary>Gnome clock handler for setting the time.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gnomeclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t, gnomeclock_exec_t;
+ ')
+
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+########################################
+## <summary>
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+ role $2 types gnomeclock_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
new file mode 100644
index 00000000..4fde46bc
--- /dev/null
+++ b/policy/modules/contrib/gnomeclock.te
@@ -0,0 +1,46 @@
+policy_module(gnomeclock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+clock_domtrans(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
+')
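Review bot: The `sys_ptrace` capability at L30211 is granted with no comment saying what gnomeclock needs it for, and combined with `userdom_read_all_users_state` it lets this system bus service inspect process state of every user on the host. If the denial only arises from reading other users' /proc entries, the usual refpolicy treatment is `dontaudit gnomeclock_t self:capability sys_ptrace;` rather than an allow; if ptrace is genuinely required, add a justification such as `# sys_ptrace: <reason - TODO confirm>` above the rule so the grant is not silently carried forward.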
diff --git a/policy/modules/contrib/gorg.fc b/policy/modules/contrib/gorg.fc
new file mode 100644
index 00000000..bbf5693a
--- /dev/null
+++ b/policy/modules/contrib/gorg.fc
@@ -0,0 +1,3 @@
+/etc/gorg(/.*)? gen_context(system_u:object_r:gorg_config_t,s0)
+/var/cache/gorg(/.*)? gen_context(system_u:object_r:gorg_cache_t,s0)
+/usr/bin/gorg -- gen_context(system_u:object_r:gorg_exec_t,s0)
diff --git a/policy/modules/contrib/gorg.if b/policy/modules/contrib/gorg.if
new file mode 100644
index 00000000..814d5593
--- /dev/null
+++ b/policy/modules/contrib/gorg.if
@@ -0,0 +1,34 @@
+## <summary>Policy for gorg</summary>
+
+#######################################
+## <summary>
+## Role access for gorg
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gorg_role',`
+ gen_require(`
+ type gorg_t, gorg_exec_t;
+ ')
+
+ role $1 types gorg_t;
+
+ domain_auto_trans($2, gorg_exec_t, gorg_t)
+ allow $2 gorg_t:process { noatsecure siginh rlimitinh };
+ allow gorg_t $2:fd use;
+ allow gorg_t $2:process { sigchld signull };
+
+ ps_process_pattern($2, gorg_t)
+ allow $2 gorg_t:process signal_perms;
+ # Needed for command-usage (pipe)
+ allow gorg_t $2:fifo_file write;
+')
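Review bot: `gorg_role` hand-assembles the domain transition with `domain_auto_trans` and four separate allow rules, and in doing so grants `$2 gorg_t:process { noatsecure siginh rlimitinh }`, which lets the caller start gorg with inherited rlimits and signal state and without AT_SECURE; the standard `domtrans_pattern` only dontaudits those permissions, so this is broader than every other transition interface in this patch (compare `gpg_domtrans`, `gnomeclock_domtrans`). Replacing L30280-L30283 with `domtrans_pattern($2, gorg_exec_t, gorg_t)` gives the fd-use, sigchld and fifo rules in the conventional form and drops the extra allow; the `allow gorg_t $2:fifo_file write;` line under the "command-usage (pipe)" comment can stay if a write-only rule is intended.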
diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te
new file mode 100644
index 00000000..b0c8ae33
--- /dev/null
+++ b/policy/modules/contrib/gorg.te
@@ -0,0 +1,63 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
+application_domain(gorg_t, gorg_exec_t)
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
+
+type gorg_config_t;
+files_type(gorg_config_t);
+
+###################################
+#
+# gorg_t local policy
+#
+allow gorg_t self:process signal;
+
+# Allow gorg_t to put files in the gorg_cache_t location(s)
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+
+# Allow gorg_t to read configuration file(s)
+allow gorg_t gorg_config_t:dir list_dir_perms;
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
+
+# gorg logs through /dev/log
+logging_send_syslog_msg(gorg_t)
+
+# Allow gorg to bind to port 8080 (http_cache_port_t)
+sysnet_read_config(gorg_t)
+sysnet_dns_name_resolve(gorg_t)
+corenet_all_recvfrom_unlabeled(gorg_t)
+corenet_all_recvfrom_netlabel(gorg_t)
+corenet_tcp_sendrecv_generic_if(gorg_t)
+corenet_tcp_sendrecv_generic_node(gorg_t)
+#corenet_tcp_sendrecv_all_ports(gorg_t)
+corenet_tcp_bind_generic_node(gorg_t)
+corenet_tcp_bind_http_cache_port(gorg_t)
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow gorg_t self:tcp_socket { listen accept };
+
+# Allow gorg read access to user home files (usually where cvs/git pull is stored)
+files_search_home(gorg_t)
+userdom_search_user_home_dirs(gorg_t)
+userdom_user_home_content(gorg_t)
+userdom_list_user_home_content(gorg_t)
+userdom_read_user_home_content_symlinks(gorg_t)
+userdom_read_user_home_content_files(gorg_t)
+
+# Local policy
+allow gorg_t self:fifo_file rw_fifo_file_perms;
+
+# Read /etc files (xml/catalog, hosts.conf, ...)
+files_read_etc_files(gorg_t)
+miscfiles_read_localization(gorg_t)
+
+# Gorg is ruby, so be able to execute ruby
+corecmd_exec_bin(gorg_t)
+
+# Output to screen
+userdom_use_user_terminals(gorg_t)
+domain_use_interactive_fds(gorg_t)
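Review bot: `userdom_user_home_content(gorg_t)` at L30341 applies a file-type interface to the process domain gorg_t, which would mark the domain itself as user home content rather than grant it any read access; the surrounding `userdom_search_user_home_dirs`, `userdom_list_user_home_content` and `userdom_read_user_home_content_files` calls already express what the comment describes, so that line should be removed. The trailing `;` after `files_type(gorg_cache_t)` and `files_type(gorg_config_t)` (L30303, L30306) is not part of interface-call syntax and is inconsistent with every other call in the file. The comment at L30325 says "bind to port 8080" but heads a block that also adds DNS resolution, netlabel receive and a netlink route socket; a comment naming each of those needs would make the grant reviewable.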
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
new file mode 100644
index 00000000..8617d55b
--- /dev/null
+++ b/policy/modules/contrib/gpg.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
new file mode 100644
index 00000000..6d50300c
--- /dev/null
+++ b/policy/modules/contrib/gpg.if
@@ -0,0 +1,181 @@
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
+
+############################################################
+## <summary>
+## Role access for gpg
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`gpg_role',`
+ gen_require(`
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
+ type gpg_pinentry_tmp_t;
+ ')
+
+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
+
+ # transition from the userdomain to the derived domain
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
+
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file write;
+
+ # allow ps to show gpg-agent
+ ps_process_pattern($2, gpg_agent_t)
+
+ # Allow the user shell to signal the gpg-agent program.
+ allow $2 gpg_agent_t:process { signal sigkill };
+
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+ optional_policy(`
+ gpg_pinentry_dbus_chat($2)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Transition to a user gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpg_domtrans',`
+ gen_require(`
+ type gpg_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
+')
+
+########################################
+## <summary>
+## Execute the gpg application without transitioning
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute gpg
+## </summary>
+## </param>
+#
+interface(`gpg_exec',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ can_exec($1, gpg_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to user gpg processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_signal',`
+ gen_require(`
+ type gpg_t;
+ ')
+
+ allow $1 gpg_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write GPG agent pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_rw_agent_pipes',`
+ # Just wants read/write could this be a leak?
+ gen_require(`
+ type gpg_agent_t;
+ ')
+
+ allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send messages to and from GPG
+## Pinentry over DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_pinentry_dbus_chat',`
+ gen_require(`
+ type gpg_pinentry_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gpg_pinentry_t:dbus send_msg;
+ allow gpg_pinentry_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## List Gnu Privacy Guard user secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_list_user_secrets',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_search_user_home_dirs($1)
+')
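Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` at L30430 is a rule on gpg_agent_t, not on the role's domain `$2`, so it does not belong in `gpg_role` and is in any case duplicated verbatim in the agent section of gpg.te (L30785); drop it here. In `gpg_rw_agent_pipes`, the line `# Just wants read/write could this be a leak?` sits between the interface header and `gen_require` and reads as an unresolved review question rather than documentation; either settle it or record the answer in the XML summary so callers know whether the interface is expected to be used.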
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
new file mode 100644
index 00000000..8a2bd802
--- /dev/null
+++ b/policy/modules/contrib/gpg.te
@@ -0,0 +1,358 @@
+policy_module(gpg, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+## </p>
+## </desc>
+gen_tunable(gpg_agent_env_file, false)
+
+type gpg_t;
+type gpg_exec_t;
+typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+userdom_user_application_domain(gpg_t, gpg_exec_t)
+role system_r types gpg_t;
+
+type gpg_agent_t;
+type gpg_agent_exec_t;
+typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
+typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
+userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
+
+type gpg_agent_tmp_t;
+typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
+typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
+userdom_user_tmp_file(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
+typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
+userdom_user_home_content(gpg_secret_t)
+
+type gpg_helper_t;
+type gpg_helper_exec_t;
+typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
+typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
+role system_r types gpg_helper_t;
+
+type gpg_pinentry_t;
+type pinentry_exec_t;
+typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
+typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
+userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
+
+type gpg_pinentry_tmp_t;
+userdom_user_tmp_file(gpg_pinentry_tmp_t)
+
+type gpg_pinentry_tmpfs_t;
+userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+
+kernel_read_sysctl(gpg_t)
+
+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
+corenet_tcp_sendrecv_generic_node(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+userdom_use_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+mta_write_config(gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(gpg_t)
+ mozilla_write_user_home_files(gpg_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
+')
+
+########################################
+#
+# GPG helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
+corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+userdom_use_user_terminals(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# Allow the gpg-agent to manage its tmp files (socket)
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_search_bin(gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)
+
+dev_read_urand(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(gpg_agent_t)
+
+ifdef(`hide_broken_symptoms',`
+ userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+')
+
+tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
+
+auth_use_nsswitch(gpg_pinentry_t)
+
+logging_send_syslog_msg(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ mutt_read_home_files(gpg_t)
+ mutt_read_tmp_files(gpg_t)
+ mutt_rw_tmp_files(gpg_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(gpg_pinentry_t)
+ pulseaudio_rw_home_files(gpg_pinentry_t)
+ pulseaudio_setattr_home_dir(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
+ pulseaudio_signull(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+')
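Review bot: gpg_t is given `corenet_tcp_connect_all_ports` and TCP/UDP send/receive on all ports (L30657-L30666) without a comment, even though gpg_helper_t exists in this same file specifically for network key fetches and carries its own all-ports rules; since gpg_t is the domain that manages gpg_secret_t, an unexplained unrestricted outbound grant on it deserves a justification such as `# gpg_t itself needs outbound TCP for <reason - TODO confirm>; keyserver fetches are otherwise confined to gpg_helper_t`. Separately, the `mutt_*` optional_policy block at L30910-L30914 applies to gpg_t but is placed in the Pinentry section; moving it up with the other gpg_t optional blocks keeps the sections honest. The stray space before the semicolon at L30773 (`create_stream_socket_perms ;`) is a minor style nit.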
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
new file mode 100644
index 00000000..6fc9661e
--- /dev/null
+++ b/policy/modules/contrib/gpm.fc
@@ -0,0 +1,7 @@
+
+/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0)
+/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0)
+
+/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0)
+
+/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
new file mode 100644
index 00000000..7d972985
--- /dev/null
+++ b/policy/modules/contrib/gpm.if
@@ -0,0 +1,81 @@
+## <summary>General Purpose Mouse driver</summary>
+
+########################################
+## <summary>
+## Connect to GPM over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_stream_connect',`
+ gen_require(`
+ type gpmctl_t, gpm_t;
+ ')
+
+ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+ allow $1 gpm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Get the attributes of the GPM
+## control channel named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the GPM control channel
+## named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gpm_dontaudit_getattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dontaudit $1 gpmctl_t:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the GPM
+## control channel named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpm_setattr_gpmctl',`
+ gen_require(`
+ type gpmctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 gpmctl_t:sock_file setattr;
+')
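Review bot: `gpm_stream_connect` grants `rw_sock_file_perms` on `gpmctl_t` and `connectto` on `gpm_t` but, unlike `gpm_getattr_gpmctl` and `gpm_setattr_gpmctl` in the same file, does not grant `dev_list_all_dev_nodes($1)`, so a caller with no other /dev access may be unable to search the directory that holds the socket gpm.fc labels as `gpmctl_t`. The two allow rules are also the hand-expanded form of the standard `stream_connect_pattern` macro; `dev_list_all_dev_nodes($1)` followed by `stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)` keeps the same grants and matches how the sibling interfaces are written.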
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
new file mode 100644
index 00000000..a627b345
--- /dev/null
+++ b/policy/modules/contrib/gpm.te
@@ -0,0 +1,79 @@
+policy_module(gpm, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t, gpm_exec_t)
+
+type gpm_conf_t;
+files_type(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:process { getcap setcap };
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+
+manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file manage_file_perms;
+files_pid_filetrans(gpm_t, gpm_var_run_t, file)
+
+allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+files_read_etc_files(gpm_t)
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+miscfiles_read_localization(gpm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+ udev_read_db(gpm_t)
+')
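Review bot: The capability line `allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };` carries no explanation, and `dac_override` and `sys_admin` are the two broadest grants in this module. A short comment above it naming what each is needed for, e.g. `# dac_override/sys_admin: required for <reason - confirm against gpm source>`, would let a later reviewer judge whether either can be reduced to a `dontaudit`. The same applies to `fs_getattr_all_fs(gpm_t)`, whose purpose for a console mouse daemon is not obvious from the surrounding rules.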
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
new file mode 100644
index 00000000..5e81e334
--- /dev/null
+++ b/policy/modules/contrib/gpsd.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
new file mode 100644
index 00000000..c0ee676e
--- /dev/null
+++ b/policy/modules/contrib/gpsd.if
@@ -0,0 +1,66 @@
+## <summary>gpsd monitor daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gpsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpsd_domtrans',`
+ gen_require(`
+ type gpsd_t, gpsd_exec_t;
+ ')
+
+ domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+## <summary>
+## Execute gpsd in the gpsd domain, and
+## allow the specified role the gpsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_run',`
+ gen_require(`
+ type gpsd_t;
+ ')
+
+ gpsd_domtrans($1)
+ role $2 types gpsd_t;
+')
+
+########################################
+## <summary>
+## Read and write gpsd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpsd_rw_shm',`
+ gen_require(`
+ type gpsd_t, gpsd_tmpfs_t;
+ ')
+
+ allow $1 gpsd_t:shm rw_shm_perms;
+ allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
new file mode 100644
index 00000000..03742d88
--- /dev/null
+++ b/policy/modules/contrib/gpsd.te
@@ -0,0 +1,64 @@
+policy_module(gpsd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(gpsd_t)
+')
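Review bot: `allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };` has no comment saying why a GPS daemon needs `fowner` and `fsetid`; they presumably pair with `term_setattr_unallocated_ttys(gpsd_t)` a few lines down (changing mode or ownership of the serial device it opens), but that should be stated rather than left to inference, e.g. `# fowner/fsetid: setattr on the GPS serial tty, see term_setattr_unallocated_ttys below - confirm`. Separately, `corenet_tcp_sendrecv_all_ports(gpsd_t)` sits next to the deliberately narrow `corenet_tcp_bind_gpsd_port(gpsd_t)`; if gpsd only ever talks on its own port, the sendrecv rule could be narrowed to the per-port interface corenetwork generates alongside the bind one, otherwise a one-line comment explaining the wider grant would help.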
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/contrib/guest.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/contrib/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/contrib/guest.if b/policy/modules/contrib/guest.if
new file mode 100644
index 00000000..8906a329
--- /dev/null
+++ b/policy/modules/contrib/guest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+## Change to the guest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow $1 guest_r;
+')
+
+########################################
+## <summary>
+## Change from the guest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the guest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`guest_role_change_to',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow guest_r $1;
+')
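Review bot: The module summary on the first line of the hunk misspells "privilege" (`## <summary>Least privledge terminal user role</summary>`); this string is what the generated interface documentation shows for the module, so it should read `## <summary>Least privilege terminal user role</summary>`. It is worth fixing before the file lands, since the summary is copied into every doc build from then on.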
diff --git a/policy/modules/contrib/guest.te b/policy/modules/contrib/guest.te
new file mode 100644
index 00000000..1cb73118
--- /dev/null
+++ b/policy/modules/contrib/guest.te
@@ -0,0 +1,17 @@
+policy_module(guest, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+role guest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(guest_u,, guest_r, s0, s0)
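Review bot: The "Local policy" section holds only the commented-out `#gen_user(guest_u,, guest_r, s0, s0)` with no note on why it is disabled or whether it is meant to be re-enabled. A one-line comment stating the intent (for instance that the `guest_u` SELinux user is expected to be created at install time rather than compiled into the module, if that is the reason) would stop a future reader from uncommenting it blindly. If it is simply dead, dropping it leaves the section honestly empty.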
diff --git a/policy/modules/contrib/hadoop.fc b/policy/modules/contrib/hadoop.fc
new file mode 100644
index 00000000..633c4701
--- /dev/null
+++ b/policy/modules/contrib/hadoop.fc
@@ -0,0 +1,59 @@
+/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+
+/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0)
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0)
+
+/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
+
+/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
+/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0)
+/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0)
+/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0)
+/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0)
+
+/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0)
+/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0)
+
+/var/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
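Review bot: Several directory entries in this hunk are written as a bare `hadoop.*` with no `(/.*)?` suffix - `/etc/hadoop.*`, `/var/lib/hadoop.*` and `/var/log/hadoop.*` - so the whole subtree is matched only because `.*` happens to span `/`, and a reader cannot tell whether a subtree or a single name was intended. Writing them as `/etc/hadoop.*(/.*)?` (and likewise for the `/var/lib` and `/var/log` entries) makes the subtree intent explicit and matches the style of the `(/.*)?` entries below them; if only `hadoop`-prefixed names at that level are meant, something tighter such as `/etc/hadoop[^/]*(/.*)?` would express that. The `-d` on `/var/run/hadoop.*` is the opposite case and reads fine as written, since the pid files are listed individually.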
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
new file mode 100644
index 00000000..2d0b4e1a
--- /dev/null
+++ b/policy/modules/contrib/hadoop.if
@@ -0,0 +1,534 @@
+## <summary>Software for reliable, scalable, distributed computing.</summary>
+
+#######################################
+## <summary>
+## The template to define a hadoop domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`hadoop_domain_template',`
+ gen_require(`
+ attribute hadoop_domain;
+ type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
+ type hadoop_exec_t, hadoop_hsperfdata_t;
+ ')
+
+ ########################################
+ #
+ # Shared declarations.
+ #
+
+ type hadoop_$1_t, hadoop_domain;
+ domain_type(hadoop_$1_t)
+ domain_entry_file(hadoop_$1_t, hadoop_exec_t)
+ role system_r types hadoop_$1_t;
+
+ type hadoop_$1_initrc_t;
+ type hadoop_$1_initrc_exec_t;
+ init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
+ role system_r types hadoop_$1_initrc_t;
+
+ type hadoop_$1_initrc_var_run_t;
+ files_pid_file(hadoop_$1_initrc_var_run_t)
+
+ type hadoop_$1_lock_t;
+ files_lock_file(hadoop_$1_lock_t)
+
+ type hadoop_$1_log_t;
+ logging_log_file(hadoop_$1_log_t)
+
+ type hadoop_$1_tmp_t;
+ files_tmp_file(hadoop_$1_tmp_t)
+
+ type hadoop_$1_var_lib_t;
+ files_type(hadoop_$1_var_lib_t)
+
+ ####################################
+ #
+ # Shared hadoop_$1 policy.
+ #
+
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
+ allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:udp_socket create_socket_perms;
+ dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow hadoop_$1_t hadoop_domain:process signull;
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_t)
+
+ manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
+ files_search_var_lib(hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
+
+ allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
+ files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
+
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+ kernel_read_network_state(hadoop_$1_t)
+ kernel_read_system_state(hadoop_$1_t)
+
+ corecmd_exec_bin(hadoop_$1_t)
+ corecmd_exec_shell(hadoop_$1_t)
+
+ corenet_all_recvfrom_unlabeled(hadoop_$1_t)
+ corenet_all_recvfrom_netlabel(hadoop_$1_t)
+ corenet_tcp_bind_all_nodes(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
+ corenet_udp_bind_generic_node(hadoop_$1_t)
+ # Hadoop uses high ordered random ports for services
+ # If permanent ports are chosen, remove line below and lock down
+ corenet_tcp_connect_generic_port(hadoop_$1_t)
+
+ dev_read_rand(hadoop_$1_t)
+ dev_read_urand(hadoop_$1_t)
+ dev_read_sysfs(hadoop_$1_t)
+
+ files_read_etc_files(hadoop_$1_t)
+
+ auth_domtrans_chkpwd(hadoop_$1_t)
+
+ hadoop_match_lan_spd(hadoop_$1_t)
+
+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
+ miscfiles_read_localization(hadoop_$1_t)
+
+ sysnet_read_config(hadoop_$1_t)
+
+ hadoop_exec_config(hadoop_$1_t)
+
+ java_exec(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+
+ su_exec(hadoop_$1_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_t)
+ ')
+
+ ####################################
+ #
+ # Shared hadoop_$1 initrc policy.
+ #
+
+ allow hadoop_$1_initrc_t self:capability { setuid setgid };
+ dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
+ allow hadoop_$1_initrc_t self:process setsched;
+ allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;
+
+ allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
+
+ domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
+ files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
+ files_search_locks(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_initrc_t)
+
+ manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+
+ kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
+ kernel_read_sysctl(hadoop_$1_initrc_t)
+ kernel_read_system_state(hadoop_$1_initrc_t)
+
+ corecmd_exec_bin(hadoop_$1_initrc_t)
+ corecmd_exec_shell(hadoop_$1_initrc_t)
+
+ files_read_etc_files(hadoop_$1_initrc_t)
+ files_read_usr_files(hadoop_$1_initrc_t)
+
+ consoletype_exec(hadoop_$1_initrc_t)
+
+ fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
+
+ term_use_generic_ptys(hadoop_$1_initrc_t)
+
+ hadoop_exec_config(hadoop_$1_initrc_t)
+
+ init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
+ init_use_script_ptys(hadoop_$1_initrc_t)
+
+ logging_send_syslog_msg(hadoop_$1_initrc_t)
+ logging_send_audit_msgs(hadoop_$1_initrc_t)
+
+ miscfiles_read_localization(hadoop_$1_initrc_t)
+
+ userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_initrc_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for hadoop.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hadoop_role',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ hadoop_domtrans($2)
+ role $1 types hadoop_t;
+
+ allow $2 hadoop_t:process { ptrace signal_perms };
+ ps_process_pattern($2, hadoop_t)
+
+ hadoop_domtrans_zookeeper_client($2)
+ role $1 types zookeeper_t;
+
+ allow $2 zookeeper_t:process { ptrace signal_perms };
+ ps_process_pattern($2, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Execute hadoop in the
+## hadoop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans',`
+ gen_require(`
+ type hadoop_t, hadoop_exec_t;
+ ')
+
+ domtrans_pattern($1, hadoop_exec_t, hadoop_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper client in the
+## zookeeper client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t, zookeeper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t, zookeeper_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Execute zookeeper server in the
+## zookeeper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hadoop_initrc_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_datanode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_datanode',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to read
+## hadoop_etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing read permission
+## </summary>
+## </param>
+#
+interface(`hadoop_read_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+ read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## execute hadoop_etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing read and execute
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_exec_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ hadoop_read_config($1)
+ allow $1 hadoop_etc_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_jobtracker',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing polmatch
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_match_lan_spd',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_namenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_namenode',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_secondarynamenode',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_tasktracker',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
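Review bot: `hadoop_role` uses `zookeeper_t` in `role $1 types zookeeper_t;` and in the `allow $2 zookeeper_t:process { ptrace signal_perms };` / `ps_process_pattern($2, zookeeper_t)` rules, but its `gen_require` declares only `type hadoop_t;`; the require block should read `type hadoop_t, zookeeper_t;` so the interface states every type it depends on. In `hadoop_domain_template`, `consoletype_exec`, `java_exec`, `kerberos_use` and `su_exec` are called unconditionally while `nscd_socket_use` is correctly wrapped in `optional_policy`; each of those appears to come from another module that this diff does not make a hard dependency of hadoop, so they should be wrapped in their own `optional_policy(` ... `)` blocks the same way, otherwise the module may fail to build or load when those modules are absent. `allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };` would also benefit from a comment on `execmem`, presumably needed by the JVM given the `java_exec` call, since it is a notable grant.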
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
new file mode 100644
index 00000000..c81c58ad
--- /dev/null
+++ b/policy/modules/contrib/hadoop.te
@@ -0,0 +1,435 @@
+policy_module(hadoop, 1.2.0)
+
+########################################
+#
+# Declarations.
+#
+
+attribute hadoop_domain;
+
+type hadoop_t;
+type hadoop_exec_t;
+userdom_user_application_domain(hadoop_t, hadoop_exec_t)
+
+type hadoop_etc_t;
+files_config_file(hadoop_etc_t)
+
+type hadoop_home_t;
+userdom_user_home_content(hadoop_home_t)
+
+type hadoop_lan_t;
+corenet_spd_type(hadoop_lan_t)
+
+type hadoop_log_t;
+logging_log_file(hadoop_log_t)
+
+type hadoop_tmp_t;
+userdom_user_tmp_file(hadoop_tmp_t)
+
+type hadoop_var_lib_t;
+files_type(hadoop_var_lib_t)
+
+type hadoop_var_run_t;
+files_pid_file(hadoop_var_run_t)
+
+type hadoop_hsperfdata_t;
+userdom_user_tmp_file(hadoop_hsperfdata_t)
+
+hadoop_domain_template(datanode)
+hadoop_domain_template(jobtracker)
+hadoop_domain_template(namenode)
+hadoop_domain_template(secondarynamenode)
+hadoop_domain_template(tasktracker)
+
+type zookeeper_t;
+type zookeeper_exec_t;
+userdom_user_application_domain(zookeeper_t, zookeeper_exec_t)
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+
+type zookeeper_server_t;
+type zookeeper_server_exec_t;
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+
+type zookeeper_server_initrc_exec_t;
+init_script_file(zookeeper_server_initrc_exec_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+
+type zookeeper_server_var_t;
+files_type(zookeeper_server_var_t)
+
+# This will need a file context specification.
+type zookeeper_server_var_run_t;
+files_pid_file(zookeeper_server_var_run_t)
+
+type zookeeper_tmp_t;
+userdom_user_tmp_file(zookeeper_tmp_t)
+
+########################################
+#
+# Hadoop policy.
+#
+
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem };
+allow hadoop_t self:fifo_file rw_fifo_file_perms;
+allow hadoop_t self:key write;
+allow hadoop_t self:tcp_socket create_stream_socket_perms;
+allow hadoop_t self:udp_socket create_socket_perms;
+dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow hadoop_t hadoop_domain:process signull;
+
+hadoop_match_lan_spd(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_t)
+hadoop_recvfrom_jobtracker(hadoop_t)
+hadoop_recvfrom_namenode(hadoop_t)
+hadoop_recvfrom_tasktracker(hadoop_t)
+
+read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+can_exec(hadoop_t, hadoop_etc_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
+allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
+
+manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file })
+
+manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+files_search_var_lib(hadoop_t)
+
+getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
+
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_all_recvfrom_netlabel(hadoop_t)
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_udp_sendrecv_generic_if(hadoop_t)
+corenet_tcp_sendrecv_generic_node(hadoop_t)
+corenet_udp_sendrecv_generic_node(hadoop_t)
+corenet_tcp_bind_generic_node(hadoop_t)
+corenet_udp_bind_generic_node(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+corenet_udp_sendrecv_all_ports(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+corenet_tcp_connect_zope_port(hadoop_t)
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t)
+corenet_sendrecv_portmap_client_packets(hadoop_t)
+corenet_sendrecv_zope_client_packets(hadoop_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+dev_read_urand(hadoop_t)
+
+domain_use_interactive_fds(hadoop_t)
+
+files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
+files_read_usr_files(hadoop_t)
+
+fs_getattr_xattr_fs(hadoop_t)
+
+miscfiles_read_localization(hadoop_t)
+
+sysnet_read_config(hadoop_t)
+
+userdom_use_user_terminals(hadoop_t)
+
+java_exec(hadoop_t)
+
+kerberos_use(hadoop_t)
+
+optional_policy(`
+ nis_use_ypbind(hadoop_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hadoop_t)
+')
+
+########################################
+#
+# Hadoop datanode policy.
+#
+
+allow hadoop_datanode_t self:process signal;
+
+manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
+
+fs_getattr_xattr_fs(hadoop_datanode_t)
+
+allow hadoop_datanode_t self:peer recv;
+hadoop_recvfrom_jobtracker(hadoop_datanode_t)
+hadoop_recvfrom_namenode(hadoop_datanode_t)
+hadoop_recvfrom(hadoop_datanode_t)
+hadoop_recvfrom_tasktracker(hadoop_datanode_t)
+
+########################################
+#
+# Hadoop jobtracker policy.
+#
+
+create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+
+manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
+
+allow hadoop_jobtracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_jobtracker_t)
+hadoop_recvfrom_namenode(hadoop_jobtracker_t)
+hadoop_recvfrom(hadoop_jobtracker_t)
+hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
+
+########################################
+#
+# Hadoop namenode policy.
+#
+
+manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+
+allow hadoop_namenode_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_namenode_t)
+hadoop_recvfrom_jobtracker(hadoop_namenode_t)
+hadoop_recvfrom(hadoop_namenode_t)
+hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
+hadoop_recvfrom_tasktracker(hadoop_namenode_t)
+
+########################################
+#
+# Hadoop secondary namenode policy.
+#
+
+manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
+
+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
+
+########################################
+#
+# Hadoop tasktracker policy.
+#
+
+allow hadoop_tasktracker_t self:process signal;
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t)
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
+
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
+
+fs_getattr_xattr_fs(hadoop_tasktracker_t)
+
+allow hadoop_tasktracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_tasktracker_t)
+hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
+hadoop_recvfrom(hadoop_tasktracker_t)
+hadoop_recvfrom_namenode(hadoop_tasktracker_t)
+
+########################################
+#
+# Hadoop zookeeper client policy.
+#
+
+allow zookeeper_t self:process { getsched sigkill signal signull execmem };
+allow zookeeper_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_t self:udp_socket create_socket_perms;
+dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_t)
+hadoop_recvfrom_zookeeper_server(zookeeper_t)
+
+read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+
+can_exec(zookeeper_t, zookeeper_exec_t)
+
+allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
+
+allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
+
+allow zookeeper_t zookeeper_server_t:process signull;
+
+manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t)
+filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
+
+kernel_read_network_state(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+corenet_all_recvfrom_netlabel(zookeeper_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_t)
+corenet_udp_sendrecv_generic_node(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_tcp_bind_generic_node(zookeeper_t)
+corenet_udp_bind_generic_node(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_t)
+
+dev_read_rand(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+dev_read_urand(zookeeper_t)
+
+domain_use_interactive_fds(zookeeper_t)
+
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+
+miscfiles_read_localization(zookeeper_t)
+
+sysnet_read_config(zookeeper_t)
+
+userdom_use_user_terminals(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+java_exec(zookeeper_t)
+
+optional_policy(`
+ nscd_socket_use(zookeeper_t)
+')
+
+########################################
+#
+# Hadoop zookeeper server policy.
+#
+
+allow zookeeper_server_t self:capability kill;
+allow zookeeper_server_t self:process { execmem getsched sigkill signal signull };
+allow zookeeper_server_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_server_t self:udp_socket create_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+hadoop_recvfrom_zookeeper_client(zookeeper_server_t)
+
+allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
+
+read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+
+manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
+
+allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
+filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t)
+files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)
+
+can_exec(zookeeper_server_t, zookeeper_server_exec_t)
+
+kernel_read_network_state(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+corenet_all_recvfrom_netlabel(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
+corenet_udp_sendrecv_generic_node(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_udp_sendrecv_all_ports(zookeeper_server_t)
+corenet_tcp_bind_generic_node(zookeeper_server_t)
+corenet_udp_bind_generic_node(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+
+dev_read_rand(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+
+fs_getattr_xattr_fs(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+
+miscfiles_read_localization(zookeeper_server_t)
+
+sysnet_read_config(zookeeper_server_t)
+
+java_exec(zookeeper_server_t)
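Review bot: The `can_exec(hadoop_t, hadoop_etc_t)` rule right after the hadoop_etc_t read rules in the hadoop_t section lets this user-application domain execute anything carrying the config label, which blurs the config/code boundary: any file that ends up writable under hadoop_etc_t becomes an execution vector into hadoop_t. If the rule exists only because bin/hadoop sources hadoop-env.sh, sourcing needs read, not execute, and the line can be dropped; if something under /etc/hadoop really is executed directly (not visible from this diff), label those specific scripts with an exec type or bin_t instead of making every config file executable. Separately, zookeeper_server_t gets `allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;` while hadoop_t and zookeeper_t only dontaudit the same access; if the server merely enumerates interfaces like the other JVM domains, `r_netlink_socket_perms` (or the same dontaudit) suffices and keeps nlmsg_write out of the daemon. The broad sendrecv_all_ports and connect_generic_port rules are already called out by the inline comments and are not re-raised here.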
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
new file mode 100644
index 00000000..2b6e3a97
--- /dev/null
+++ b/policy/modules/contrib/hal.fc
@@ -0,0 +1,33 @@
+
+/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+
+/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log.* gen_context(system_u:object_r:hald_log_t,s0)
+
+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+')
diff --git a/policy/modules/contrib/hal.if b/policy/modules/contrib/hal.if
new file mode 100644
index 00000000..7cf67639
--- /dev/null
+++ b/policy/modules/contrib/hal.if
@@ -0,0 +1,433 @@
+## <summary>Hardware abstraction layer</summary>
+
+########################################
+## <summary>
+## Execute hal in the hal domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans',`
+ gen_require(`
+ type hald_t, hald_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_exec_t, hald_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of a hal process.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+## Read hal system state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ ps_process_pattern($1, hald_t)
+')
+
+########################################
+## <summary>
+## Allow ptrace of hal domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_ptrace',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Allow domain to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write to
+## hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send to hal over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dgram_send',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Send to hal over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_stream_connect',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a hal unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Send a dbus message to hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_send',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## hal over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dbus_chat',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+ allow hald_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute hal mac in the hal mac domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to write the hal
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 hald_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the hal
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+## <summary>
+## Manage hald log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ # log files for hald
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+ logging_log_filetrans($1, hald_log_t, file)
+')
+
+########################################
+## <summary>
+## Read hald tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_tmp_files',`
+ gen_require(`
+ type hald_tmp_t;
+ ')
+
+ allow $1 hald_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## HAL libraries files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_append_lib_files',`
+ gen_require(`
+ type hald_var_lib_t;
+ ')
+
+ dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
+')
+
+########################################
+## <summary>
+## Read hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage hald PID dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
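Review bot: `hal_ptrace` hands out `allow $1 hald_t:process ptrace;` with a summary that does not say what the caller gains: hald_t runs with sys_admin, sys_rawio, dac_override, setuid and setgid (declared in hal.te's local policy further down this diff), so ptrace on it is effectively full control of a root-capable daemon, and the summary should warn `## Ptrace on hald_t gives the caller control of a daemon holding sys_admin, sys_rawio and dac_override; restrict to debugging domains.` Also, `hal_read_tmp_files` grants `read_file_perms` on hald_tmp_t but, unlike the PID-file interfaces that call `files_search_pids($1)`, never calls `files_search_tmp($1)`, so a caller without its own /tmp search rule is still denied. Finally, `hal_dontaudit_append_lib_files` is named "append", its summary says "read or write", and the rule dontaudits `{ read_file_perms append_file_perms }`; the summary should read "read or append" so the documentation matches the rule.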
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
new file mode 100644
index 00000000..e0476cbd
--- /dev/null
+++ b/policy/modules/contrib/hal.te
@@ -0,0 +1,531 @@
+policy_module(hal, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type hald_t;
+type hald_exec_t;
+init_daemon_domain(hald_t, hald_exec_t)
+
+type hald_acl_t;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
+domain_entry_file(hald_acl_t, hald_acl_exec_t)
+role system_r types hald_acl_t;
+
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
+type hald_keymap_t;
+type hald_keymap_exec_t;
+domain_type(hald_keymap_t)
+domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
+role system_r types hald_keymap_t;
+
+type hald_log_t;
+logging_log_file(hald_log_t)
+
+type hald_mac_t;
+type hald_mac_exec_t;
+domain_type(hald_mac_t)
+domain_entry_file(hald_mac_t, hald_mac_exec_t)
+role system_r types hald_mac_t;
+
+type hald_sonypic_t;
+type hald_sonypic_exec_t;
+domain_type(hald_sonypic_t)
+domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
+role system_r types hald_sonypic_t;
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+type hald_var_lib_t;
+files_type(hald_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# execute openvt which needs setuid
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+allow hald_t self:process { getsched getattr signal_perms };
+allow hald_t self:fifo_file rw_fifo_file_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow hald_t self:unix_dgram_socket create_socket_perms;
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:tcp_socket create_stream_socket_perms;
+allow hald_t self:udp_socket create_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)
+
+# log files for hald
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
+logging_log_filetrans(hald_t, hald_log_t, file)
+
+manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
+# var/lib files for hald
+manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_software_raid_state(hald_t)
+kernel_rw_kernel_sysctl(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
+kernel_setsched(hald_t)
+kernel_request_load_module(hald_t)
+
+auth_read_pam_console_data(hald_t)
+
+corecmd_exec_all_executables(hald_t)
+
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
+corenet_tcp_sendrecv_generic_if(hald_t)
+corenet_udp_sendrecv_generic_if(hald_t)
+corenet_tcp_sendrecv_generic_node(hald_t)
+corenet_udp_sendrecv_generic_node(hald_t)
+corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_udp_sendrecv_all_ports(hald_t)
+
+dev_rw_usbfs(hald_t)
+dev_read_rand(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_read_mouse(hald_t)
+dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
+dev_getattr_all_chr_files(hald_t)
+dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
+dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
+
+domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
+files_manage_mnt_symlinks(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
+files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
+files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
+fs_list_inotifyfs(hald_t)
+fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+fs_rw_removable_blk_files(hald_t)
+
+files_getattr_all_mountpoints(hald_t)
+
+mls_file_read_all_levels(hald_t)
+
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_use_unallocated_ttys(hald_t)
+
+auth_use_nsswitch(hald_t)
+
+fstools_getattr_swap_files(hald_t)
+
+init_domtrans_script(hald_t)
+init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
+init_telinit(hald_t)
+
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_audit_msgs(hald_t)
+logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
+
+miscfiles_read_localization(hald_t)
+miscfiles_read_hwdata(hald_t)
+
+modutils_domtrans_insmod(hald_t)
+modutils_read_module_deps(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+seutil_read_file_contexts(hald_t)
+
+sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_dhcp_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
+
+optional_policy(`
+ alsa_domtrans(hald_t)
+ alsa_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-addon-acpi
+ # writes to /var/run/acpid.socket
+ apm_stream_connect(hald_t)
+')
+
+optional_policy(`
+ bind_search_cache(hald_t)
+')
+
+optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
+optional_policy(`
+ clock_domtrans(hald_t)
+')
+
+optional_policy(`
+ cups_domtrans_config(hald_t)
+ cups_signal_config(hald_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(hald_t)
+ dbus_connect_system_bus(hald_t)
+
+ init_dbus_chat_script(hald_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(hald_t)
+ ')
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-probe-smbios
+ dmidecode_domtrans(hald_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
+ hotplug_read_config(hald_t)
+')
+
+optional_policy(`
+ lvm_domtrans(hald_t)
+')
+
+optional_policy(`
+ mount_domtrans(hald_t)
+')
+
+optional_policy(`
+ ntp_domtrans(hald_t)
+')
+
+optional_policy(`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_pid_chr_files(hald_t)
+')
+
+optional_policy(`
+ podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
+ ppp_domtrans(hald_t)
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(hald_t)
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+ policykit_read_reload(hald_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(hald_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(hald_t)
+')
+
+optional_policy(`
+ updfstab_domtrans(hald_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(hald_t)
+')
+
+optional_policy(`
+ virt_manage_images(hald_t)
+')
+
+########################################
+#
+# Hal acl local policy
+#
+
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+allow hald_t hald_acl_t:process signal;
+allow hald_acl_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_acl_t)
+
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
+corecmd_exec_bin(hald_acl_t)
+
+dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
+dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
+dev_setattr_sound_dev(hald_acl_t)
+dev_setattr_generic_usb_dev(hald_acl_t)
+dev_setattr_usbfs_files(hald_acl_t)
+
+files_read_usr_files(hald_acl_t)
+files_read_etc_files(hald_acl_t)
+
+fs_getattr_all_fs(hald_acl_t)
+
+storage_getattr_removable_dev(hald_acl_t)
+storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
+
+auth_use_nsswitch(hald_acl_t)
+
+logging_send_syslog_msg(hald_acl_t)
+
+miscfiles_read_localization(hald_acl_t)
+
+optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+')
+
+########################################
+#
+# Local hald mac policy
+#
+
+allow hald_mac_t self:capability { setgid setuid sys_admin };
+
+domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
+allow hald_t hald_mac_t:process signal;
+allow hald_mac_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_mac_t)
+
+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
+dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
+
+files_read_usr_files(hald_mac_t)
+files_read_etc_files(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
+
+logging_send_syslog_msg(hald_mac_t)
+
+miscfiles_read_localization(hald_mac_t)
+
+########################################
+#
+# Local hald sonypic policy
+#
+
+domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
+allow hald_t hald_sonypic_t:process signal;
+allow hald_sonypic_t hald_t:unix_stream_socket connectto;
+
+dev_read_video_dev(hald_sonypic_t)
+dev_write_video_dev(hald_sonypic_t)
+
+manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_sonypic_t)
+
+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
+files_read_usr_files(hald_sonypic_t)
+
+miscfiles_read_localization(hald_sonypic_t)
+
+########################################
+#
+# Hal keymap local policy
+#
+
+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
+allow hald_t hald_keymap_t:process signal;
+allow hald_keymap_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_keymap_t)
+
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+dev_rw_input_dev(hald_keymap_t)
+
+files_read_etc_files(hald_keymap_t)
+files_read_usr_files(hald_keymap_t)
+
+miscfiles_read_localization(hald_keymap_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+
+allow hald_dccm_t self:capability { chown net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+dev_read_urand(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
+
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
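Review bot: `sys_tty_config` is granted in the hald_t capability allow rule and then dontaudited on the very next line (`dontaudit hald_t self:capability {sys_ptrace sys_tty_config };`), so the dontaudit entry is dead; keep it in only one place, and if hald does not actually need to reconfigure ttys, drop it from the allow and leave the dontaudit. The only comment on that allow rule, `# execute openvt which needs setuid`, explains setuid but none of the other eleven capabilities (`sys_admin`, `sys_rawio`, `mknod`, `dac_override`, `net_admin`, ...), and combined with `corecmd_exec_all_executables`, `libs_exec_lib_files`, `dev_read_raw_memory` and `storage_raw_write_fixed_disk` it leaves hald_t close to unconfined; each of those wide grants needs a one-line why-comment naming the helper or probe that requires it, as is already done for `dmidecode_domtrans` and `apm_stream_connect`. The `#hal runs shutdown, probably need a shutdown domain` remark above `init_telinit(hald_t)` acknowledges a known gap and should be a `# TODO:` so it is tracked rather than silently shipped. `hald_mac_t` likewise gets `dev_write_raw_memory` with no comment; presumably a specific addon needs /dev/mem write access, but that should be stated.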
diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc
new file mode 100644
index 00000000..16766123
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
new file mode 100644
index 00000000..87b45312
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.if
@@ -0,0 +1,77 @@
+## <summary>hddtemp hard disk temperature tool running as a daemon.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run hddtemp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hddtemp_domtrans',`
+ gen_require(`
+ type hddtemp_t, hddtemp_exec_t;
+ ')
+
+ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ corecmd_search_bin($1)
+')
+
+######################################
+## <summary>
+## Execute hddtemp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hddtemp_exec',`
+ gen_require(`
+ type hddtemp_exec_t;
+ ')
+
+ can_exec($1, hddtemp_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hddtemp environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hddtemp_admin',`
+ gen_require(`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+ allow $1 hddtemp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hddtemp_t)
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hddtemp_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+
+ allow $1 hddtemp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+ kernel_search_proc($1)
+')
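Review bot: The last three rules of `hddtemp_admin` (`allow $1 hddtemp_t:dir list_dir_perms;`, `read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)`, `kernel_search_proc($1)`) duplicate what `ps_process_pattern($1, hddtemp_t)` earlier in the same interface already grants, assuming the refpolicy definition of that pattern (dir list, file read, lnk_file read, process getattr); only `kernel_search_proc($1)` adds anything, so the other two lines can be dropped. Separately, `allow $1 hddtemp_t:process { ptrace signal_perms };` hands the admin role ptrace over a domain that holds `sys_rawio` and raw read access to fixed disks, which is a wider reach than stopping or restarting the service needs; if the intent is only service management, `signal_perms` alone is sufficient and ptrace could be gated behind a tunable. A one-line comment stating why ptrace is granted would settle the question for the next reader.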
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
new file mode 100644
index 00000000..c234b323
--- /dev/null
+++ b/policy/modules/contrib/hddtemp.te
@@ -0,0 +1,49 @@
+policy_module(hddtemp, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+type hddtemp_etc_t;
+files_config_file(hddtemp_etc_t)
+
+########################################
+#
+# hddtemp local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
+allow hddtemp_t self:tcp_socket create_stream_socket_perms;
+allow hddtemp_t self:udp_socket create_socket_perms;
+
+allow hddtemp_t hddtemp_etc_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(hddtemp_t)
+corenet_all_recvfrom_netlabel(hddtemp_t)
+corenet_tcp_sendrecv_generic_if(hddtemp_t)
+corenet_tcp_sendrecv_generic_node(hddtemp_t)
+corenet_tcp_bind_generic_node(hddtemp_t)
+corenet_tcp_sendrecv_all_ports(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+files_search_etc(hddtemp_t)
+files_read_usr_files(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
+
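Review bot: `allow hddtemp_t self:capability sys_rawio;` together with `storage_raw_read_fixed_disk(hddtemp_t)` gives a temperature daemon raw access to every fixed disk, and neither line says why; presumably this is for the ATA/SMART identify ioctls hddtemp issues on the device nodes, but that should be written down, e.g. `# raw disk reads for ATA/SMART temperature queries -- confirm against hddtemp source`. The domain is also given `allow hddtemp_t self:udp_socket create_socket_perms;` although no UDP corenet rule follows, so either the udp_socket line is template residue or the matching `corenet_udp_*` rules are missing; a comment or removal would make the intent clear. The `dontaudit hddtemp_t self:capability sys_admin;` line would also benefit from a note on which operation triggers the denial.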
diff --git a/policy/modules/contrib/howl.fc b/policy/modules/contrib/howl.fc
new file mode 100644
index 00000000..faf9146c
--- /dev/null
+++ b/policy/modules/contrib/howl.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0)
+/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
+
+/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
new file mode 100644
index 00000000..9164dd26
--- /dev/null
+++ b/policy/modules/contrib/howl.if
@@ -0,0 +1,19 @@
+## <summary>Port of Apple Rendezvous multicast DNS</summary>
+
+########################################
+## <summary>
+## Send generic signals to howl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`howl_signal',`
+ gen_require(`
+ type howl_t;
+ ')
+
+ allow $1 howl_t:process signal;
+')
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
new file mode 100644
index 00000000..6ad2d3cb
--- /dev/null
+++ b/policy/modules/contrib/howl.te
@@ -0,0 +1,80 @@
+policy_module(howl, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type howl_t;
+type howl_exec_t;
+init_daemon_domain(howl_t, howl_exec_t)
+
+type howl_var_run_t;
+files_pid_file(howl_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow howl_t self:capability { kill net_admin };
+dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
+allow howl_t self:fifo_file rw_fifo_file_perms;
+allow howl_t self:tcp_socket create_stream_socket_perms;
+allow howl_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t)
+files_pid_filetrans(howl_t, howl_var_run_t, file)
+
+kernel_read_network_state(howl_t)
+kernel_read_kernel_sysctls(howl_t)
+kernel_request_load_module(howl_t)
+kernel_list_proc(howl_t)
+kernel_read_proc_symlinks(howl_t)
+
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
+corenet_tcp_sendrecv_generic_if(howl_t)
+corenet_udp_sendrecv_generic_if(howl_t)
+corenet_tcp_sendrecv_generic_node(howl_t)
+corenet_udp_sendrecv_generic_node(howl_t)
+corenet_tcp_sendrecv_all_ports(howl_t)
+corenet_udp_sendrecv_all_ports(howl_t)
+corenet_tcp_bind_generic_node(howl_t)
+corenet_udp_bind_generic_node(howl_t)
+corenet_tcp_bind_howl_port(howl_t)
+corenet_udp_bind_howl_port(howl_t)
+corenet_sendrecv_howl_server_packets(howl_t)
+
+dev_read_sysfs(howl_t)
+
+fs_getattr_all_fs(howl_t)
+fs_search_auto_mountpoints(howl_t)
+
+domain_use_interactive_fds(howl_t)
+
+files_read_etc_files(howl_t)
+
+init_rw_utmp(howl_t)
+
+logging_send_syslog_msg(howl_t)
+
+miscfiles_read_localization(howl_t)
+
+sysnet_read_config(howl_t)
+
+userdom_dontaudit_use_unpriv_user_fds(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
+
+optional_policy(`
+ nis_use_ypbind(howl_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(howl_t)
+')
+
+optional_policy(`
+ udev_read_db(howl_t)
+')
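Review bot: `init_rw_utmp(howl_t)` grants a multicast-DNS responder write access to utmp without any comment, which looks like daemon-template residue rather than something mDNSResponder/nifd does; if no denial was observed, this should become `init_dontaudit_rw_utmp(howl_t)` or be removed, and if a denial was observed a comment should say which binary triggers it. The `kill` and `net_admin` capabilities in `allow howl_t self:capability { kill net_admin };` are likewise undocumented; net_admin is plausible for multicast group membership and interface enumeration but `kill` is broad for a single daemon and deserves a why-comment. `kernel_request_load_module(howl_t)` also lets the domain trigger module autoloading, which is worth a line explaining the expected trigger.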
diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc
new file mode 100644
index 00000000..024eb188
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.fc
@@ -0,0 +1,19 @@
+#
+# /usr
+#
+
+/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
new file mode 100644
index 00000000..bc7de4ff
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.if
@@ -0,0 +1,15 @@
+## <summary>IIIMF htt server</summary>
+
+########################################
+## <summary>
+## Use i18n_input over a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`i18n_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
new file mode 100644
index 00000000..5fc89c4e
--- /dev/null
+++ b/policy/modules/contrib/i18n_input.te
@@ -0,0 +1,102 @@
+policy_module(i18n_input, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type i18n_input_t;
+type i18n_input_exec_t;
+init_daemon_domain(i18n_input_t, i18n_input_exec_t)
+
+type i18n_input_var_run_t;
+files_pid_file(i18n_input_var_run_t)
+
+########################################
+#
+# i18n_input local policy
+#
+
+allow i18n_input_t self:capability { kill setgid setuid };
+dontaudit i18n_input_t self:capability sys_tty_config;
+allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:fifo_file rw_fifo_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t self:tcp_socket create_stream_socket_perms;
+allow i18n_input_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+
+kernel_read_kernel_sysctls(i18n_input_t)
+kernel_read_system_state(i18n_input_t)
+
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
+corenet_tcp_sendrecv_generic_if(i18n_input_t)
+corenet_udp_sendrecv_generic_if(i18n_input_t)
+corenet_tcp_sendrecv_generic_node(i18n_input_t)
+corenet_udp_sendrecv_generic_node(i18n_input_t)
+corenet_tcp_sendrecv_all_ports(i18n_input_t)
+corenet_udp_sendrecv_all_ports(i18n_input_t)
+corenet_tcp_bind_generic_node(i18n_input_t)
+corenet_tcp_bind_i18n_input_port(i18n_input_t)
+corenet_tcp_connect_all_ports(i18n_input_t)
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_sendrecv_all_client_packets(i18n_input_t)
+
+dev_read_sysfs(i18n_input_t)
+
+fs_getattr_all_fs(i18n_input_t)
+fs_search_auto_mountpoints(i18n_input_t)
+
+corecmd_search_bin(i18n_input_t)
+corecmd_exec_bin(i18n_input_t)
+
+domain_use_interactive_fds(i18n_input_t)
+
+files_read_etc_files(i18n_input_t)
+files_read_etc_runtime_files(i18n_input_t)
+files_read_usr_files(i18n_input_t)
+
+init_stream_connect_script(i18n_input_t)
+
+logging_send_syslog_msg(i18n_input_t)
+
+miscfiles_read_localization(i18n_input_t)
+
+sysnet_read_config(i18n_input_t)
+
+userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+userdom_read_user_home_content_files(i18n_input_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(i18n_input_t)
+ fs_read_nfs_symlinks(i18n_input_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(i18n_input_t)
+ fs_read_cifs_symlinks(i18n_input_t)
+')
+
+optional_policy(`
+ canna_stream_connect(i18n_input_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(i18n_input_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(i18n_input_t)
+')
+
+optional_policy(`
+ udev_read_db(i18n_input_t)
+')
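Review bot: `corenet_tcp_connect_all_ports(i18n_input_t)` and `corenet_sendrecv_all_client_packets(i18n_input_t)` let an input-method server, which also has `setuid`/`setgid`, `corecmd_exec_bin` and read access to user home content, open outbound TCP connections to any port on any host; that is much wider than the i18n_input port this daemon binds, and the rules carry no comment explaining which peer it needs to reach. If the server only talks to its own clients and to canna (already covered by `canna_stream_connect`), the connect-all-ports line should be removed or narrowed to the specific port interface, or at minimum gated behind a tunable with a comment naming the use case. The `files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)` rule covers only plain files, yet the domain is given manage rights on dirs and sock_files under `i18n_input_var_run_t` and the fc labels `/var/run/iiim(/.*)?` as a directory tree; if the daemon creates that directory or its socket at runtime they will not receive the right label, so `{ dir file sock_file }` is probably what is wanted here.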
diff --git a/policy/modules/contrib/icecast.fc b/policy/modules/contrib/icecast.fc
new file mode 100644
index 00000000..a81e0900
--- /dev/null
+++ b/policy/modules/contrib/icecast.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
+/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
+
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
new file mode 100644
index 00000000..ecab47ab
--- /dev/null
+++ b/policy/modules/contrib/icecast.if
@@ -0,0 +1,188 @@
+## <summary> ShoutCast compatible streaming media server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run icecast.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_domtrans',`
+ gen_require(`
+ type icecast_t, icecast_exec_t;
+ ')
+
+ domtrans_pattern($1, icecast_exec_t, icecast_t)
+')
+
+########################################
+## <summary>
+## Allow domain signal icecast
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute icecast server in the icecast domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icecast_initrc_domtrans',`
+ gen_require(`
+ type icecast_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, icecast_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read icecast PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_read_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 icecast_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage icecast pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read icecast's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_read_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## icecast log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`icecast_append_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage icecast log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`icecast_manage_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an icecast environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icecast_admin',`
+ gen_require(`
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
+ ps_process_pattern($1, icecast_t)
+
+ # Allow icecast_t to restart the apache service
+ icecast_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 icecast_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ icecast_manage_pid_files($1)
+
+ icecast_manage_log($1)
+
+')
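Review bot: The comment `# Allow icecast_t to restart the apache service` inside `icecast_admin` is wrong on both counts: the rules it annotates let the admin domain `$1`, not icecast_t, run the icecast init script, and nothing here touches apache; it should read `# Allow $1 to start/stop icecast via its init script`. The interface also omits `allow $1 icecast_t:process { ptrace signal_perms };` that `hddtemp_admin` in this same commit grants, so an icecast administrator can list the process with `ps_process_pattern` but cannot signal it; at least `signal_perms` belongs here for consistency with the other admin interfaces. The stray blank line before the closing `')` should also go.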
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
new file mode 100644
index 00000000..fdb7e9aa
--- /dev/null
+++ b/policy/modules/contrib/icecast.te
@@ -0,0 +1,61 @@
+policy_module(icecast, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type icecast_t;
+type icecast_exec_t;
+init_daemon_domain(icecast_t, icecast_exec_t)
+
+type icecast_initrc_exec_t;
+init_script_file(icecast_initrc_exec_t)
+
+type icecast_var_run_t;
+files_pid_file(icecast_var_run_t)
+
+type icecast_log_t;
+logging_log_file(icecast_log_t)
+
+########################################
+#
+# icecast local policy
+#
+
+allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:process { getsched fork setsched signal };
+allow icecast_t self:fifo_file rw_fifo_file_perms;
+allow icecast_t self:unix_stream_socket create_stream_socket_perms;
+allow icecast_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
+manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+
+manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
+kernel_read_system_state(icecast_t)
+
+corenet_tcp_bind_soundd_port(icecast_t)
+
+# Init script handling
+domain_use_interactive_fds(icecast_t)
+
+files_read_etc_files(icecast_t)
+
+auth_use_nsswitch(icecast_t)
+
+miscfiles_read_localization(icecast_t)
+
+sysnet_dns_name_resolve(icecast_t)
+
+optional_policy(`
+ apache_read_sys_content(icecast_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(icecast_t)
+')
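Review bot: `corenet_tcp_bind_soundd_port(icecast_t)` is the only corenet rule in the icecast domain, so a bind on the soundd port will still be denied for want of `corenet_tcp_bind_generic_node`, and inbound and outbound traffic will fail for want of the generic interface/node sendrecv and `corenet_all_recvfrom_*` rules that hddtemp.te and howl.te in this same commit include; unless the missing grants come from somewhere not shown here, the network portion of this policy cannot work. The `dac_override` in `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` also has no comment; if it is only needed to open root-owned log or config files before the setuid/setgid drop, say so, since the file types the domain manages are already its own.

```selinux
corenet_all_recvfrom_unlabeled(icecast_t)
corenet_all_recvfrom_netlabel(icecast_t)
corenet_tcp_sendrecv_generic_if(icecast_t)
corenet_tcp_sendrecv_generic_node(icecast_t)
corenet_tcp_bind_generic_node(icecast_t)
corenet_tcp_bind_soundd_port(icecast_t)
corenet_tcp_sendrecv_soundd_port(icecast_t)
# ... unchanged: init script handling, etc files, nsswitch, localization, dns, optional_policy blocks ...
```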
diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc
new file mode 100644
index 00000000..2eda96f7
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.fc
@@ -0,0 +1,7 @@
+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
new file mode 100644
index 00000000..dfb42326
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.if
@@ -0,0 +1,133 @@
+## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ifplugd_domtrans',`
+ gen_require(`
+ type ifplugd_t, ifplugd_exec_t;
+ ')
+
+ domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to ifplugd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_signal',`
+ gen_require(`
+ type ifplugd_t;
+ ')
+
+ allow $1 ifplugd_t:process signal;
+')
+
+########################################
+## <summary>
+## Read ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Manage ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_manage_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+## Read ifplugd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ifplugd_read_pid_files',`
+ gen_require(`
+ type ifplugd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ifplugd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ifplugd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ifplugd_admin',`
+ gen_require(`
+ type ifplugd_t, ifplugd_etc_t;
+ type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+ ')
+
+ allow $1 ifplugd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ifplugd_t)
+
+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ifplugd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ifplugd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ifplugd_var_run_t)
+')
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
new file mode 100644
index 00000000..978c32fb
--- /dev/null
+++ b/policy/modules/contrib/ifplugd.te
@@ -0,0 +1,76 @@
+policy_module(ifplugd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+# config files
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+# pid files
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# ifplugd local policy
+#
+
+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+allow ifplugd_t self:udp_socket create_socket_perms;
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
+
+# pid file
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+# config files
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+kernel_read_system_state(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+kernel_read_kernel_sysctls(ifplugd_t)
+
+corecmd_exec_shell(ifplugd_t)
+corecmd_exec_bin(ifplugd_t)
+
+# reading of hardware information
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+# transition to ifconfig & dhcpc
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+ consoletype_exec(ifplugd_t)
+')
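Review bot: `ifplugd_etc_t` is declared with `files_type` in the Declarations block, while inn.te in the same commit declares its /etc configuration type with `files_config_file`; since this type is also the target of `exec_files_pattern` in the config-files section, declaring it as `files_config_file(ifplugd_etc_t)` keeps the two modules consistent and makes the trust placed in that directory visible to the generic config interfaces. The exec rule itself deserves a why-comment, because files under a config directory are being executed in a domain holding `net_admin`: `# files under /etc/ifplugd are executed in ifplugd_t (exec_files_pattern below) — confirm which scripts need this`.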
diff --git a/policy/modules/contrib/imaze.fc b/policy/modules/contrib/imaze.fc
new file mode 100644
index 00000000..8d455ba6
--- /dev/null
+++ b/policy/modules/contrib/imaze.fc
@@ -0,0 +1,4 @@
+/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
+/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
diff --git a/policy/modules/contrib/imaze.if b/policy/modules/contrib/imaze.if
new file mode 100644
index 00000000..8eb9ec3a
--- /dev/null
+++ b/policy/modules/contrib/imaze.if
@@ -0,0 +1 @@
+## <summary>iMaze game server</summary>
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
new file mode 100644
index 00000000..0778af87
--- /dev/null
+++ b/policy/modules/contrib/imaze.te
@@ -0,0 +1,99 @@
+policy_module(imaze, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type imazesrv_t;
+type imazesrv_exec_t;
+init_daemon_domain(imazesrv_t, imazesrv_exec_t)
+
+type imazesrv_data_t;
+files_type(imazesrv_data_t)
+
+type imazesrv_data_labs_t;
+files_type(imazesrv_data_labs_t)
+
+type imazesrv_log_t;
+logging_log_file(imazesrv_log_t)
+
+type imazesrv_var_run_t;
+files_pid_file(imazesrv_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit imazesrv_t self:capability sys_tty_config;
+allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:fd use;
+allow imazesrv_t self:fifo_file rw_fifo_file_perms;
+allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
+allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow imazesrv_t self:shm create_shm_perms;
+allow imazesrv_t self:sem create_sem_perms;
+allow imazesrv_t self:msgq create_msgq_perms;
+allow imazesrv_t self:msg { send receive };
+allow imazesrv_t self:tcp_socket create_stream_socket_perms;
+allow imazesrv_t self:udp_socket create_socket_perms;
+
+allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
+read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+
+allow imazesrv_t imazesrv_log_t:file manage_file_perms;
+allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms;
+logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
+
+manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t)
+files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file)
+
+kernel_read_kernel_sysctls(imazesrv_t)
+kernel_list_proc(imazesrv_t)
+kernel_read_proc_symlinks(imazesrv_t)
+
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
+corenet_tcp_sendrecv_generic_if(imazesrv_t)
+corenet_udp_sendrecv_generic_if(imazesrv_t)
+corenet_tcp_sendrecv_generic_node(imazesrv_t)
+corenet_udp_sendrecv_generic_node(imazesrv_t)
+corenet_tcp_sendrecv_all_ports(imazesrv_t)
+corenet_udp_sendrecv_all_ports(imazesrv_t)
+corenet_tcp_bind_generic_node(imazesrv_t)
+corenet_udp_bind_generic_node(imazesrv_t)
+corenet_tcp_bind_imaze_port(imazesrv_t)
+corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
+
+dev_read_sysfs(imazesrv_t)
+
+domain_use_interactive_fds(imazesrv_t)
+
+files_read_etc_files(imazesrv_t)
+
+fs_getattr_all_fs(imazesrv_t)
+fs_search_auto_mountpoints(imazesrv_t)
+
+logging_send_syslog_msg(imazesrv_t)
+
+miscfiles_read_localization(imazesrv_t)
+
+sysnet_read_config(imazesrv_t)
+
+userdom_use_unpriv_users_fds(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
+
+optional_policy(`
+ nis_use_ypbind(imazesrv_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imazesrv_t)
+')
+
+optional_policy(`
+ udev_read_db(imazesrv_t)
+')
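Review bot: The self:process rule at the top of the local-policy section uses a complement set, `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }`, which grants every process permission not listed — including any added to the class later — whereas the other modules in this commit enumerate what the daemon uses (compare `allow innd_t self:process { setsched signal_perms };` in inn.te). An explicit list is preferable here; the exact set needs confirmation against the server, but `{ fork signal_perms setsched }` is the shape to aim for. Also, `imazesrv_data_labs_t` is declared in the Declarations block yet no rule in this hunk references it and imaze.fc labels nothing with it; if it is unused it should be dropped, otherwise its labeling and access rules are missing.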
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
new file mode 100644
index 00000000..39d5baa2
--- /dev/null
+++ b/policy/modules/contrib/inetd.fc
@@ -0,0 +1,12 @@
+
+/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/policy/modules/contrib/inetd.if b/policy/modules/contrib/inetd.if
new file mode 100644
index 00000000..df48e5ed
--- /dev/null
+++ b/policy/modules/contrib/inetd.if
@@ -0,0 +1,205 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+## <p>
+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ # encrypt the service through stunnel
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from inetd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+## Connect to the inetd service using a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Run inetd child process in the inet child domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to inetd. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
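Review bot: `inetd_tcp_service_domain` opens with a blank line before its `gen_require` block, unlike every other interface in this file; drop the blank line directly after `interface(\`inetd_tcp_service_domain',\`` so the layout matches its siblings. The rest of the file consistently places `gen_require` on the line after the interface header.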
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
new file mode 100644
index 00000000..10f25d3e
--- /dev/null
+++ b/policy/modules/contrib/inetd.te
@@ -0,0 +1,243 @@
+policy_module(inetd, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type inetd_t;
+type inetd_exec_t;
+init_daemon_domain(inetd_t, inetd_exec_t)
+
+type inetd_log_t;
+logging_log_file(inetd_log_t)
+
+type inetd_tmp_t;
+files_tmp_file(inetd_tmp_t)
+
+type inetd_var_run_t;
+files_pid_file(inetd_var_run_t)
+
+type inetd_child_t;
+type inetd_child_exec_t;
+inetd_service_domain(inetd_child_t, inetd_child_exec_t)
+role system_r types inetd_child_t;
+
+type inetd_child_tmp_t;
+files_tmp_file(inetd_child_tmp_t)
+
+type inetd_child_var_run_t;
+files_pid_file(inetd_child_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow inetd_t self:capability { setuid setgid sys_resource };
+dontaudit inetd_t self:capability sys_tty_config;
+allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:fifo_file rw_fifo_file_perms;
+allow inetd_t self:tcp_socket create_stream_socket_perms;
+allow inetd_t self:udp_socket create_socket_perms;
+allow inetd_t self:fd use;
+
+allow inetd_t inetd_log_t:file manage_file_perms;
+logging_log_filetrans(inetd_t, inetd_log_t, file)
+
+manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
+
+allow inetd_t inetd_var_run_t:file manage_file_perms;
+files_pid_filetrans(inetd_t, inetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
+kernel_read_system_state(inetd_t)
+kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+corecmd_bin_domtrans(inetd_t, inetd_child_t)
+
+# base networking:
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
+corenet_tcp_sendrecv_generic_if(inetd_t)
+corenet_udp_sendrecv_generic_if(inetd_t)
+corenet_tcp_sendrecv_generic_node(inetd_t)
+corenet_udp_sendrecv_generic_node(inetd_t)
+corenet_tcp_sendrecv_all_ports(inetd_t)
+corenet_udp_sendrecv_all_ports(inetd_t)
+corenet_tcp_bind_generic_node(inetd_t)
+corenet_udp_bind_generic_node(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
+corenet_sendrecv_all_client_packets(inetd_t)
+
+# listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
+corenet_tcp_bind_auth_port(inetd_t)
+corenet_udp_bind_comsat_port(inetd_t)
+corenet_tcp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
+corenet_udp_bind_ftp_port(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
+corenet_udp_bind_ktalkd_port(inetd_t)
+corenet_tcp_bind_pop_port(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
+corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsync_port(inetd_t)
+corenet_udp_bind_rsync_port(inetd_t)
+corenet_tcp_bind_stunnel_port(inetd_t)
+corenet_tcp_bind_swat_port(inetd_t)
+corenet_udp_bind_swat_port(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
+corenet_udp_bind_tftp_port(inetd_t)
+corenet_tcp_bind_ssh_port(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
+
+# service port packets:
+corenet_sendrecv_amanda_server_packets(inetd_t)
+corenet_sendrecv_auth_server_packets(inetd_t)
+corenet_sendrecv_comsat_server_packets(inetd_t)
+corenet_sendrecv_dbskkd_server_packets(inetd_t)
+corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_sendrecv_ircd_server_packets(inetd_t)
+corenet_sendrecv_ktalkd_server_packets(inetd_t)
+corenet_sendrecv_printer_server_packets(inetd_t)
+corenet_sendrecv_rsh_server_packets(inetd_t)
+corenet_sendrecv_rsync_server_packets(inetd_t)
+corenet_sendrecv_stunnel_server_packets(inetd_t)
+corenet_sendrecv_swat_server_packets(inetd_t)
+corenet_sendrecv_tftp_server_packets(inetd_t)
+
+dev_read_sysfs(inetd_t)
+
+fs_getattr_all_fs(inetd_t)
+fs_search_auto_mountpoints(inetd_t)
+
+selinux_validate_context(inetd_t)
+selinux_compute_create_context(inetd_t)
+
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_bin_symlinks(inetd_t)
+
+domain_use_interactive_fds(inetd_t)
+
+files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
+
+auth_use_nsswitch(inetd_t)
+
+logging_send_syslog_msg(inetd_t)
+
+miscfiles_read_localization(inetd_t)
+
+# xinetd needs MLS override privileges to work
+mls_fd_share_all_levels(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
+mls_process_set_level(inetd_t)
+
+sysnet_read_config(inetd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(inetd_t)
+ ')
+')
+
+ifdef(`enable_mls',`
+ corenet_tcp_recvfrom_netlabel(inetd_t)
+ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
+optional_policy(`
+ amanda_search_lib(inetd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(inetd_t)
+')
+
+optional_policy(`
+ udev_read_db(inetd_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(inetd_t)
+')
+
+########################################
+#
+# inetd child local_policy
+#
+
+allow inetd_child_t self:process signal_perms;
+allow inetd_child_t self:fifo_file rw_fifo_file_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
+
+# for identd
+allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow inetd_child_t self:capability { setuid setgid };
+files_search_home(inetd_child_t)
+
+manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
+
+manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_child_t)
+kernel_read_system_state(inetd_child_t)
+kernel_read_network_state(inetd_child_t)
+
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+dev_read_urand(inetd_child_t)
+
+fs_getattr_xattr_fs(inetd_child_t)
+
+files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
+
+auth_use_nsswitch(inetd_child_t)
+
+logging_send_syslog_msg(inetd_child_t)
+
+miscfiles_read_localization(inetd_child_t)
+
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
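Review bot: `unconfined_domain(inetd_t)` inside the `distro_redhat` block and `unconfined_domain(inetd_child_t)` in the last optional_policy both lift every restriction this module otherwise defines, and neither carries a comment explaining why confinement is abandoned; a short justification above each, e.g. `# unconfined on Red Hat: TODO confirm this is still required`, would keep the decision auditable when the module is reviewed later. Also, `role system_r types inetd_child_t;` following `inetd_service_domain(inetd_child_t, inetd_child_exec_t)` is redundant, since `inetd_service_domain` calls `inetd_core_service_domain`, which already emits `role system_r types $1` (see inetd.if in this commit); the line can be removed.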
diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc
new file mode 100644
index 00000000..8ca038d7
--- /dev/null
+++ b/policy/modules/contrib/inn.fc
@@ -0,0 +1,67 @@
+
+#
+# /etc
+#
+/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
+/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
+/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
+
+/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+# cjp: split these to fix an ordering
+# problem with a match in corecommands
+/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
+
+/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+
+/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
new file mode 100644
index 00000000..ebc9e0d7
--- /dev/null
+++ b/policy/modules/contrib/inn.if
@@ -0,0 +1,224 @@
+## <summary>Internet News NNTP server</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to execute innd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec',`
+ gen_require(`
+ type innd_t;
+ ')
+
+ can_exec($1, innd_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute
+## inn configuration files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ can_exec($1, innd_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the innd log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ manage_files_pattern($1, innd_log_t, innd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the innd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_pid',`
+ gen_require(`
+ type innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, innd_var_run_t, innd_var_run_t)
+ manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read innd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+#
+interface(`inn_read_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+ allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_spool',`
+ gen_require(`
+ type news_spool_t;
+ ')
+
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send to a innd unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_dgram_send',`
+ gen_require(`
+ type innd_t;
+ ')
+
+ allow $1 innd_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+## Execute inn in the inn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inn_domtrans',`
+ gen_require(`
+ type innd_t, innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, innd_exec_t, innd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an inn environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the inn domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+ type news_spool_t, innd_var_lib_t;
+ type innd_var_run_t, innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, innd_t)
+
+ init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 innd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, innd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, innd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, innd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, innd_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, news_spool_t)
+')
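Review bot: `inn_exec` requires `type innd_t;` in its gen_require block but the only rule it emits is `can_exec($1, innd_exec_t)`, so the type it actually uses is never required and the one it requires is unused; the block should read `type innd_exec_t;`. The summary for `inn_read_news_spool` repeats `Read innd news library files.` from the interface above it and should say `Read innd news spool files.`. There is also a stray blank line between the doc block and the `#` separator of `inn_read_config`, unlike every other interface in the file.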
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
new file mode 100644
index 00000000..9fab1dc8
--- /dev/null
+++ b/policy/modules/contrib/inn.te
@@ -0,0 +1,129 @@
+policy_module(inn, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+type innd_t;
+type innd_exec_t;
+init_daemon_domain(innd_t, innd_exec_t)
+
+type innd_etc_t;
+files_config_file(innd_etc_t)
+
+type innd_initrc_exec_t;
+init_script_file(innd_initrc_exec_t)
+
+type innd_log_t;
+logging_log_file(innd_log_t)
+
+type innd_var_lib_t;
+files_type(innd_var_lib_t)
+
+type innd_var_run_t;
+files_pid_file(innd_var_run_t)
+
+type news_spool_t;
+files_mountpoint(news_spool_t)
+
+########################################
+#
+# Local policy
+#
+allow innd_t self:capability { dac_override kill setgid setuid };
+dontaudit innd_t self:capability sys_tty_config;
+allow innd_t self:process { setsched signal_perms };
+allow innd_t self:fifo_file rw_fifo_file_perms;
+allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow innd_t self:tcp_socket create_stream_socket_perms;
+allow innd_t self:udp_socket create_socket_perms;
+allow innd_t self:netlink_route_socket r_netlink_socket_perms;
+
+read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+
+can_exec(innd_t, innd_exec_t)
+
+manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+allow innd_t innd_log_t:dir setattr;
+logging_log_filetrans(innd_t, innd_log_t, file)
+
+manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
+
+manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+files_pid_filetrans(innd_t, innd_var_run_t, file)
+
+manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
+manage_files_pattern(innd_t, news_spool_t, news_spool_t)
+manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+
+kernel_read_kernel_sysctls(innd_t)
+kernel_read_system_state(innd_t)
+
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
+corenet_tcp_sendrecv_generic_if(innd_t)
+corenet_udp_sendrecv_generic_if(innd_t)
+corenet_tcp_sendrecv_generic_node(innd_t)
+corenet_udp_sendrecv_generic_node(innd_t)
+corenet_tcp_sendrecv_all_ports(innd_t)
+corenet_udp_sendrecv_all_ports(innd_t)
+corenet_tcp_bind_generic_node(innd_t)
+corenet_tcp_bind_innd_port(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
+corenet_sendrecv_innd_server_packets(innd_t)
+corenet_sendrecv_all_client_packets(innd_t)
+
+dev_read_sysfs(innd_t)
+dev_read_urand(innd_t)
+
+fs_getattr_all_fs(innd_t)
+fs_search_auto_mountpoints(innd_t)
+
+corecmd_exec_bin(innd_t)
+corecmd_exec_shell(innd_t)
+
+domain_use_interactive_fds(innd_t)
+
+files_list_spool(innd_t)
+files_read_etc_files(innd_t)
+files_read_etc_runtime_files(innd_t)
+files_read_usr_files(innd_t)
+
+logging_send_syslog_msg(innd_t)
+
+miscfiles_read_localization(innd_t)
+
+seutil_dontaudit_search_config(innd_t)
+
+sysnet_read_config(innd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(innd_t)
+userdom_dontaudit_search_user_home_dirs(innd_t)
+
+mta_send_mail(innd_t)
+
+optional_policy(`
+ cron_system_entry(innd_t, innd_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(innd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(innd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(innd_t)
+')
+
+optional_policy(`
+ udev_read_db(innd_t)
+')
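Review bot: `corenet_tcp_connect_all_ports(innd_t)` on L35332 (together with `corenet_sendrecv_all_client_packets` on L35334) lets the daemon open outbound TCP connections to every labelled port, while its listening side is already narrowed to `corenet_tcp_bind_innd_port` on L35331. Combined with the `dac_override setgid setuid kill` capabilities on L35287 and `corecmd_exec_shell` on L35343, a compromised innd_t keeps broad reach onto the network, so the rule deserves either a connect interface limited to the peers innd actually talks to or a comment stating why all ports are required, e.g. `# innd connects to arbitrary peer ports: TODO confirm and narrow`. The same pair of rules appears in irc.te at L35501-L35502, where the in-tree comment on L35500 already calls it excessive.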
diff --git a/policy/modules/contrib/irc.fc b/policy/modules/contrib/irc.fc
new file mode 100644
index 00000000..65ece18f
--- /dev/null
+++ b/policy/modules/contrib/irc.fc
@@ -0,0 +1,11 @@
+#
+# /home
+#
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/contrib/irc.if b/policy/modules/contrib/irc.if
new file mode 100644
index 00000000..4f9dc90f
--- /dev/null
+++ b/policy/modules/contrib/irc.if
@@ -0,0 +1,31 @@
+## <summary>IRC client policy</summary>
+
+########################################
+## <summary>
+## Role access for IRC
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`irc_role',`
+ gen_require(`
+ type irc_t, irc_exec_t;
+ ')
+
+ role $1 types irc_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, irc_exec_t, irc_t)
+
+ # allow ps to show irc
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process signal;
+')
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
new file mode 100644
index 00000000..6e2dbd2b
--- /dev/null
+++ b/policy/modules/contrib/irc.te
@@ -0,0 +1,102 @@
+policy_module(irc, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type irc_t;
+type irc_exec_t;
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+userdom_user_application_domain(irc_t, irc_exec_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_tmp_file(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+
+# access files under /tmp
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_proc_symlinks(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_udp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_generic_node(irc_t)
+corenet_udp_sendrecv_generic_node(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+corenet_udp_sendrecv_all_ports(irc_t)
+corenet_sendrecv_ircd_client_packets(irc_t)
+# cjp: this seems excessive:
+corenet_tcp_connect_all_ports(irc_t)
+corenet_sendrecv_all_client_packets(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_dontaudit_search_pids(irc_t)
+files_search_var(irc_t)
+files_read_etc_files(irc_t)
+files_read_usr_files(irc_t)
+
+fs_getattr_xattr_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+# allow utmp access
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_localization(irc_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(irc_t)
+
+sysnet_read_config(irc_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(irc_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(irc_t)
+ fs_manage_nfs_files(irc_t)
+ fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(irc_t)
+ fs_manage_cifs_files(irc_t)
+ fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(irc_t)
+')
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
new file mode 100644
index 00000000..d733fa8f
--- /dev/null
+++ b/policy/modules/contrib/ircd.fc
@@ -0,0 +1,7 @@
+/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0)
+
+/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+
+/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
+/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
+/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
new file mode 100644
index 00000000..3f4de835
--- /dev/null
+++ b/policy/modules/contrib/ircd.if
@@ -0,0 +1 @@
+## <summary>IRC server</summary>
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
new file mode 100644
index 00000000..75ab1e2d
--- /dev/null
+++ b/policy/modules/contrib/ircd.te
@@ -0,0 +1,93 @@
+policy_module(ircd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type ircd_t;
+type ircd_exec_t;
+init_daemon_domain(ircd_t, ircd_exec_t)
+
+type ircd_etc_t;
+files_config_file(ircd_etc_t)
+
+type ircd_log_t;
+logging_log_file(ircd_log_t)
+
+type ircd_var_lib_t;
+files_type(ircd_var_lib_t)
+
+type ircd_var_run_t;
+files_pid_file(ircd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit ircd_t self:capability sys_tty_config;
+allow ircd_t self:process signal_perms;
+allow ircd_t self:tcp_socket create_stream_socket_perms;
+allow ircd_t self:udp_socket create_socket_perms;
+
+read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t)
+files_search_etc(ircd_t)
+
+manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t)
+logging_log_filetrans(ircd_t, ircd_log_t, { file dir })
+
+manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t)
+files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file)
+
+manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t)
+files_pid_filetrans(ircd_t, ircd_var_run_t, file)
+
+kernel_read_system_state(ircd_t)
+kernel_read_kernel_sysctls(ircd_t)
+
+corecmd_search_bin(ircd_t)
+
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
+corenet_tcp_sendrecv_generic_if(ircd_t)
+corenet_udp_sendrecv_generic_if(ircd_t)
+corenet_tcp_sendrecv_generic_node(ircd_t)
+corenet_udp_sendrecv_generic_node(ircd_t)
+corenet_tcp_sendrecv_all_ports(ircd_t)
+corenet_udp_sendrecv_all_ports(ircd_t)
+corenet_tcp_bind_generic_node(ircd_t)
+corenet_tcp_bind_ircd_port(ircd_t)
+corenet_sendrecv_ircd_server_packets(ircd_t)
+
+dev_read_sysfs(ircd_t)
+
+domain_use_interactive_fds(ircd_t)
+
+files_read_etc_files(ircd_t)
+files_read_etc_runtime_files(ircd_t)
+
+fs_getattr_all_fs(ircd_t)
+fs_search_auto_mountpoints(ircd_t)
+
+logging_send_syslog_msg(ircd_t)
+
+miscfiles_read_localization(ircd_t)
+
+sysnet_read_config(ircd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+userdom_dontaudit_search_user_home_dirs(ircd_t)
+
+optional_policy(`
+ nis_use_ypbind(ircd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ircd_t)
+')
+
+optional_policy(`
+ udev_read_db(ircd_t)
+')
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
new file mode 100644
index 00000000..38310757
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
new file mode 100644
index 00000000..058fb75c
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.if
@@ -0,0 +1 @@
+## <summary>IRQ balancing daemon</summary>
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
new file mode 100644
index 00000000..9aeeaf93
--- /dev/null
+++ b/policy/modules/contrib/irqbalance.te
@@ -0,0 +1,56 @@
+policy_module(irqbalance, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type irqbalance_t;
+type irqbalance_exec_t;
+init_daemon_domain(irqbalance_t, irqbalance_exec_t)
+
+type irqbalance_var_run_t;
+files_pid_file(irqbalance_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irqbalance_t self:capability { setpcap net_admin };
+dontaudit irqbalance_t self:capability sys_tty_config;
+allow irqbalance_t self:process { getcap setcap signal_perms };
+allow irqbalance_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+
+kernel_read_network_state(irqbalance_t)
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
+
+dev_read_sysfs(irqbalance_t)
+
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
+fs_getattr_all_fs(irqbalance_t)
+fs_search_auto_mountpoints(irqbalance_t)
+
+domain_use_interactive_fds(irqbalance_t)
+
+logging_send_syslog_msg(irqbalance_t)
+
+miscfiles_read_localization(irqbalance_t)
+
+userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(irqbalance_t)
+')
+
+optional_policy(`
+ udev_read_db(irqbalance_t)
+')
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
new file mode 100644
index 00000000..14d9670b
--- /dev/null
+++ b/policy/modules/contrib/iscsi.fc
@@ -0,0 +1,7 @@
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
new file mode 100644
index 00000000..4cae92ac
--- /dev/null
+++ b/policy/modules/contrib/iscsi.if
@@ -0,0 +1,76 @@
+## <summary>Establish connections to iSCSI devices</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run iscsid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsid_domtrans',`
+ gen_require(`
+ type iscsid_t, iscsid_exec_t;
+ ')
+
+ domtrans_pattern($1, iscsid_exec_t, iscsid_t)
+')
+
+########################################
+## <summary>
+## Manage iscsid sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_manage_semaphores',`
+ gen_require(`
+ type iscsid_t;
+ ')
+
+ allow $1 iscsid_t:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+## Connect to ISCSI using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_stream_connect',`
+ gen_require(`
+ type iscsid_t, iscsi_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
+')
+
+########################################
+## <summary>
+## Read iscsi lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iscsi_read_lib_files',`
+ gen_require(`
+ type iscsi_var_lib_t;
+ ')
+
+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
+ allow $1 iscsi_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
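Review bot: `iscsi_stream_connect` on L35809-L35816 pairs `files_search_pids($1)` with a `stream_connect_pattern` whose directory and socket types are both `iscsi_var_lib_t`, so the search permission granted does not match the directory the socket type implies; unless the socket really lives under the pid directory, the caller needs `files_search_var_lib($1)` instead of (or in addition to) the pids search, as `iscsi_read_lib_files` already does on L35835. Also `sempaphores` on L35783 should read `semaphores`, and `iscsid_domtrans` on L35773 omits the `corecmd_search_bin($1)` that the other domtrans interfaces visible in this series (e.g. `inn_domtrans`, L35198) include.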
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
new file mode 100644
index 00000000..8bcfa2fe
--- /dev/null
+++ b/policy/modules/contrib/iscsi.te
@@ -0,0 +1,97 @@
+policy_module(iscsi, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type iscsid_t;
+type iscsid_exec_t;
+domain_type(iscsid_t)
+init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+type iscsi_lock_t;
+files_lock_file(iscsi_lock_t)
+
+type iscsi_log_t;
+logging_log_file(iscsi_log_t)
+
+type iscsi_tmp_t;
+files_tmp_file(iscsi_tmp_t)
+
+type iscsi_var_lib_t;
+files_type(iscsi_var_lib_t)
+
+type iscsi_var_run_t;
+files_pid_file(iscsi_var_run_t)
+
+########################################
+#
+# iscsid local policy
+#
+
+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:process { setrlimit setsched signal };
+allow iscsid_t self:fifo_file rw_fifo_file_perms;
+allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow iscsid_t self:unix_dgram_socket create_socket_perms;
+allow iscsid_t self:sem create_sem_perms;
+allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(iscsid_t, iscsid_exec_t)
+
+manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file })
+
+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+
+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
+
+allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+files_search_var_lib(iscsid_t)
+
+manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+kernel_read_network_state(iscsid_t)
+kernel_read_system_state(iscsid_t)
+
+corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_all_recvfrom_netlabel(iscsid_t)
+corenet_tcp_sendrecv_generic_if(iscsid_t)
+corenet_tcp_sendrecv_generic_node(iscsid_t)
+corenet_tcp_sendrecv_all_ports(iscsid_t)
+corenet_tcp_connect_http_port(iscsid_t)
+corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
+
+dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
+
+domain_use_interactive_fds(iscsid_t)
+domain_dontaudit_read_all_domains_state(iscsid_t)
+
+files_read_etc_files(iscsid_t)
+
+auth_use_nsswitch(iscsid_t)
+
+init_stream_connect_script(iscsid_t)
+
+logging_send_syslog_msg(iscsid_t)
+
+miscfiles_read_localization(iscsid_t)
+
+optional_policy(`
+ tgtd_manage_semaphores(iscsid_t)
+')
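Review bot: The capability set on L35875 grants `sys_admin` (alongside `net_admin net_raw ipc_lock sys_resource`) to iscsid_t without any comment saying which operation needs it; `sys_admin` is the broadest capability in the list, so its justification should be recorded next to the rule, e.g. `# sys_admin: TODO document the iscsid operation that requires it`. Likewise `corenet_tcp_connect_http_port(iscsid_t)` on L35917 stands out next to the iscsi and isns port rules on L35918-L35919 and would benefit from a one-line comment naming the feature that speaks HTTP. Both are documentation requests; no rule change is proposed here.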
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
new file mode 100644
index 00000000..da6f4b49
--- /dev/null
+++ b/policy/modules/contrib/jabber.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
+/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
new file mode 100644
index 00000000..98784995
--- /dev/null
+++ b/policy/modules/contrib/jabber.if
@@ -0,0 +1,56 @@
+## <summary>Jabber instant messaging server</summary>
+
+########################################
+## <summary>
+## Connect to jabber over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jabber_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an jabber environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the jabber domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jabber_admin',`
+ gen_require(`
+ type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ type jabberd_var_run_t, jabberd_initrc_exec_t;
+ ')
+
+ allow $1 jabberd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_t)
+
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, jabberd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, jabberd_var_run_t)
+')
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
new file mode 100644
index 00000000..53e53ca3
--- /dev/null
+++ b/policy/modules/contrib/jabber.te
@@ -0,0 +1,94 @@
+policy_module(jabber, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type jabberd_t;
+type jabberd_exec_t;
+init_daemon_domain(jabberd_t, jabberd_exec_t)
+
+type jabberd_initrc_exec_t;
+init_script_file(jabberd_initrc_exec_t)
+
+type jabberd_log_t;
+logging_log_file(jabberd_log_t)
+
+type jabberd_var_lib_t;
+files_type(jabberd_var_lib_t)
+
+type jabberd_var_run_t;
+files_pid_file(jabberd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
+allow jabberd_t self:process signal_perms;
+allow jabberd_t self:fifo_file read_fifo_file_perms;
+allow jabberd_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+
+manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+
+manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+
+kernel_read_kernel_sysctls(jabberd_t)
+kernel_list_proc(jabberd_t)
+kernel_read_proc_symlinks(jabberd_t)
+
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
+corenet_tcp_sendrecv_generic_if(jabberd_t)
+corenet_udp_sendrecv_generic_if(jabberd_t)
+corenet_tcp_sendrecv_generic_node(jabberd_t)
+corenet_udp_sendrecv_generic_node(jabberd_t)
+corenet_tcp_sendrecv_all_ports(jabberd_t)
+corenet_udp_sendrecv_all_ports(jabberd_t)
+corenet_tcp_bind_generic_node(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+
+dev_read_sysfs(jabberd_t)
+# For SSL
+dev_read_rand(jabberd_t)
+
+domain_use_interactive_fds(jabberd_t)
+
+files_read_etc_files(jabberd_t)
+files_read_etc_runtime_files(jabberd_t)
+
+fs_getattr_all_fs(jabberd_t)
+fs_search_auto_mountpoints(jabberd_t)
+
+logging_send_syslog_msg(jabberd_t)
+
+miscfiles_read_localization(jabberd_t)
+
+sysnet_read_config(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+optional_policy(`
+ nis_use_ypbind(jabberd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
+
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
new file mode 100644
index 00000000..95b1cbcb
--- /dev/null
+++ b/policy/modules/contrib/java.fc
@@ -0,0 +1,38 @@
+#
+# /opt
+#
+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+#
+# /usr
+#
+/usr/(.*/)?bin/java -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+')
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
new file mode 100644
index 00000000..e6d84e86
--- /dev/null
+++ b/policy/modules/contrib/java.if
@@ -0,0 +1,200 @@
+## <summary>Java virtual machine</summary>
+
+########################################
+## <summary>
+## Role access for java
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`java_role',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ role $1 types java_t;
+
+ # The user role is authorized for this domain.
+ domtrans_pattern($2, java_exec_t, java_t)
+ allow java_t $2:process signull;
+ # Unrestricted inheritance from the caller.
+ allow $2 java_t:process { noatsecure siginh rlimitinh };
+
+ allow java_t $2:unix_stream_socket connectto;
+ allow java_t $2:unix_stream_socket { read write };
+ allow java_t $2:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## The role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`java_role_template',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t, java_exec_t)
+ role $2 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_manage_user_tmpfs_files($1_java_t)
+
+ allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+
+ dontaudit $1_java_t $3:tcp_socket { read write };
+
+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+
+ corecmd_bin_domtrans($1_java_t, $3)
+
+ dev_dontaudit_append_rand($1_java_t)
+
+ files_execmod_all_files($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+
+ optional_policy(`
+ xserver_role($2, $1_java_t)
+ ')
+')
+
+########################################
+## <summary>
+## Run java in javaplugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_domtrans',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ domtrans_pattern($1, java_exec_t, java_t)
+')
+
+########################################
+## <summary>
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+')
+
+########################################
+## <summary>
+## Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`java_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_java_t, java_exec_t;
+ ')
+
+ domtrans_pattern($1, java_exec_t, unconfined_java_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute the java program in the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ type unconfined_java_t;
+ ')
+
+ java_domtrans_unconfined($1)
+ role $2 types unconfined_java_t;
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ can_exec($1, java_exec_t)
+')
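Review bot: `java_role_template` grants `execstack` unconditionally on L36244, even though java.te in this same commit declares `gen_tunable(allow_java_execstack, false)` on L36386; as written that tunable cannot gate the derived `$1_java_t` domains, so the permission should move under a tunable_policy block keyed on allow_java_execstack, as below. `files_execmod_all_files($1_java_t)` on L36256 is similarly broad (text relocations on every file type) and, if it cannot be narrowed, deserves a comment explaining why the JVM needs it — the actual requirement is not visible here. Separately, `java_domtrans` on L36275 is declared with `template(` while the other domtrans interfaces visible in this series use `interface(`, and it omits the `corecmd_search_bin($1)` that `java_domtrans_unconfined` includes on L36324.
```m4
	allow $1_java_t self:process { ptrace signal getsched execmem };

	tunable_policy(`allow_java_execstack',`
		allow $1_java_t self:process execstack;
	')

	# … unchanged: remaining java_role_template rules …
```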
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
new file mode 100644
index 00000000..bce6b381
--- /dev/null
+++ b/policy/modules/contrib/java.te
@@ -0,0 +1,153 @@
+policy_module(java, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow java executable stack
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack, false)
+
+type java_t;
+type java_exec_t;
+userdom_user_application_domain(java_t, java_exec_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+role system_r types java_t;
+
+type java_tmp_t;
+userdom_user_tmp_file(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+userdom_user_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow java_t self:process { signal_perms getsched setsched execmem };
+allow java_t self:fifo_file rw_fifo_file_perms;
+allow java_t self:tcp_socket create_socket_perms;
+allow java_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_t, java_tmp_t, { file dir })
+
+manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_t, java_exec_t)
+
+kernel_read_all_sysctls(java_t)
+kernel_search_vm_sysctl(java_t)
+kernel_read_network_state(java_t)
+kernel_read_system_state(java_t)
+
+# Search bin directory under java for java executable
+corecmd_search_bin(java_t)
+
+corenet_all_recvfrom_unlabeled(java_t)
+corenet_all_recvfrom_netlabel(java_t)
+corenet_tcp_sendrecv_generic_if(java_t)
+corenet_udp_sendrecv_generic_if(java_t)
+corenet_tcp_sendrecv_generic_node(java_t)
+corenet_udp_sendrecv_generic_node(java_t)
+corenet_tcp_sendrecv_all_ports(java_t)
+corenet_udp_sendrecv_all_ports(java_t)
+corenet_tcp_connect_all_ports(java_t)
+corenet_sendrecv_all_client_packets(java_t)
+
+dev_read_sound(java_t)
+dev_write_sound(java_t)
+dev_read_urand(java_t)
+dev_read_rand(java_t)
+dev_dontaudit_append_rand(java_t)
+
+files_read_usr_files(java_t)
+files_search_home(java_t)
+files_search_var_lib(java_t)
+files_read_etc_runtime_files(java_t)
+# Read global fonts and font config
+files_read_etc_files(java_t)
+
+fs_getattr_xattr_fs(java_t)
+fs_dontaudit_rw_tmpfs_files(java_t)
+
+logging_send_syslog_msg(java_t)
+
+miscfiles_read_localization(java_t)
+# Read global fonts and font config
+miscfiles_read_fonts(java_t)
+
+sysnet_read_config(java_t)
+
+userdom_dontaudit_use_user_terminals(java_t)
+userdom_dontaudit_setattr_user_home_content_files(java_t)
+userdom_dontaudit_exec_user_home_content_files(java_t)
+userdom_manage_user_home_content_dirs(java_t)
+userdom_manage_user_home_content_files(java_t)
+userdom_manage_user_home_content_symlinks(java_t)
+userdom_manage_user_home_content_pipes(java_t)
+userdom_manage_user_home_content_sockets(java_t)
+userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
+userdom_write_user_tmp_sockets(java_t)
+
+tunable_policy(`allow_java_execstack',`
+ allow java_t self:process execstack;
+
+ allow java_t java_tmp_t:file execute;
+
+ libs_legacy_use_shared_libs(java_t)
+ libs_legacy_use_ld_so(java_t)
+
+ miscfiles_legacy_read_localization(java_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(java_t)
+')
+
+optional_policy(`
+ nscd_socket_use(java_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined java local policy
+#
+
+optional_policy(`
+ # execheap is needed for itanium/BEA jrocket
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
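Review bot: The `allow_java_execstack` tunable's `<desc>` at the top of the file understates what its conditional block near the end grants: besides `execstack`, it also lets java_t execute files it created under java_tmp_t (`allow java_t java_tmp_t:file execute;`) and use the legacy shared-library and ld.so interfaces. An administrator who turns the boolean on to clear an executable-stack denial is therefore also permitting code execution out of a temp directory, which is the more consequential relaxation. I would either move the tmp-execute rule into its own tunable or at least make the description honest, e.g. `Allow java to use an executable stack, execute files in its temporary directories, and use legacy shared libraries.`. A secondary nit: the typealias lists spell `auditadm_tmp_javaplugin_t` but `secadm_javaplugin_tmp_t`; if those are historical names being preserved that is fine, but it is worth confirming against the old per-role policy.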
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
new file mode 100644
index 00000000..c66934fb
--- /dev/null
+++ b/policy/modules/contrib/kdump.fc
@@ -0,0 +1,5 @@
+/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
new file mode 100644
index 00000000..4198ff5f
--- /dev/null
+++ b/policy/modules/contrib/kdump.if
@@ -0,0 +1,111 @@
+## <summary>Kernel crash dumping mechanism</summary>
+
+######################################
+## <summary>
+## Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_domtrans',`
+ gen_require(`
+ type kdump_t, kdump_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+## <summary>
+## Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_initrc_domtrans',`
+ gen_require(`
+ type kdump_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+## Read kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Manage kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_manage_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an kdump environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kdump domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ ')
+
+ allow $1 kdump_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kdump_t)
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kdump_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
+')
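Review bot: The summary on `kdump_initrc_domtrans` reads `Execute kdump in the kdump domain.`, copied from `kdump_domtrans` directly above, but the body only calls `init_labeled_script_domtrans` on the init script and never transitions to kdump_t; suggest `## Execute kdump init scripts in the initrc domain.`. Separately, `kdump_admin`'s docs say the role may manage the kdump domain, which is true, but the body also grants `$2` the system_r role via `role_transition`/`allow $2 system_r;`, and a reader of the `<rolecap/>` block would not expect that from the summary, so one sentence noting it would help. Minor style point: the separator comment lines shrink from 38 to 34 hashes across the interfaces here, whereas the other .if files in this change use a fixed 40.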
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
new file mode 100644
index 00000000..b29d8e20
--- /dev/null
+++ b/policy/modules/contrib/kdump.te
@@ -0,0 +1,38 @@
+policy_module(kdump, 1.2.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+#####################################
+#
+# kdump local policy
+#
+
+allow kdump_t self:capability { sys_boot dac_override };
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_system_state(kdump_t)
+kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
+kernel_request_load_module(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
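Review bot: `allow kdump_t self:capability { sys_boot dac_override };` grants two broad capabilities with no why-comment, while comparable grants in kdumpgui.te in this same change are annotated. `sys_boot` is presumably what loading the crash kernel needs; `dac_override` lets the process bypass file-permission bits entirely, and nothing else in the block shows which access requires it, since the config file, kernel image, debugfs and sysfs reads are all already allowed by type. Suggest `# sys_boot: load the crash kernel; dac_override: TODO confirm which file access requires it, else drop` so the surplus is either justified or removed.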
diff --git a/policy/modules/contrib/kdumpgui.fc b/policy/modules/contrib/kdumpgui.fc
new file mode 100644
index 00000000..250679cd
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --git a/policy/modules/contrib/kdumpgui.if b/policy/modules/contrib/kdumpgui.if
new file mode 100644
index 00000000..d6af9b08
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.if
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump GUI</summary>
+
diff --git a/policy/modules/contrib/kdumpgui.te b/policy/modules/contrib/kdumpgui.te
new file mode 100644
index 00000000..0c52f607
--- /dev/null
+++ b/policy/modules/contrib/kdumpgui.te
@@ -0,0 +1,65 @@
+policy_module(kdumpgui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdumpgui_t;
+type kdumpgui_exec_t;
+dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+######################################
+#
+# system-config-kdump local policy
+#
+
+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
+corecmd_exec_bin(kdumpgui_t)
+corecmd_exec_shell(kdumpgui_t)
+
+dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+dev_read_sysfs(kdumpgui_t)
+
+files_manage_boot_files(kdumpgui_t)
+files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
+files_manage_etc_runtime_files(kdumpgui_t)
+files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
+
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_raw_write_fixed_disk(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
+logging_send_syslog_msg(kdumpgui_t)
+
+miscfiles_read_localization(kdumpgui_t)
+
+init_dontaudit_read_all_script_files(kdumpgui_t)
+
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
+optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+')
+
+optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
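Review bot: `storage_raw_write_fixed_disk(kdumpgui_t)` together with `self:capability { net_admin sys_admin sys_rawio }` gives a D-Bus-activated backend write access to raw block devices, yet unlike the `chkconfig` and `blkid.tab` rules a few lines up, these lines carry no justification. Raw write to fixed disks is effectively unconfined from a data-integrity standpoint, so the comment should state what the backend actually writes (presumably probing or preparing the dump target — confirm) and whether read access would suffice, e.g. `# raw disk access: TODO state the operation that needs write`. Also, if `dev_rw_lvm_control` is provided by the base devices module, the `optional_policy` wrapper around it is unnecessary; the other three wrappers here guard genuinely optional modules.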
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
new file mode 100644
index 00000000..3525d248
--- /dev/null
+++ b/policy/modules/contrib/kerberos.fc
@@ -0,0 +1,33 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
new file mode 100644
index 00000000..604f67bf
--- /dev/null
+++ b/policy/modules/contrib/kerberos.if
@@ -0,0 +1,380 @@
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+## <p>
+## This policy supports:
+## </p>
+## <p>
+## Servers:
+## <ul>
+## <li>kadmind</li>
+## <li>krb5kdc</li>
+## </ul>
+## </p>
+## <p>
+## Clients:
+## <ul>
+## <li>kinit</li>
+## <li>kdestroy</li>
+## <li>klist</li>
+## <li>ksu (incomplete)</li>
+## </ul>
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute kadmind in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_exec_kadmind',`
+ gen_require(`
+ type kadmind_exec_t;
+ ')
+
+ can_exec($1, kadmind_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run kpropd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerberos_domtrans_kpropd',`
+ gen_require(`
+ type kpropd_t, kpropd_exec_t;
+ ')
+
+ domtrans_pattern($1, kpropd_exec_t, kpropd_t)
+')
+
+########################################
+## <summary>
+## Use kerberos services
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_use',`
+ gen_require(`
+ type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ selinux_dontaudit_validate_context($1)
+ seutil_dontaudit_read_file_contexts($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_kerberos_port($1)
+ corenet_udp_sendrecv_kerberos_port($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_connect_kerberos_port($1)
+ corenet_tcp_connect_ocsp_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+ allow $1 krb5_host_rcache_t:file getattr;
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_kerberos',`
+ pcscd_stream_connect($1)
+ ')
+ ')
+
+ optional_policy(`
+ sssd_read_public_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_config',`
+ gen_require(`
+ type krb5_conf_t, krb5_home_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file read_file_perms;
+ allow $1 krb5_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write the kerberos
+## configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerberos_dontaudit_write_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ dontaudit $1 krb5_conf_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write the kerberos configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_rw_config',`
+ gen_require(`
+ type krb5_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read the kerberos key table.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write the kerberos key table.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_rw_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create a derived type for kerberos keytab
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`kerberos_keytab_template',`
+ type $1_keytab_t;
+ files_type($1_keytab_t)
+
+ allow $2 $1_keytab_t:file read_file_perms;
+
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_read_kdc_config',`
+ gen_require(`
+ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
+ domain_obj_id_change_exemption($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_search_tmp($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to krb524 service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_connect_524',`
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ corenet_sendrecv_kerberos_master_client_packets($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an kerberos environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kerberos domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_admin',`
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type kpropd_t;
+ ')
+
+ allow $1 kadmind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kadmind_t)
+
+ allow $1 krb5kdc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, krb5kdc_t)
+
+ allow $1 kpropd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerberos_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, kadmind_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, kadmind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, kadmind_var_run_t)
+
+ admin_pattern($1, krb5_conf_t)
+
+ admin_pattern($1, krb5_host_rcache_t)
+
+ admin_pattern($1, krb5_keytab_t)
+
+ admin_pattern($1, krb5kdc_principal_t)
+
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
+')
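Review bot: `kerberos_keytab_template` declares the derived `$1_keytab_t` with `files_type`, whereas the module's own keytab type is declared with `files_security_file` in kerberos.te. The two are therefore treated differently by any interface that grants access to all non-security file types: a domain given such blanket read access could read a derived keytab but not /etc/krb5.keytab, which inverts the intent of the template. Suggest `files_security_file($1_keytab_t)`. Separately, the summary on `kerberos_manage_host_rcache` is copied from `kerberos_read_kdc_config` and claims to read the KDC configuration; it should read something like `Create, read, write, and delete the kerberos host replay cache file.`.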
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
new file mode 100644
index 00000000..8edc29b6
--- /dev/null
+++ b/policy/modules/contrib/kerberos.te
@@ -0,0 +1,325 @@
+policy_module(kerberos, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
+## </desc>
+gen_tunable(allow_kerberos, false)
+
+type kadmind_t;
+type kadmind_exec_t;
+init_daemon_domain(kadmind_t, kadmind_exec_t)
+domain_obj_id_change_exemption(kadmind_t)
+
+type kadmind_log_t;
+logging_log_file(kadmind_log_t)
+
+type kadmind_tmp_t;
+files_tmp_file(kadmind_tmp_t)
+
+type kadmind_var_run_t;
+files_pid_file(kadmind_var_run_t)
+
+type kerberos_initrc_exec_t;
+init_script_file(kerberos_initrc_exec_t)
+
+type kpropd_t;
+type kpropd_exec_t;
+init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
+
+type krb5_conf_t;
+files_type(krb5_conf_t)
+
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t;
+files_security_file(krb5_keytab_t)
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t;
+files_type(krb5kdc_conf_t)
+
+type krb5kdc_lock_t;
+files_type(krb5kdc_lock_t)
+
+# types for KDC principal file(s)
+type krb5kdc_principal_t;
+files_type(krb5kdc_principal_t)
+
+type krb5kdc_t;
+type krb5kdc_exec_t;
+init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
+domain_obj_id_change_exemption(krb5kdc_t)
+
+type krb5kdc_log_t;
+logging_log_file(krb5kdc_log_t)
+
+type krb5kdc_tmp_t;
+files_tmp_file(krb5kdc_tmp_t)
+
+type krb5kdc_var_run_t;
+files_pid_file(krb5kdc_var_run_t)
+
+########################################
+#
+# kadmind local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+dontaudit kadmind_t self:capability sys_tty_config;
+allow kadmind_t self:process { setfscreate signal_perms };
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+allow kadmind_t self:udp_socket create_socket_perms;
+
+allow kadmind_t kadmind_log_t:file manage_file_perms;
+logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+
+allow kadmind_t krb5_conf_t:file read_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
+
+read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+
+allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+
+can_exec(kadmind_t, kadmind_exec_t)
+
+manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+
+manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
+files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+
+kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
+
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
+corenet_tcp_sendrecv_generic_if(kadmind_t)
+corenet_udp_sendrecv_generic_if(kadmind_t)
+corenet_tcp_sendrecv_generic_node(kadmind_t)
+corenet_udp_sendrecv_generic_node(kadmind_t)
+corenet_tcp_sendrecv_all_ports(kadmind_t)
+corenet_udp_sendrecv_all_ports(kadmind_t)
+corenet_tcp_bind_generic_node(kadmind_t)
+corenet_udp_bind_generic_node(kadmind_t)
+corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+
+dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
+
+fs_getattr_all_fs(kadmind_t)
+fs_search_auto_mountpoints(kadmind_t)
+
+domain_use_interactive_fds(kadmind_t)
+
+files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
+
+selinux_validate_context(kadmind_t)
+
+logging_send_syslog_msg(kadmind_t)
+
+miscfiles_read_localization(kadmind_t)
+
+seutil_read_file_contexts(kadmind_t)
+
+sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+userdom_dontaudit_search_user_home_dirs(kadmind_t)
+
+optional_policy(`
+ nis_use_ypbind(kadmind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
+')
+
+optional_policy(`
+ udev_read_db(kadmind_t)
+')
+
+########################################
+#
+# Krb5kdc local policy
+#
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+dontaudit krb5kdc_t self:capability sys_tty_config;
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+allow krb5kdc_t self:udp_socket create_socket_perms;
+allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
+
+allow krb5kdc_t krb5_conf_t:file read_file_perms;
+dontaudit krb5kdc_t krb5_conf_t:file write;
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
+
+allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+
+manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+
+manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+
+kernel_read_system_state(krb5kdc_t)
+kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
+kernel_search_network_sysctl(krb5kdc_t)
+
+corecmd_exec_bin(krb5kdc_t)
+
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
+corenet_tcp_sendrecv_generic_if(krb5kdc_t)
+corenet_udp_sendrecv_generic_if(krb5kdc_t)
+corenet_tcp_sendrecv_generic_node(krb5kdc_t)
+corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
+corenet_tcp_bind_generic_node(krb5kdc_t)
+corenet_udp_bind_generic_node(krb5kdc_t)
+corenet_tcp_bind_kerberos_port(krb5kdc_t)
+corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_tcp_connect_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+
+dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
+
+fs_getattr_all_fs(krb5kdc_t)
+fs_search_auto_mountpoints(krb5kdc_t)
+
+domain_use_interactive_fds(krb5kdc_t)
+
+files_read_etc_files(krb5kdc_t)
+files_read_usr_symlinks(krb5kdc_t)
+files_read_var_files(krb5kdc_t)
+
+selinux_validate_context(krb5kdc_t)
+
+logging_send_syslog_msg(krb5kdc_t)
+
+miscfiles_read_localization(krb5kdc_t)
+
+seutil_read_file_contexts(krb5kdc_t)
+
+sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(krb5kdc_t)
+')
+
+optional_policy(`
+ udev_read_db(krb5kdc_t)
+')
+
+########################################
+#
+# kpropd local policy
+#
+
+allow kpropd_t self:capability net_bind_service;
+allow kpropd_t self:process setfscreate;
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
+
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
+
+allow kpropd_t krb5_keytab_t:file read_file_perms;
+
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
+corecmd_exec_bin(kpropd_t)
+
+corenet_all_recvfrom_unlabeled(kpropd_t)
+corenet_tcp_sendrecv_generic_if(kpropd_t)
+corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
+corenet_tcp_bind_generic_node(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
+
+dev_read_urand(kpropd_t)
+
+files_read_etc_files(kpropd_t)
+files_search_tmp(kpropd_t)
+
+selinux_validate_context(kpropd_t)
+
+logging_send_syslog_msg(kpropd_t)
+
+miscfiles_read_localization(kpropd_t)
+
+seutil_read_file_contexts(kpropd_t)
+
+sysnet_dns_name_resolve(kpropd_t)
+
+kerberos_use(kpropd_t)
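Review bot: The comment `# Use capabilities. Surplus capabilities may be allowed.` above both the kadmind_t and krb5kdc_t capability rules acknowledges over-grant without resolving it: `dac_override` on both daemons, and `net_admin` on krb5kdc_t in particular, have no stated need, and the files each daemon touches are already reachable by type. I would replace the blanket comment with per-capability justifications and a TODO for those nobody can justify, e.g. `# dac_override: TODO state the file access that needs it; net_admin: TODO confirm, else remove`. Minor consistency point: `allow kpropd_t self:fifo_file rw_file_perms;` uses the generic file permission set where the java, kdumpgui and krb5kdc rules in this change use `rw_fifo_file_perms`.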
diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc
new file mode 100644
index 00000000..5ef261a3
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
+/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
new file mode 100644
index 00000000..835b16b0
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.if
@@ -0,0 +1,115 @@
+## <summary>Service for reporting kernel oopses to kerneloops.org</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kerneloops.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kerneloops_domtrans',`
+ gen_require(`
+ type kerneloops_t;
+ type kerneloops_exec_t;
+ ')
+
+ domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## kerneloops over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kerneloops_t:dbus send_msg;
+ allow kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to Send and receive messages from
+## kerneloops over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerneloops_dontaudit_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 kerneloops_t:dbus send_msg;
+ dontaudit kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow domain to manage kerneloops tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an kerneloops environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kerneloops domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerneloops_admin',`
+ gen_require(`
+ type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kerneloops_t)
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
+')
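Review bot: kerneloops_admin grants `admin_pattern($1, kerneloops_tmp_t)` without giving the caller search access to /tmp, so the rule is of little use unless the admin domain already has it; ldap_admin later in this diff pairs its admin_pattern on slapd_tmp_t with `files_list_tmp($1)`, and the same line belongs before the admin_pattern call here. Two documentation nits in the same file: the kerneloops_dontaudit_dbus_chat summary reads "dontaudit attempts to Send and receive" with a stray capital, and the admin summary says "an kerneloops environment" where "a kerneloops environment" is meant.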
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
new file mode 100644
index 00000000..6b355479
--- /dev/null
+++ b/policy/modules/contrib/kerneloops.te
@@ -0,0 +1,54 @@
+policy_module(kerneloops, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type kerneloops_t;
+type kerneloops_exec_t;
+init_daemon_domain(kerneloops_t, kerneloops_exec_t)
+
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
+########################################
+#
+# kerneloops local policy
+#
+
+allow kerneloops_t self:capability sys_nice;
+allow kerneloops_t self:process { getcap setcap setsched getsched signal };
+allow kerneloops_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
+
+kernel_read_ring_buffer(kerneloops_t)
+
+# Init script handling
+domain_use_interactive_fds(kerneloops_t)
+
+corenet_all_recvfrom_unlabeled(kerneloops_t)
+corenet_all_recvfrom_netlabel(kerneloops_t)
+corenet_tcp_sendrecv_generic_if(kerneloops_t)
+corenet_tcp_sendrecv_generic_node(kerneloops_t)
+corenet_tcp_sendrecv_all_ports(kerneloops_t)
+corenet_tcp_bind_http_port(kerneloops_t)
+corenet_tcp_connect_http_port(kerneloops_t)
+
+files_read_etc_files(kerneloops_t)
+
+auth_use_nsswitch(kerneloops_t)
+
+logging_send_syslog_msg(kerneloops_t)
+logging_read_generic_logs(kerneloops_t)
+
+miscfiles_read_localization(kerneloops_t)
+
+optional_policy(`
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+')
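Review bot: `corenet_tcp_bind_http_port(kerneloops_t)` lets a daemon whose purpose is to submit oops reports listen on the HTTP port, which looks wider than the connect rule on the next line needs. If kerneloops only acts as an HTTP client the bind line should go; if it does listen, a comment above it naming the feature that requires it would spare the next reader the question. I could not confirm from this diff whether kerneloops ever listens, so treat this as a question rather than a defect.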
diff --git a/policy/modules/contrib/kismet.fc b/policy/modules/contrib/kismet.fc
new file mode 100644
index 00000000..dae60e5e
--- /dev/null
+++ b/policy/modules/contrib/kismet.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
new file mode 100644
index 00000000..c18c920c
--- /dev/null
+++ b/policy/modules/contrib/kismet.if
@@ -0,0 +1,247 @@
+## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kismet.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_domtrans',`
+ gen_require(`
+ type kismet_t, kismet_exec_t;
+ ')
+
+ domtrans_pattern($1, kismet_exec_t, kismet_t)
+ allow kismet_t $1:process signull;
+')
+
+########################################
+## <summary>
+## Execute kismet in the kismet domain, and
+## allow the specified role the kismet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_run',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ kismet_domtrans($1)
+ role $2 types kismet_t;
+')
+
+########################################
+## <summary>
+## Read kismet PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ allow $1 kismet_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage kismet var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ allow $1 kismet_var_run_t:file manage_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Search kismet lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_search_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:file read_file_perms;
+ allow $1 kismet_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage kismet var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read kismet's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_read_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_append_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage kismet log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
+ manage_files_pattern($1, kismet_log_t, kismet_log_t)
+ manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an kismet environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_admin',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ ps_process_pattern($1, kismet_t)
+ allow $1 kismet_t:process { ptrace signal_perms };
+
+ kismet_manage_pid_files($1)
+ kismet_manage_lib($1)
+ kismet_manage_log($1)
+')
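Review bot: kismet_manage_lib omits `files_search_var_lib($1)`, while its siblings kismet_search_lib, kismet_read_lib_files and kismet_manage_lib_files all pair their rules with it, so a caller of kismet_manage_lib (including kismet_admin) may be unable to reach /var/lib/kismet unless it already has search on var_lib_t; adding `files_search_var_lib($1)` after the manage_lnk_files_pattern line makes the lib interfaces consistent. The summaries of kismet_manage_lib_files ("Create, read, write, and delete kismet lib files") and kismet_manage_lib ("Manage kismet var_lib files") describe near-identical access; the second should state that it also manages directories and symlinks so a policy author can tell them apart.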
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
new file mode 100644
index 00000000..9dd6880e
--- /dev/null
+++ b/policy/modules/contrib/kismet.te
@@ -0,0 +1,101 @@
+policy_module(kismet, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type kismet_t;
+type kismet_exec_t;
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
+type kismet_home_t;
+userdom_user_home_content(kismet_home_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+type kismet_tmp_t;
+files_tmp_file(kismet_tmp_t)
+
+type kismet_tmpfs_t;
+files_tmp_file(kismet_tmpfs_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+########################################
+#
+# kismet local policy
+#
+
+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:process signal_perms;
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+allow kismet_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
+userdom_search_user_home_dirs(kismet_t)
+
+manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
+allow kismet_t kismet_log_t:dir setattr;
+logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
+
+manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
+kernel_read_network_state(kismet_t)
+
+corecmd_exec_bin(kismet_t)
+
+corenet_all_recvfrom_unlabeled(kismet_t)
+corenet_all_recvfrom_netlabel(kismet_t)
+corenet_tcp_sendrecv_generic_if(kismet_t)
+corenet_tcp_sendrecv_generic_node(kismet_t)
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_generic_node(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)
+userdom_read_user_tmpfs_files(kismet_t)
+
+optional_policy(`
+ dbus_system_bus_client(kismet_t)
+
+ networkmanager_dbus_chat(kismet_t)
+')
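Review bot: kismet_tmpfs_t is declared with `files_tmp_file(kismet_tmpfs_t)` in the declarations block, yet the domain creates it through `fs_tmpfs_filetrans` further down; the declaration for a tmpfs-backed type is `files_tmpfs_file(kismet_tmpfs_t)`, and with files_tmp_file the type carries the tmp-file attribute rather than the tmpfs one. Presumably the line was copied from the kismet_tmp_t declaration just above it; worth confirming against the tmpfs handling in the filesystem module. Separately, the capability set dac_override, net_admin, net_raw, setuid, setgid on kismet_t is plausible for a sniffer that opens raw packet sockets and drops privileges, but a one-line comment naming which step needs dac_override would help, since that one bypasses file DAC everywhere the domain can reach.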
diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc
new file mode 100644
index 00000000..9c0c8354
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
new file mode 100644
index 00000000..6fd0b4c0
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.if
@@ -0,0 +1,74 @@
+## <summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ksmtuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_domtrans',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_exec_t;
+ ')
+
+ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
+')
+
+########################################
+## <summary>
+## Execute ksmtuned server in the ksmtuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_initrc_domtrans',`
+ gen_require(`
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ksmtuned environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ksmtuned_admin',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ allow $1 ksmtuned_t:process { ptrace signal_perms };
+ ps_process_pattern(ksmtumed_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+
+ # Allow ksmtuned_t to restart the apache service
+ ksmtuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
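Review bot: `ps_process_pattern(ksmtumed_t)` in ksmtuned_admin has a typo in the type name and is missing the domain argument, so the pattern expands against an undeclared type and leaves $1 out; it should read `ps_process_pattern($1, ksmtuned_t)`, matching the form kerneloops_admin and kismet_admin use in this diff. The comment `# Allow ksmtuned_t to restart the apache service` is a copy-paste leftover: the rules below it let the admin domain $1 run the ksmtuned init script, so `# Allow the admin domain to start and stop the ksmtuned service` describes them. The interface also ends with a blank line before the closing quote, which none of the other interfaces in this diff have.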
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
new file mode 100644
index 00000000..a73b7a12
--- /dev/null
+++ b/policy/modules/contrib/ksmtuned.te
@@ -0,0 +1,39 @@
+policy_module(ksmtuned, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ksmtuned_t;
+type ksmtuned_exec_t;
+init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
+type ksmtuned_initrc_exec_t;
+init_script_file(ksmtuned_initrc_exec_t)
+
+type ksmtuned_var_run_t;
+files_pid_file(ksmtuned_var_run_t)
+
+########################################
+#
+# ksmtuned local policy
+#
+
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+allow ksmtuned_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+kernel_read_system_state(ksmtuned_t)
+
+dev_rw_sysfs(ksmtuned_t)
+
+domain_read_all_domains_state(ksmtuned_t)
+
+corecmd_exec_bin(ksmtuned_t)
+
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
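Review bot: `allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };` grants sys_tty_config outright, whereas the kudzu and ldap modules in this diff only dontaudit that capability for their daemons; unless ksmtuned actually configures a tty, `dontaudit ksmtuned_t self:capability sys_tty_config;` is the conventional form. sys_ptrace paired with domain_read_all_domains_state gives the daemon read access to the state of every process on the system, which is plausible for a tuning script that inspects memory use but deserves a comment naming the /proc reads that need it. dev_rw_sysfs likewise covers all of sysfs rather than just the KSM control files, so if a narrower interface is available it would be preferable.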
diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc
new file mode 100644
index 00000000..47d0bf31
--- /dev/null
+++ b/policy/modules/contrib/ktalk.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/policy/modules/contrib/ktalk.if b/policy/modules/contrib/ktalk.if
new file mode 100644
index 00000000..5ba36dbf
--- /dev/null
+++ b/policy/modules/contrib/ktalk.if
@@ -0,0 +1 @@
+## <summary>KDE Talk daemon</summary>
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
new file mode 100644
index 00000000..ca5cfdfe
--- /dev/null
+++ b/policy/modules/contrib/ktalk.te
@@ -0,0 +1,79 @@
+policy_module(ktalk, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type ktalkd_t;
+type ktalkd_exec_t;
+inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
+role system_r types ktalkd_t;
+
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
+type ktalkd_tmp_t;
+files_tmp_file(ktalkd_tmp_t)
+
+type ktalkd_var_run_t;
+files_pid_file(ktalkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow ktalkd_t self:process signal_perms;
+allow ktalkd_t self:fifo_file rw_fifo_file_perms;
+allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
+allow ktalkd_t self:udp_socket create_socket_perms;
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow ktalkd_t self:capability { setuid setgid };
+files_search_home(ktalkd_t)
+optional_policy(`
+ kerberos_use(ktalkd_t)
+')
+#end for identd
+
+allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+logging_log_filetrans(ktalkd_t, ktalkd_log_t, file)
+
+manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t)
+files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
+
+manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t)
+files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(ktalkd_t)
+kernel_read_system_state(ktalkd_t)
+kernel_read_network_state(ktalkd_t)
+
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
+corenet_tcp_sendrecv_generic_if(ktalkd_t)
+corenet_udp_sendrecv_generic_if(ktalkd_t)
+corenet_tcp_sendrecv_generic_node(ktalkd_t)
+corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
+
+dev_read_urand(ktalkd_t)
+
+fs_getattr_xattr_fs(ktalkd_t)
+
+files_read_etc_files(ktalkd_t)
+
+term_search_ptys(ktalkd_t)
+term_use_all_terms(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
+init_read_utmp(ktalkd_t)
+
+logging_send_syslog_msg(ktalkd_t)
+
+miscfiles_read_localization(ktalkd_t)
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
new file mode 100644
index 00000000..dd88f746
--- /dev/null
+++ b/policy/modules/contrib/kudzu.fc
@@ -0,0 +1,5 @@
+
+/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
new file mode 100644
index 00000000..65bcaffa
--- /dev/null
+++ b/policy/modules/contrib/kudzu.if
@@ -0,0 +1,64 @@
+## <summary>Hardware detection and configuration tools</summary>
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kudzu_domtrans',`
+ gen_require(`
+ type kudzu_t, kudzu_exec_t;
+ ')
+
+ domtrans_pattern($1, kudzu_exec_t, kudzu_t)
+')
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain, and
+## allow the specified role the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kudzu_run',`
+ gen_require(`
+ type kudzu_t;
+ ')
+
+ kudzu_domtrans($1)
+ role $2 types kudzu_t;
+')
+
+########################################
+## <summary>
+## Get attributes of kudzu executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for ddcprobe
+interface(`kudzu_getattr_exec_files',`
+ gen_require(`
+ type kudzu_exec_t;
+ ')
+
+ allow $1 kudzu_exec_t:file getattr;
+')
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
new file mode 100644
index 00000000..4f7bd3c3
--- /dev/null
+++ b/policy/modules/contrib/kudzu.te
@@ -0,0 +1,145 @@
+policy_module(kudzu, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t, kudzu_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process { signal_perms execmem };
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+allow kudzu_t self:udp_socket { create ioctl };
+
+manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_list_proc(kudzu_t)
+kernel_read_device_sysctls(kudzu_t)
+kernel_read_kernel_sysctls(kudzu_t)
+kernel_read_proc_symlinks(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+
+files_read_kernel_modules(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_search_ramfs(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
+
+mls_file_read_all_levels(kudzu_t)
+mls_file_write_all_levels(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
+
+term_dontaudit_use_console(kudzu_t)
+# so it can write messages to the console
+term_use_unallocated_ttys(kudzu_t)
+
+corecmd_exec_all_executables(kudzu_t)
+
+domain_use_interactive_fds(kudzu_t)
+
+files_search_var(kudzu_t)
+files_search_locks(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t, file)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+files_read_usr_files(kudzu_t)
+# for /etc/sysconfig/hwconf - probably need a new type
+files_rw_etc_runtime_files(kudzu_t)
+# for file systems that are not yet mounted
+files_dontaudit_search_isid_type_dirs(kudzu_t)
+
+init_use_fds(kudzu_t)
+init_use_script_ptys(kudzu_t)
+init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
+# kudzu will telinit to make init re-read
+# the inittab after configuring serial consoles
+init_telinit(kudzu_t)
+
+# Read /usr/lib/gconv/gconv-modules.*
+libs_read_lib_files(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_hwdata(kudzu_t)
+miscfiles_read_localization(kudzu_t)
+
+modutils_read_module_config(kudzu_t)
+modutils_read_module_deps(kudzu_t)
+modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
+modutils_domtrans_insmod(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_use_user_terminals(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`
+ nscd_socket_use(kudzu_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`
+ udev_read_db(kudzu_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(kudzu_t)
+ unconfined_domain(kudzu_t)
+')
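Review bot: `dontaudit kudzu_t self:capability sys_tty_config;` has no effect, because the allow on the line above it already grants sys_tty_config and a dontaudit only suppresses denials. One of the two should go: drop sys_tty_config from the allow set if the dontaudit was the intent (the pattern the ldap module in this diff uses), or drop the dontaudit line if kudzu really configures ttys. The final optional_policy block turns kudzu_t into an unconfined domain whenever the unconfined module is present, which makes the careful rules above it largely moot on such builds; a comment stating that this is deliberate and why would help whoever reads the module next.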
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
new file mode 100644
index 00000000..ba8ba951
--- /dev/null
+++ b/policy/modules/contrib/ldap.fc
@@ -0,0 +1,21 @@
+
+/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+/usr/lib(64)?/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+')
+
+/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
new file mode 100644
index 00000000..e131cfae
--- /dev/null
+++ b/policy/modules/contrib/ldap.if
@@ -0,0 +1,123 @@
+## <summary>OpenLDAP directory server</summary>
+
+########################################
+## <summary>
+## Read the contents of the OpenLDAP
+## database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_list_db',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ allow $1 slapd_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the OpenLDAP configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_read_config',`
+ gen_require(`
+ type slapd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Use LDAP over TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to slapd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 slapd_var_run_t:sock_file write;
+ allow $1 slapd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ldap environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ldap domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+ gen_require(`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_initrc_exec_t, slapd_exec_t;
+ ')
+
+ allow $1 slapd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slapd_t)
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 slapd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ role $2 types slapd_t;
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+
+ files_list_etc($1)
+ admin_pattern($1, slapd_etc_t)
+
+ admin_pattern($1, slapd_lock_t)
+
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, slapd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
+')
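Review bot: ldap_list_db's summary says "Read the contents of the OpenLDAP database directories", but the body grants only `allow $1 slapd_db_t:dir list_dir_perms;`, so callers get directory listing and no file reads; either change the summary to "List the OpenLDAP database directories" or add a read_files_pattern if reading was intended. ldap_admin administers slapd_etc_t, slapd_lock_t, slapd_replog_t, slapd_tmp_t and slapd_var_run_t but not slapd_db_t or slapd_cert_t, both declared in ldap.te; if keeping the database and certificates outside the admin role is deliberate, a comment saying so would stop someone adding them back, otherwise `admin_pattern($1, slapd_db_t)` belongs with the others. The interface also lets $1 transition directly into slapd_t via domtrans_pattern, which is rarer than the init-script transition the other admin interfaces in this diff use and is worth a comment.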
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
new file mode 100644
index 00000000..116bbe27
--- /dev/null
+++ b/policy/modules/contrib/ldap.te
@@ -0,0 +1,134 @@
+policy_module(ldap, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type slapd_t;
+type slapd_exec_t;
+init_daemon_domain(slapd_t, slapd_exec_t)
+
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
+type slapd_db_t;
+files_type(slapd_db_t)
+
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
+
+type slapd_initrc_exec_t;
+init_script_file(slapd_initrc_exec_t)
+
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
+type slapd_replog_t;
+files_type(slapd_replog_t)
+
+type slapd_tmp_t;
+files_tmp_file(slapd_tmp_t)
+
+type slapd_var_run_t;
+files_pid_file(slapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# should not need kill
+# cjp: why net_raw?
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+dontaudit slapd_t self:capability sys_tty_config;
+allow slapd_t self:process { setsched signal };
+allow slapd_t self:fifo_file rw_fifo_file_perms;
+allow slapd_t self:udp_socket create_socket_perms;
+allow slapd_t self:unix_stream_socket listen;
+#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+allow slapd_t self:tcp_socket create_stream_socket_perms;
+
+allow slapd_t slapd_cert_t:dir list_dir_perms;
+read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
+
+# Allow access to the slapd databases
+manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+
+allow slapd_t slapd_etc_t:file read_file_perms;
+
+allow slapd_t slapd_lock_t:file manage_file_perms;
+files_lock_filetrans(slapd_t, slapd_lock_t, file)
+
+# Allow access to write the replication log (should tighten this)
+manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+
+manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
+manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+
+kernel_read_system_state(slapd_t)
+kernel_read_kernel_sysctls(slapd_t)
+
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
+corenet_tcp_sendrecv_generic_if(slapd_t)
+corenet_udp_sendrecv_generic_if(slapd_t)
+corenet_tcp_sendrecv_generic_node(slapd_t)
+corenet_udp_sendrecv_generic_node(slapd_t)
+corenet_tcp_sendrecv_all_ports(slapd_t)
+corenet_udp_sendrecv_all_ports(slapd_t)
+corenet_tcp_bind_generic_node(slapd_t)
+corenet_tcp_bind_ldap_port(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
+corenet_sendrecv_ldap_server_packets(slapd_t)
+corenet_sendrecv_all_client_packets(slapd_t)
+
+dev_read_urand(slapd_t)
+dev_read_sysfs(slapd_t)
+
+fs_getattr_all_fs(slapd_t)
+fs_search_auto_mountpoints(slapd_t)
+
+domain_use_interactive_fds(slapd_t)
+
+files_read_etc_files(slapd_t)
+files_read_etc_runtime_files(slapd_t)
+files_read_usr_files(slapd_t)
+files_list_var_lib(slapd_t)
+
+auth_use_nsswitch(slapd_t)
+
+logging_send_syslog_msg(slapd_t)
+
+miscfiles_read_generic_certs(slapd_t)
+miscfiles_read_localization(slapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+userdom_dontaudit_search_user_home_dirs(slapd_t)
+userdom_use_user_terminals(slapd_t)
+
+optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
+')
+
+optional_policy(`
+ sasl_connect(slapd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+')
+
+optional_policy(`
+ udev_read_db(slapd_t)
+')
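Review bot: `corenet_tcp_connect_all_ports(slapd_t)` and `corenet_sendrecv_all_client_packets(slapd_t)` give the directory server outbound access to every TCP port, while the bind side is correctly limited to `corenet_tcp_bind_ldap_port(slapd_t)`; unless slapd must reach arbitrary backends, `corenet_tcp_connect_ldap_port(slapd_t)` together with `corenet_sendrecv_ldap_client_packets(slapd_t)` would cover replication and chaining to other LDAP servers. The `net_raw` capability in the `self:capability` line still carries the open question `# cjp: why net_raw?`; either resolve it or record the observed denial it works around, since it is unrelated to the rest of the grants. The same `*_all_ports` pattern appears in lircd.te later in this commit.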
diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc
new file mode 100644
index 00000000..057a4e45
--- /dev/null
+++ b/policy/modules/contrib/likewise.fc
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
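Review bot: Several paths here leave a literal `.` unescaped while neighbouring entries escape it: `/etc/likewise-open/.pstore.lock`, `likewise-krb5-ad.conf`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and the six `/var/run/*.pid` entries. File-context paths are regular expressions, so an unescaped dot matches any character and can apply the label to unintended files; write them as `/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)`, matching the `\.` already used on the `sam\.db` and `LWNetsd\.err` lines. The trailing blank line at the end of the file can also be dropped.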
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
new file mode 100644
index 00000000..771e04b6
--- /dev/null
+++ b/policy/modules/contrib/likewise.if
@@ -0,0 +1,105 @@
+## <summary>Likewise Active Directory support for UNIX.</summary>
+## <desc>
+## <p>
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The template to define a likewise domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new likewise daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`likewise_domain_template',`
+
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ typeattribute $1_t likewise_domains;
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_socket_t;
+ files_type($1_var_socket_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ allow $1_t likewise_var_lib_t:dir setattr;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
+
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_read_etc_files($1_t)
+ files_search_var_lib($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Connect to lsassd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
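Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the socket it connects to is labelled `likewise_var_lib_t`, which the .fc in this commit places under `/var/lib/likewise-open`; the caller is granted search on the pid directory it never uses and nothing on `/var/lib`, so the connect will fail for any domain that cannot already traverse var_lib_t. Replace it with `files_search_var_lib($1)`. Separately, the template parameter is documented as `userdomain_prefix` / "The type of daemon to be used." although it is used as the prefix for the daemon's types; a summary such as "Prefix used for the daemon's types (e.g. lsassd)." would describe it accurately.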
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
new file mode 100644
index 00000000..5ba6cc2a
--- /dev/null
+++ b/policy/modules/contrib/likewise.te
@@ -0,0 +1,238 @@
+policy_module(likewise, 1.2.0)
+
+#################################
+#
+# Declarations
+#
+
+attribute likewise_domains;
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+likewise_domain_template(dcerpcd)
+
+likewise_domain_template(eventlogd)
+
+likewise_domain_template(lsassd)
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+likewise_domain_template(lwiod)
+
+likewise_domain_template(lwregd)
+
+likewise_domain_template(lwsmd)
+
+likewise_domain_template(netlogond)
+
+likewise_domain_template(srvsvcd)
+
+#################################
+#
+# Likewise dcerpcd personal policy
+#
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_sendrecv_generic_server_packets(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_sendrecv_generic_server_packets(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+corenet_tcp_sendrecv_generic_port(eventlogd_t)
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_if(eventlogd_t)
+corenet_udp_sendrecv_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_port(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+corenet_tcp_sendrecv_generic_port(lsassd_t)
+corenet_tcp_bind_generic_node(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+files_relabelto_home(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, system_r)
+
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_user_home_content_files(lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+allow lwiod_t self:capability { fowner chown fsetid dac_override };
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+allow lwsmd_t likewise_domains:process signal;
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+allow netlogond_t self:capability {dac_override};
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(srvsvcd_t)
+corenet_all_recvfrom_unlabeled(srvsvcd_t)
+corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+corenet_tcp_sendrecv_generic_port(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
+
+optional_policy(`
+ kerberos_use(srvsvcd_t)
+')
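Review bot: The lsassd_t section grants a wide set of system-altering permissions with no comment on why each is needed: `files_manage_etc_files`, `files_manage_etc_symlinks`, `files_relabelto_home`, `domain_obj_id_change_exemption`, `seutil_run_semanage(lsassd_t, system_r)`, `corecmd_exec_shell` and `userdom_manage_user_home_content_files`. Together these let an authentication daemon rewrite /etc, run semanage and write arbitrary user home content, which is close to an administrative domain; each line should carry a short why-comment (e.g. `# TODO(review): state the operation that requires this`) or be narrowed to the likewise-specific types already declared above (`likewise_etc_t`, `likewise_krb5_ad_t`). `allow netlogond_t self:capability {dac_override};` should also be written `{ dac_override }` like every other capability set in the file.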
diff --git a/policy/modules/contrib/links.fc b/policy/modules/contrib/links.fc
new file mode 100644
index 00000000..d973b307
--- /dev/null
+++ b/policy/modules/contrib/links.fc
@@ -0,0 +1,2 @@
+/usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0)
+HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0)
diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if
new file mode 100644
index 00000000..61254fc3
--- /dev/null
+++ b/policy/modules/contrib/links.if
@@ -0,0 +1,46 @@
+## <summary>Links web browser</summary>
+
+#######################################
+## <summary>
+## The role interface for the links module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`links_role',`
+ gen_require(`
+ type links_t, links_exec_t, links_tmpfs_t, links_home_t;
+ ')
+
+ #######################################
+ #
+ # Declarations
+ #
+
+ role $1 types links_t;
+
+ ############################
+ #
+ # Policy
+ #
+
+ manage_dirs_pattern($2, links_home_t, links_home_t)
+ manage_files_pattern($2, links_home_t, links_home_t)
+ manage_lnk_files_pattern($2, links_home_t, links_home_t)
+
+ relabel_dirs_pattern($2, links_home_t, links_home_t)
+ relabel_files_pattern($2, links_home_t, links_home_t)
+ relabel_lnk_files_pattern($2, links_home_t, links_home_t)
+
+ domtrans_pattern($2, links_exec_t, links_t)
+
+ ps_process_pattern($2, links_t)
+')
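Review bot: `links_tmpfs_t` is pulled in by the `gen_require` block of `links_role` but never referenced in the body, which creates a dependency the interface does not need and misleads readers about what the role touches; trim the require to `type links_t, links_exec_t, links_home_t;`.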
diff --git a/policy/modules/contrib/links.te b/policy/modules/contrib/links.te
new file mode 100644
index 00000000..a36703f2
--- /dev/null
+++ b/policy/modules/contrib/links.te
@@ -0,0 +1,67 @@
+policy_module(links, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow links to manage files in users home directories (download files)
+## </p>
+## </desc>
+gen_tunable(links_manage_user_files, false)
+
+type links_t;
+type links_exec_t;
+userdom_user_application_domain(links_t, links_exec_t)
+
+type links_home_t;
+userdom_user_home_content(links_home_t)
+
+type links_tmpfs_t;
+userdom_user_tmpfs_file(links_tmpfs_t)
+
+############################
+#
+# Policy
+#
+
+allow links_t self:process signal_perms;
+allow links_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(links_t, links_home_t, links_home_t)
+manage_files_pattern(links_t, links_home_t, links_home_t)
+manage_lnk_files_pattern(links_t, links_home_t, links_home_t)
+manage_sock_files_pattern(links_t, links_home_t, links_home_t)
+manage_fifo_files_pattern(links_t, links_home_t, links_home_t)
+userdom_user_home_dir_filetrans(links_t, links_home_t, dir)
+
+manage_fifo_files_pattern(links_t, links_t, links_t)
+
+manage_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_lnk_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
+fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+
+domain_use_interactive_fds(links_t)
+
+auth_use_nsswitch(links_t)
+
+userdom_use_user_terminals(links_t)
+
+corenet_tcp_connect_http_port(links_t)
+
+miscfiles_read_localization(links_t)
+
+tunable_policy(`links_manage_user_files',`
+ userdom_manage_user_home_content_dirs(links_t)
+ userdom_manage_user_home_content_files(links_t)
+')
+
+
+optional_policy(`
+ xserver_user_x_domain_template(links, links_t, links_tmpfs_t)
+')
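Review bot: `manage_fifo_files_pattern(links_t, links_t, links_t)` grants links_t manage permissions on fifo files labelled with its own process type plus search on `links_t:dir`, which is not how pipe access is expressed elsewhere in this commit (cf. `allow slapd_t self:fifo_file rw_fifo_file_perms;` in ldap.te and the same form in likewise.if and lircd.te); the intended rule is most likely `allow links_t self:fifo_file rw_fifo_file_perms;`. The double blank lines before `domain_use_interactive_fds(links_t)` and before the final `optional_policy` block are also out of step with the rest of the file.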
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
new file mode 100644
index 00000000..49e04e58
--- /dev/null
+++ b/policy/modules/contrib/lircd.fc
@@ -0,0 +1,10 @@
+/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0)
+
+/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+
+/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
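Review bot: The last entry `/var/run/lircd\.pid gen_context(...)` omits the file-type field that every other entry in this file carries, so it matches an object of any class at that path rather than only a regular file; write it as `/var/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)`. Note also that `/dev/lircd -s` is labelled `lircd_sock_t`, which lircd.te in this commit declares only as an alias of `lircd_var_run_t`; using the canonical type name here keeps the .fc and .te consistent.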
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
new file mode 100644
index 00000000..418cc811
--- /dev/null
+++ b/policy/modules/contrib/lircd.if
@@ -0,0 +1,96 @@
+## <summary>Linux infared remote control daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run lircd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lircd_domtrans',`
+ gen_require(`
+ type lircd_t, lircd_exec_t;
+ ')
+
+ domain_auto_trans($1, lircd_exec_t, lircd_t)
+
+')
+
+######################################
+## <summary>
+## Connect to lircd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_stream_connect',`
+ gen_require(`
+ type lircd_var_run_t, lircd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+')
+
+#######################################
+## <summary>
+## Read lircd etc file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lircd_read_config',`
+ gen_require(`
+ type lircd_etc_t;
+ ')
+
+ read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## a lircd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lircd_admin',`
+ gen_require(`
+ type lircd_t, lircd_var_run_t;
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+ allow $1 lircd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lircd_t)
+
+ init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 lircd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, lircd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+')
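Review bot: `lircd_domtrans` uses `domain_auto_trans($1, lircd_exec_t, lircd_t)` where every other new module in this commit uses `domtrans_pattern` (ldap.if, links.if, livecd.if, loadkeys.if); use `domtrans_pattern($1, lircd_exec_t, lircd_t)` and drop the stray blank line before the closing `')`. In `lircd_admin` the role parameter summary reads "The role to be allowed to manage the syslog domain." — a copy-paste leftover that should say "the lircd domain". `lircd_read_config` also lacks the `files_search_etc($1)` that `lircd_admin` includes, so a caller without existing search access on etc_t may be unable to reach the config file.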
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
new file mode 100644
index 00000000..6a78de1e
--- /dev/null
+++ b/policy/modules/contrib/lircd.te
@@ -0,0 +1,64 @@
+policy_module(lircd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type lircd_t;
+type lircd_exec_t;
+init_daemon_domain(lircd_t, lircd_exec_t)
+
+type lircd_initrc_exec_t;
+init_script_file(lircd_initrc_exec_t)
+
+type lircd_etc_t;
+files_type(lircd_etc_t)
+
+type lircd_var_run_t alias lircd_sock_t;
+files_pid_file(lircd_var_run_t)
+
+########################################
+#
+# lircd local policy
+#
+
+allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:unix_dgram_socket create_socket_perms;
+allow lircd_t self:tcp_socket create_stream_socket_perms;
+
+# etc file
+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+# /dev/lircd socket
+dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+
+corenet_tcp_sendrecv_generic_if(lircd_t)
+corenet_tcp_bind_generic_node(lircd_t)
+corenet_tcp_bind_lirc_port(lircd_t)
+corenet_tcp_sendrecv_all_ports(lircd_t)
+corenet_tcp_connect_lirc_port(lircd_t)
+
+dev_read_generic_usb_dev(lircd_t)
+dev_read_mouse(lircd_t)
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+
+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+term_use_ptmx(lircd_t)
+
+logging_send_syslog_msg(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+
+sysnet_dns_name_resolve(lircd_t)
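Review bot: `allow lircd_t self:capability { chown kill sys_admin };` grants `sys_admin`, the broadest capability, with no comment on which operation needs it; justify it inline (`# sys_admin: TODO(review) record the operation observed`) or drop it if auditing shows it unused. `corenet_tcp_sendrecv_all_ports(lircd_t)` sitting between `corenet_tcp_bind_lirc_port` and `corenet_tcp_connect_lirc_port` is broader than the rest of the network block suggests; `corenet_tcp_sendrecv_lirc_port(lircd_t)` would match the bind/connect grants. `files_read_all_locks(lircd_t)` next to `files_manage_generic_locks(lircd_t)` likewise deserves a why-comment.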
diff --git a/policy/modules/contrib/livecd.fc b/policy/modules/contrib/livecd.fc
new file mode 100644
index 00000000..34937fcf
--- /dev/null
+++ b/policy/modules/contrib/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/contrib/livecd.if b/policy/modules/contrib/livecd.if
new file mode 100644
index 00000000..ae29d9f6
--- /dev/null
+++ b/policy/modules/contrib/livecd.if
@@ -0,0 +1,100 @@
+## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t, livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ attribute_role livecd_roles;
+ ')
+
+ livecd_domtrans($1)
+ roleattribute $2 livecd_roles;
+')
+
+########################################
+## <summary>
+## Read livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Allow read and write access to livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem { unix_read unix_write associate read write };
+')
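Review bot: `livecd_rw_semaphores` spells out `{ unix_read unix_write associate read write }` by hand where the rest of the policy relies on permission-set macros; `rw_sem_perms` expresses the same intent (it additionally includes `getattr`), so either switch to it or note why getattr is deliberately excluded. `livecd_run` also lacks the `<rolecap/>` tag that the other role-granting interfaces in this commit carry (`ldap_admin`, `lircd_admin`, `loadkeys_run`), which affects the generated documentation.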
diff --git a/policy/modules/contrib/livecd.te b/policy/modules/contrib/livecd.te
new file mode 100644
index 00000000..008f7186
--- /dev/null
+++ b/policy/modules/contrib/livecd.te
@@ -0,0 +1,43 @@
+policy_module(livecd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role livecd_roles;
+roleattribute system_r livecd_roles;
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role livecd_roles types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# livecd local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+optional_policy(`
+ mount_run(livecd_t, livecd_roles)
+')
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+
+optional_policy(`
+ unconfined_domain(livecd_t)
+')
+
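Review bot: `optional_policy(` unconfined_domain(livecd_t) ')` makes livecd_t fully unconfined whenever the unconfined module is present, and `domain_ptrace_all_domains(livecd_t)` together with `dontaudit livecd_t self:capability2 mac_admin;` extends its reach even when it is not; the declarations section should state this plainly so administrators know what loading the module means, e.g. `# NOTE: livecd_t is effectively unconfined when the unconfined module is loaded`. The trailing blank line after the last `optional_policy` block should be dropped.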
diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc
new file mode 100644
index 00000000..8549f9fe
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.fc
@@ -0,0 +1,3 @@
+
+/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/contrib/loadkeys.if b/policy/modules/contrib/loadkeys.if
new file mode 100644
index 00000000..b55edd05
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.if
@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+## Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`loadkeys_domtrans',`
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit loadkeys_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the loadkeys domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`loadkeys_run',`
+ gen_require(`
+ type loadkeys_t;
+ ')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`loadkeys_exec',`
+ gen_require(`
+ type loadkeys_exec_t;
+ ')
+
+ can_exec($1, loadkeys_exec_t)
+')
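Review bot: The summary of `loadkeys_run` is a copy of the `loadkeys_domtrans` summary and omits the role grant that distinguishes it; the sibling `logrotate_run` in this series spells it out, so use the same form: `## Execute the loadkeys program in the loadkeys domain, and` / `## allow the specified role the loadkeys domain.` Also, `loadkeys_exec` calls `can_exec` without `corecmd_search_bin($1)`, whereas `loadkeys_domtrans` and `logrotate_exec` both search bin first; adding `corecmd_search_bin($1)` before the `can_exec` line keeps the caller from needing a separate search rule to reach `/bin`.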
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
new file mode 100644
index 00000000..2523758c
--- /dev/null
+++ b/policy/modules/contrib/loadkeys.te
@@ -0,0 +1,50 @@
+policy_module(loadkeys, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t, loadkeys_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
+
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
+
+init_dontaudit_use_fds(loadkeys_t)
+init_dontaudit_use_script_ptys(loadkeys_t)
+
+locallogin_use_fds(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
+
+userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_content(loadkeys_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+')
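Review bot: The new file ships with the open note `# cjp: this should probably be rewritten per user domain`, and the rules below it show why that matters to anyone calling `loadkeys_run`: loadkeys_t carries `dac_override dac_read_search setuid sys_tty_config` plus `term_use_unallocated_ttys` and `userdom_use_user_ttys`, so a role granted this domain gets read/write on every user tty, not just its own. Either expand the note into a caveat in the `.if` summary (e.g. `## The loadkeys domain can read and write all user ttys; grant with care.`) or say what a per-role rewrite would need so the TODO is actionable. The `setuid` capability in particular has no justification in the hunk; a short `# for ...` comment, or removal if it was carried over, would help.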
diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc
new file mode 100644
index 00000000..8b5ce032
--- /dev/null
+++ b/policy/modules/contrib/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/policy/modules/contrib/lockdev.if b/policy/modules/contrib/lockdev.if
new file mode 100644
index 00000000..8e7d279a
--- /dev/null
+++ b/policy/modules/contrib/lockdev.if
@@ -0,0 +1,33 @@
+## <summary>device locking policy for lockdev</summary>
+
+########################################
+## <summary>
+## Role access for lockdev
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`lockdev_role',`
+ gen_require(`
+ type lockdev_t, lockdev_exec_t;
+ type lockdev_lock_t;
+ ')
+
+ role $1 types lockdev_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+ allow lockdev_t $2:process signull;
+
+ # allow ps to show lockdev
+ ps_process_pattern($2, lockdev_t)
+ allow $2 lockdev_t:process signal;
+')
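Review bot: `type lockdev_lock_t;` in the `gen_require` of `lockdev_role` is never referenced in the body, which only touches lockdev_t and lockdev_exec_t; drop that line, or keep it only if a lock-file rule for `$2` was meant to follow. The comment `# allow ps to show lockdev` sits above `ps_process_pattern` but the following `allow $2 lockdev_t:process signal;` is about the user killing lockdev rather than listing it, so a separate `# allow the user to signal lockdev` line would read more accurately.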
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
new file mode 100644
index 00000000..572b5dbb
--- /dev/null
+++ b/policy/modules/contrib/lockdev.te
@@ -0,0 +1,37 @@
+policy_module(lockdev, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_t;
+type lockdev_exec_t;
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+userdom_user_application_domain(lockdev_t, lockdev_exec_t)
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities.
+allow lockdev_t self:capability setgid;
+
+allow lockdev_t lockdev_lock_t:file manage_file_perms;
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
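Review bot: `# Use capabilities.` above `allow lockdev_t self:capability setgid;` says nothing about why a user-invoked domain needs setgid; if, as seems likely, the binary is installed setgid to the lock group so it can write `/var/lock`, say so: `# lockdev is setgid to the lock group so it can write /var/lock`. `files_read_all_locks(lockdev_t)` is also worth a why-comment, since it exposes every other subsystem's lock files to this domain; presumably it is for checking stale PIDs in existing locks (the `signull` grant in `lockdev_role` points the same way), which should be stated rather than inferred.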
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
new file mode 100644
index 00000000..36c8de7f
--- /dev/null
+++ b/policy/modules/contrib/logrotate.fc
@@ -0,0 +1,9 @@
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+ifdef(`distro_debian', `
+/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/policy/modules/contrib/logrotate.if b/policy/modules/contrib/logrotate.if
new file mode 100644
index 00000000..9cd6b0b8
--- /dev/null
+++ b/policy/modules/contrib/logrotate.if
@@ -0,0 +1,120 @@
+## <summary>Rotate and archive system logs</summary>
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logrotate_domtrans',`
+ gen_require(`
+ type logrotate_t, logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, logrotate_exec_t, logrotate_t)
+')
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate domain, and
+## allow the specified role the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logrotate_run',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ logrotate_domtrans($1)
+ role $2 types logrotate_t;
+')
+
+########################################
+## <summary>
+## Execute logrotate in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_exec',`
+ gen_require(`
+ type logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, logrotate_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ allow $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logrotate_dontaudit_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ dontaudit $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Read a logrotate temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_read_tmp_files',`
+ gen_require(`
+ type logrotate_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logrotate_tmp_t:file read_file_perms;
+')
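Review bot: The summary of `logrotate_read_tmp_files` reads `## Read a logrotate temporary files.`, which mixes singular and plural; the sibling `logwatch_read_tmp_files` in this series has the correct form, so change it to `## Read logrotate temporary files.`. The rest of the interfaces are consistently documented.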
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
new file mode 100644
index 00000000..7090dae7
--- /dev/null
+++ b/policy/modules/contrib/logrotate.te
@@ -0,0 +1,230 @@
+policy_module(logrotate, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type logrotate_t;
+domain_type(logrotate_t)
+domain_obj_id_change_exemption(logrotate_t)
+domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
+domain_entry_file(logrotate_t, logrotate_exec_t)
+
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_type(logrotate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
+allow logrotate_t self:fd use;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
+files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+
+can_exec(logrotate_t, logrotate_tmp_t)
+
+manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+auth_use_nsswitch(logrotate_t)
+
+# Run helper programs.
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_interactive_fds(logrotate_t)
+domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logrotate_t)
+
+files_read_usr_files(logrotate_t)
+files_read_etc_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
+files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
+files_manage_generic_spool(logrotate_t)
+files_manage_generic_spool_dirs(logrotate_t)
+files_getattr_generic_locks(logrotate_t)
+
+# cjp: why is this needed?
+init_domtrans_script(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+logging_send_syslog_msg(logrotate_t)
+logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
+logging_exec_all_logs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+seutil_dontaudit_read_config(logrotate_t)
+
+userdom_use_user_terminals(logrotate_t)
+userdom_list_user_home_dirs(logrotate_t)
+userdom_use_unpriv_users_fds(logrotate_t)
+
+cron_system_entry(logrotate_t, logrotate_exec_t)
+cron_search_spool(logrotate_t)
+
+mta_send_mail(logrotate_t)
+
+ifdef(`distro_debian', `
+ allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+
+ # for syslogd-listfiles
+ logging_read_syslog_config(logrotate_t)
+
+ # for "test -x /sbin/syslogd"
+ logging_check_exec_syslog(logrotate_t)
+')
+
+optional_policy(`
+ abrt_cache_manage(logrotate_t)
+')
+
+optional_policy(`
+ acct_domtrans(logrotate_t)
+ acct_manage_data(logrotate_t)
+ acct_exec_data(logrotate_t)
+')
+
+optional_policy(`
+ apache_read_config(logrotate_t)
+ apache_domtrans(logrotate_t)
+ apache_signull(logrotate_t)
+')
+
+optional_policy(`
+ asterisk_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
+ consoletype_exec(logrotate_t)
+')
+
+optional_policy(`
+ cups_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ hostname_exec(logrotate_t)
+')
+
+optional_policy(`
+ icecast_signal(logrotate_t)
+')
+
+optional_policy(`
+ mailman_domtrans(logrotate_t)
+ mailman_search_data(logrotate_t)
+ mailman_manage_log(logrotate_t)
+')
+
+optional_policy(`
+ munin_read_config(logrotate_t)
+ munin_stream_connect(logrotate_t)
+ munin_search_lib(logrotate_t)
+')
+
+optional_policy(`
+ mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
+ mysql_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ psad_domtrans(logrotate_t)
+')
+
+
+optional_policy(`
+ samba_exec_log(logrotate_t)
+')
+
+optional_policy(`
+ sssd_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ slrnpull_manage_spool(logrotate_t)
+')
+
+optional_policy(`
+ squid_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ #Red Hat bug 564565
+ su_exec(logrotate_t)
+')
+
+optional_policy(`
+ varnishd_manage_log(logrotate_t)
+')
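Review bot: `logging_exec_all_logs(logrotate_t)` grants execute on every log file type to a domain that runs from cron with `corecmd_exec_shell` and root-level capabilities, and the only justification in the file is `# cjp: why is this needed?`; if any log type is writable by a less trusted domain this is a straightforward code-execution path, so the need should be confirmed and the rule either dropped or confined to the case that requires it (the Debian `savelog` block already exists for distro-specific needs) with a comment saying what it is for. Separately, `allow logrotate_t self:process ~{ ... setfscreate ... }` excludes setfscreate and the very next rule `allow logrotate_t self:process setfscreate;` re-grants it, so the complement set is misleading — remove `setfscreate` from the exclusion list or drop the later line, keeping the `# Set a context other than the default one` comment either way. `su_exec(logrotate_t)` is justified only by a bug number; a sentence on what logrotate needs su for would spare the next reader a lookup.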
diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc
new file mode 100644
index 00000000..3c7b1e8b
--- /dev/null
+++ b/policy/modules/contrib/logwatch.fc
@@ -0,0 +1,7 @@
+/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
+/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
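Review bot: `/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)` labels files under a log directory with the lock type; if these really are logcheck's lock files their location under `/var/log` is unusual enough to deserve a comment, and if they are logs they should get a type declared with `logging_log_file` instead. The `gen_context(... , s0)` spacing on the `logwatch.pl` and `/var/cache/logwatch` entries differs from the rest of the file; drop the space before `s0` for consistency.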
diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if
new file mode 100644
index 00000000..d878e752
--- /dev/null
+++ b/policy/modules/contrib/logwatch.if
@@ -0,0 +1,38 @@
+## <summary>System log analyzer and reporter</summary>
+
+########################################
+## <summary>
+## Read logwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_read_tmp_files',`
+ gen_require(`
+ type logwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logwatch_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search logwatch cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_search_cache_dir',`
+ gen_require(`
+ type logwatch_cache_t;
+ ')
+
+ allow $1 logwatch_cache_t:dir search_dir_perms;
+')
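Review bot: `logwatch_search_cache_dir` allows search on `logwatch_cache_t` but not on the path leading to `/var/cache/logwatch`, so a caller without its own search rule on `/var` (presumably var_t) would still be denied before reaching the cache directory. The other interfaces in this series pair the allow with a path grant (`files_search_tmp($1)` in `logwatch_read_tmp_files`, `files_search_spool($1)` in `lpd_list_spool`); add `files_search_var($1)` before the allow line here.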
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
new file mode 100644
index 00000000..75ce30f3
--- /dev/null
+++ b/policy/modules/contrib/logwatch.te
@@ -0,0 +1,147 @@
+policy_module(logwatch, 1.11.0)
+
+#################################
+#
+# Declarations
+#
+
+type logwatch_t;
+type logwatch_exec_t;
+application_domain(logwatch_t, logwatch_exec_t)
+role system_r types logwatch_t;
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_lock_t;
+files_lock_file(logwatch_lock_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
+allow logwatch_t self:fifo_file rw_file_perms;
+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+
+allow logwatch_t logwatch_lock_t:file manage_file_perms;
+files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
+
+manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
+kernel_read_fs_sysctls(logwatch_t)
+kernel_read_kernel_sysctls(logwatch_t)
+kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
+
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+dev_read_sysfs(logwatch_t)
+
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logwatch_t)
+
+files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
+files_read_etc_files(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+files_search_spool(logwatch_t)
+files_search_mnt(logwatch_t)
+files_dontaudit_search_home(logwatch_t)
+files_dontaudit_search_boot(logwatch_t)
+# Execs df and if file system mounted with a context avc raised
+files_dontaudit_search_all_dirs(logwatch_t)
+
+fs_getattr_all_fs(logwatch_t)
+fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
+
+term_dontaudit_getattr_pty_dirs(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+auth_use_nsswitch(logwatch_t)
+auth_dontaudit_read_shadow(logwatch_t)
+
+init_read_utmp(logwatch_t)
+init_dontaudit_write_utmp(logwatch_t)
+
+libs_read_lib_files(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+selinux_dontaudit_getattr_dir(logwatch_t)
+
+sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
+
+mta_send_mail(logwatch_t)
+
+ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
+ files_getattr_all_file_type_fs(logwatch_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(logwatch_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(logwatch_t)
+')
+
+optional_policy(`
+ apache_read_log(logwatch_t)
+')
+
+optional_policy(`
+ avahi_dontaudit_search_pid(logwatch_t)
+')
+
+optional_policy(`
+ bind_read_config(logwatch_t)
+ bind_read_zone(logwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(logwatch_t)
+')
+
+optional_policy(`
+ mta_getattr_spool(logwatch_t)
+')
+
+optional_policy(`
+ ntp_domtrans(logwatch_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(logwatch_t)
+')
+
+optional_policy(`
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+')
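Review bot: `allow logwatch_t self:fifo_file rw_file_perms;` uses the generic file permission macro on a fifo, while the rest of this series (logrotate_t, lpd_t, loadkeys_t) uses the class-specific `rw_fifo_file_perms`; change it to `allow logwatch_t self:fifo_file rw_fifo_file_perms;` so a later change to either macro does the expected thing. The `# Execs df and if file system mounted with a context avc raised` comment above `files_dontaudit_search_all_dirs` would read better as `# df walks every mountpoint; do not audit searches of dirs with foreign contexts`.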
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
new file mode 100644
index 00000000..5c9eb683
--- /dev/null
+++ b/policy/modules/contrib/lpd.fc
@@ -0,0 +1,37 @@
+#
+# /dev
+#
+/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
+
+/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
+#
+# /var
+#
+/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
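Review bot: `/dev/printer -s gen_context(system_u:object_r:printer_t,s0)` only matches a socket, but lpd.te in the same commit creates `/dev/printer` with `dev_filetrans(lpd_t, printer_t, lnk_file)` and manages it as `printer_t:lnk_file`, while lpr_t uses it as `printer_t:sock_file`; a symlink at that path would not be relabeled by this entry and would fall back to the `/dev` default. Confirm which object class lpd actually creates and either change the `-s` to `-l` (or add a second line) or fix the filetrans class in lpd.te.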
diff --git a/policy/modules/contrib/lpd.if b/policy/modules/contrib/lpd.if
new file mode 100644
index 00000000..a4f32f54
--- /dev/null
+++ b/policy/modules/contrib/lpd.if
@@ -0,0 +1,214 @@
+## <summary>Line printer daemon</summary>
+
+########################################
+## <summary>
+## Role access for lpd
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`lpd_role',`
+ gen_require(`
+ type lpr_t, lpr_exec_t, print_spool_t;
+ ')
+
+ role $1 types lpr_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signull;
+
+ optional_policy(`
+ cups_read_config($2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute lpd in the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lpd_domtrans_checkpc',`
+ gen_require(`
+ type checkpc_t, checkpc_exec_t;
+ ')
+
+ domtrans_pattern($1, checkpc_exec_t, checkpc_t)
+')
+
+########################################
+## <summary>
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_run_checkpc',`
+ gen_require(`
+ type checkpc_t;
+ ')
+
+ lpd_domtrans_checkpc($1)
+ role $2 types checkpc_t;
+')
+
+########################################
+## <summary>
+## List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_list_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the printer spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete printer spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_manage_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+## <summary>
+## Relabel from and to the spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_relabel_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+## List the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lpd_read_config',`
+ gen_require(`
+ type printconf_t;
+ ')
+
+ allow $1 printconf_t:dir list_dir_perms;
+ read_files_pattern($1, printconf_t, printconf_t)
+')
+
+########################################
+## <summary>
+## Transition to a user lpr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
+
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute lpr
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lpd_exec_lpr',`
+ gen_require(`
+ type lpr_exec_t;
+ ')
+
+ can_exec($1, lpr_exec_t)
+')
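Review bot: Three interface summaries describe the wrong thing: `lpd_domtrans_checkpc` says `## Execute lpd in the lpd domain.` (it transitions to checkpc_t), `lpd_run_checkpc` says `## Execute amrecover in the lpd domain, and` (copied from the amanda module), and `lpd_read_config` says `## List the contents of the printer spool directories.` (it reads printconf_t). Replace them with `## Execute checkpc in the checkpc domain.`, `## Execute checkpc in the checkpc domain, and` / `## allow the specified role the checkpc domain.`, and `## Read the printer configuration files.` respectively. `lpd_domtrans_lpr` is declared with `template(` although it takes only a domain and uses no per-role derived types; `interface(` matches its siblings.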
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
new file mode 100644
index 00000000..a03b63a9
--- /dev/null
+++ b/policy/modules/contrib/lpd.te
@@ -0,0 +1,328 @@
+policy_module(lpd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server, false)
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t, checkpc_exec_t)
+role system_r types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t, lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_t;
+type lpr_exec_t;
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+userdom_user_application_domain(lpr_t, lpr_exec_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+userdom_user_tmp_file(lpr_tmp_t)
+
+# Type for spool files.
+type print_spool_t;
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_type(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file manage_file_perms;
+logging_log_filetrans(checkpc_t, checkpc_log_t, file)
+
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+files_search_pids(checkpc_t)
+
+rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+files_search_spool(checkpc_t)
+
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir list_dir_perms;
+
+kernel_read_system_state(checkpc_t)
+
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
+corenet_tcp_sendrecv_generic_if(checkpc_t)
+corenet_udp_sendrecv_generic_if(checkpc_t)
+corenet_tcp_sendrecv_generic_node(checkpc_t)
+corenet_udp_sendrecv_generic_node(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+corenet_udp_sendrecv_all_ports(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+# Allow access to /dev/console through the fd:
+init_use_fds(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+userdom_use_user_terminals(checkpc_t)
+
+optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+
+# Write to /var/spool/lpd.
+manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+files_search_spool(lpd_t)
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+allow lpd_t printconf_t:dir list_dir_perms;
+can_exec(lpd_t, printconf_t)
+
+# Create and bind to /dev/printer.
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(lpd_t, printer_t, lnk_file)
+
+kernel_read_kernel_sysctls(lpd_t)
+# bash wants access to /proc/meminfo
+kernel_read_system_state(lpd_t)
+
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
+corenet_tcp_sendrecv_generic_if(lpd_t)
+corenet_udp_sendrecv_generic_if(lpd_t)
+corenet_tcp_sendrecv_generic_node(lpd_t)
+corenet_udp_sendrecv_generic_node(lpd_t)
+corenet_tcp_sendrecv_all_ports(lpd_t)
+corenet_udp_sendrecv_all_ports(lpd_t)
+corenet_tcp_bind_generic_node(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_bin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+# for defoma
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+# config files for lpd are of type etc_t, probably should change this
+files_read_etc_files(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
+
+optional_policy(`
+ nis_use_ypbind(lpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+ udev_read_db(lpd_t)
+')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket create_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_generic_node(lpr_t)
+corenet_udp_sendrecv_generic_node(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+auth_use_nsswitch(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search;
+ allow lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file rw_sock_file_perms;
+ allow lpr_t lpd_t:unix_stream_socket connectto;
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
+ filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
+ # Read and write shared files in the spool directory.
+ allow lpr_t print_spool_t:file rw_file_perms;
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern(lpr_t, printconf_t, printconf_t)
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
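Review bot: `allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };` is placed in the lpr section (under the bare `# Local policy` header) but is an lpd_t rule, and it is already covered by `manage_files_pattern(lpd_t, print_spool_t, print_spool_t)` in the lpd section, so it can be removed; the header itself should read `# Lpr local policy` like the checkpc and lpd headers above it. For checkpc_t, `corenet_tcp_connect_all_ports` lets a spool-checking utility connect to any TCP port, which seems wider than needed; if it only talks to the local lpd, `corenet_tcp_connect_printer_port(checkpc_t)` would be the narrower grant, though that needs confirming against what checkpc does.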
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
new file mode 100644
index 00000000..14ad1896
--- /dev/null
+++ b/policy/modules/contrib/mailman.fc
@@ -0,0 +1,34 @@
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+')
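Review bot: The generic cron pattern `/usr/lib/mailman/cron/.*` lacks the `(64)?` that the mailmanctl line directly above it and every distro_redhat path use, so on a lib64 layout the cron scripts would stay unlabeled and cron would not enter mailman_queue_t for them. Changing it to `/usr/lib(64)?/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)` keeps it consistent with the rest of the file. Separately, `/var/run/mailman(/.*)?` is labeled with the lock type `mailman_lock_t` rather than a runtime/pid type; if that directory only holds lock files that is fine, but a one-line comment saying so would stop the next reader from "fixing" it.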
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
new file mode 100644
index 00000000..67c7fddf
--- /dev/null
+++ b/policy/modules/contrib/mailman.if
@@ -0,0 +1,352 @@
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+#######################################
+## <summary>
+## The template to define a mailmain domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new mailman daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used eg, cgi would give mailman_cgi_
+## </summary>
+## </param>
+#
+template(`mailman_domain_template', `
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+ allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ allow mailman_$1_t self:udp_socket create_socket_perms;
+
+ files_search_spool(mailman_$1_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+
+ manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t)
+ files_lock_filetrans(mailman_$1_t, mailman_lock_t, file)
+
+ manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t)
+ logging_log_filetrans(mailman_$1_t, mailman_log_t, file)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ kernel_read_kernel_sysctls(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
+ fs_getattr_xattr_fs(mailman_$1_t)
+
+ corecmd_exec_all_executables(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+ files_list_usr(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+ files_read_etc_runtime_files(mailman_$1_t)
+
+ auth_use_nsswitch(mailman_$1_t)
+
+ libs_exec_ld_so(mailman_$1_t)
+ libs_exec_lib_files(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
+
+ miscfiles_read_localization(mailman_$1_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowd access.
+## </summary>
+## </param>
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ can_exec($1, mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to the mailman cgi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+## Allow domain to search data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to to read mailman data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to to create mailman data files
+## and write the directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ manage_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## List the contents of mailman data directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow read acces to mailman data symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+## <summary>
+## Read mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Append to mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_append_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ append_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ manage_files_pattern($1, mailman_log_t, mailman_log_t)
+ manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to read mailman archive files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
+')
+
+#######################################
+## <summary>
+## Execute mailman_queue in the mailman_queue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mailman_domtrans_queue',`
+ gen_require(`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
+')
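Review bot: `mailman_domain_template` grants every derived domain `corecmd_exec_all_executables`, `files_exec_etc_files` and `libs_exec_lib_files`, plus `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports`, and the same template builds `mailman_cgi_t`, the domain httpd is meant to enter through `mailman_domtrans_cgi`. That leaves the web-facing domain able to execute any system binary, which is wider than a CGI front end appears to need and is not explained by any comment in the template. If only the mail or queue runner actually spawns helper programs, move those exec grants into that domain's section of mailman.te where they can be justified; otherwise add a why-comment at the `corecmd_exec_all_executables` line naming what the CGI scripts execute, e.g. `# all three domains run python and the mailman wrappers via exec — TODO confirm the CGI path needs this`.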
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
new file mode 100644
index 00000000..af4d5728
--- /dev/null
+++ b/policy/modules/contrib/mailman.te
@@ -0,0 +1,128 @@
+policy_module(mailman, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for cgi should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`
+ dev_read_urand(mailman_cgi_t)
+
+ manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+
+ files_search_spool(mailman_cgi_t)
+
+ term_use_controlling_term(mailman_cgi_t)
+
+ # for python pre-compile foolishness
+ libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fds(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
+files_search_spool(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
+
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
+
+optional_policy(`
+ courier_read_spool(mailman_mail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(mailman_mail_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+
+kernel_read_proc_symlinks(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_user_home_dirs(mailman_queue_t)
+
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
+
+optional_policy(`
+ cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+')
+
+optional_policy(`
+ su_exec(mailman_queue_t)
+') \ No newline at end of file
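Review bot: `mailman_queue_t` receives `auth_domtrans_chk_passwd` and, under optional_policy, `su_exec`, with only `# for su` as justification, while the queue domain already holds `setuid setgid` and is entered from cron through `cron_system_entry`. Nothing in the file says which queue operation authenticates a user or runs su, so a reader cannot tell whether this is a real need or a leftover from audit2allow; the comment above `userdom_search_user_home_dirs` already concedes these rules are untested. Replace `# for su` with a comment naming the caller, e.g. `# the cron entry point runs su to switch to the mailman user — TODO confirm against the installed cron scripts`, or drop both rules if an audit run shows them unused. The file also lacks a trailing newline, which the diff flags.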
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
new file mode 100644
index 00000000..56c43c08
--- /dev/null
+++ b/policy/modules/contrib/mcelog.fc
@@ -0,0 +1 @@
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
new file mode 100644
index 00000000..3d4cb1ae
--- /dev/null
+++ b/policy/modules/contrib/mcelog.if
@@ -0,0 +1,20 @@
+## <summary>policy for mcelog</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mcelog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcelog_domtrans',`
+ gen_require(`
+ type mcelog_t, mcelog_exec_t;
+ ')
+
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
new file mode 100644
index 00000000..56719779
--- /dev/null
+++ b/policy/modules/contrib/mcelog.te
@@ -0,0 +1,32 @@
+policy_module(mcelog, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcelog_t;
+type mcelog_exec_t;
+application_domain(mcelog_t, mcelog_exec_t)
+cron_system_entry(mcelog_t, mcelog_exec_t)
+
+########################################
+#
+# mcelog local policy
+#
+
+allow mcelog_t self:capability sys_admin;
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
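Review bot: `allow mcelog_t self:capability sys_admin;` is the broadest grant in the module and carries no comment, while the only rationale in the file (`# for /dev/mem access`) is attached to the MLS rule below it, not to the capability. CAP_SYS_ADMIN covers far more than reading raw memory, so a reader cannot tell which mcelog operation actually needs it. Add a why-comment such as `# sys_admin: TODO confirm which mcelog operation requires this (ioctl on /dev/mcelog?); drop if an audit run shows it unused` and narrow or remove the grant once that is confirmed.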
diff --git a/policy/modules/contrib/mediawiki.fc b/policy/modules/contrib/mediawiki.fc
new file mode 100644
index 00000000..a78b34ae
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.fc
@@ -0,0 +1,8 @@
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
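Review bot: `/usr/lib/mediawiki/math/texvc_tes` looks like a truncated `texvc_test`; if the binary ships under the longer name it would keep the default lib label instead of `httpd_mediawiki_script_exec_t`, so confirm the spelling against the package file list. Also, the tree rule makes everything under `/var/www/wiki` writable content (`httpd_mediawiki_rw_content_t`) and only files that already match `.*\.php` get the read-only type; a `.php` file the script domain writes later inherits the writable type, and if PHP runs in-process a readable file is an interpretable one, so the split protects existing scripts from tampering but does not stop newly written ones from running. A comment next to the `.php` line stating that limitation (or narrowing the rw pattern to the upload and cache directories) would make the intent explicit.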
diff --git a/policy/modules/contrib/mediawiki.if b/policy/modules/contrib/mediawiki.if
new file mode 100644
index 00000000..98d28b42
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.if
@@ -0,0 +1 @@
+## <summary>Mediawiki policy</summary>
diff --git a/policy/modules/contrib/mediawiki.te b/policy/modules/contrib/mediawiki.te
new file mode 100644
index 00000000..d7cb9e4c
--- /dev/null
+++ b/policy/modules/contrib/mediawiki.te
@@ -0,0 +1,17 @@
+policy_module(mediawiki, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+########################################
+#
+# mediawiki local policy
+#
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
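Review bot: `files_search_var_lib(httpd_mediawiki_script_t)` has no comment and nothing in mediawiki.fc labels a path under /var/lib, so it is not clear from the module what the script domain looks for there. A one-line why-comment naming the path, e.g. `# search /var/lib for <path> — TODO confirm`, would let a later reader decide whether the rule is still needed.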
diff --git a/policy/modules/contrib/memcached.fc b/policy/modules/contrib/memcached.fc
new file mode 100644
index 00000000..4d694775
--- /dev/null
+++ b/policy/modules/contrib/memcached.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
new file mode 100644
index 00000000..db4fd6fb
--- /dev/null
+++ b/policy/modules/contrib/memcached.if
@@ -0,0 +1,73 @@
+## <summary>high-performance memory object caching system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+ gen_require(`
+ type memcached_t;
+ type memcached_exec_t;
+ ')
+
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+')
+
+########################################
+## <summary>
+## Read memcached PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an memcached environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the memcached domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+ gen_require(`
+ type memcached_t;
+ type memcached_initrc_exec_t;
+ ')
+
+ allow $1 memcached_t:process { ptrace signal_perms };
+ ps_process_pattern($1, memcached_t)
+
+ init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, memcached_var_run_t)
+')
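Review bot: `memcached_admin` uses `memcached_var_run_t` in `admin_pattern($1, memcached_var_run_t)`, but its `gen_require` block declares only `memcached_t` and `memcached_initrc_exec_t`, so the type is out of scope when the interface is called from another module and the policy build fails there. Add `type memcached_var_run_t;` to the gen_require, matching what `memcached_read_pid_files` already does.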
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
new file mode 100644
index 00000000..b6816087
--- /dev/null
+++ b/policy/modules/contrib/memcached.te
@@ -0,0 +1,58 @@
+policy_module(memcached, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { setrlimit signal_perms };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_generic_if(memcached_t)
+corenet_udp_sendrecv_generic_node(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_generic_node(memcached_t)
+corenet_tcp_sendrecv_generic_if(memcached_t)
+corenet_tcp_sendrecv_generic_node(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_generic_node(memcached_t)
+corenet_tcp_bind_memcache_port(memcached_t)
+corenet_udp_bind_memcache_port(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+files_read_etc_files(memcached_t)
+
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+
+auth_use_nsswitch(memcached_t)
+
+miscfiles_read_localization(memcached_t)
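Review bot: The domain binds only the memcache port (`corenet_tcp_bind_memcache_port`, `corenet_udp_bind_memcache_port`) yet is granted `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`, which is wider than the single listening port suggests. If an audit run shows no traffic on other port types, narrowing to `corenet_tcp_sendrecv_memcache_port(memcached_t)` and `corenet_udp_sendrecv_memcache_port(memcached_t)` keeps the least-privilege intent of the explicit bind rules. Note too that `allow memcached_t self:udp_socket { create_socket_perms listen }` grants `listen` on a UDP socket; if that came from audit2allow it is worth verifying memcached really calls listen() on its UDP socket before keeping it.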
diff --git a/policy/modules/contrib/metadata.xml b/policy/modules/contrib/metadata.xml
new file mode 100644
index 00000000..71d9e256
--- /dev/null
+++ b/policy/modules/contrib/metadata.xml
@@ -0,0 +1 @@
+<summary>Contributed Reference Policy modules.</summary>
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
new file mode 100644
index 00000000..1ec5a6cd
--- /dev/null
+++ b/policy/modules/contrib/milter.fc
@@ -0,0 +1,15 @@
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
new file mode 100644
index 00000000..ee72cbed
--- /dev/null
+++ b/policy/modules/contrib/milter.if
@@ -0,0 +1,106 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`milter_template',`
+ # attributes common to all milters
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ type $1_milter_t, milter_domains;
+ type $1_milter_exec_t;
+ init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
+ type $1_milter_data_t, milter_data_type;
+ files_type($1_milter_data_t)
+
+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+ # Allow communication with MTA over a TCP socket
+ allow $1_milter_t self:tcp_socket create_stream_socket_perms;
+
+ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ corenet_tcp_bind_generic_node($1_milter_t)
+ corenet_tcp_bind_milter_port($1_milter_t)
+
+ files_read_etc_files($1_milter_t)
+
+ miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+## <summary>
+## MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+## Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+## Manage spamassassin milter state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
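Review bot: The template's comment says the milter may talk to the MTA over TCP and grants `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_milter_port`, but unlike the other daemon modules in this change it grants no `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_sendrecv_generic_node`, no sendrecv on the milter port and no `corenet_all_recvfrom_unlabeled`, so a TCP-connected MTA would likely be denied after the bind succeeds. This probably goes unnoticed because the Unix-socket path (`manage_sock_files_pattern` on `$1_milter_data_t`) is the usual deployment. Either add `corenet_tcp_sendrecv_generic_if($1_milter_t)`, `corenet_tcp_sendrecv_generic_node($1_milter_t)` and `corenet_tcp_sendrecv_milter_port($1_milter_t)` beside the bind rules, or comment that TCP listening is intentionally left incomplete.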
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
new file mode 100644
index 00000000..26101cbb
--- /dev/null
+++ b/policy/modules/contrib/milter.te
@@ -0,0 +1,96 @@
+policy_module(milter, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
+milter_template(regex)
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+')
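Review bot: `corecmd_exec_shell(spamass_milter_t)` is justified by the comment that the milter uses popen() to invoke sendmail for the -b/-B spamtrap options; since popen() runs its argument through /bin/sh inside the milter domain, the policy is relying on that command line being built from configuration only, never from message data. That assumption is worth recording next to the grant, e.g. `# popen() goes through /bin/sh; acceptable only while the command string comes from config, not from the message — confirm in spamass-milter source`, so a later reader knows what the shell grant depends on. The sendmail step itself is covered by `mta_send_mail`, which transitions out of the milter domain.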
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
new file mode 100644
index 00000000..a83894c6
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.fc
@@ -0,0 +1 @@
+/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/contrib/modemmanager.if b/policy/modules/contrib/modemmanager.if
new file mode 100644
index 00000000..33686991
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.if
@@ -0,0 +1,40 @@
+## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run modemmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`modemmanager_domtrans',`
+ gen_require(`
+ type modemmanager_t, modemmanager_exec_t;
+ ')
+
+ domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## modemmanager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modemmanager_dbus_chat',`
+ gen_require(`
+ type modemmanager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 modemmanager_t:dbus send_msg;
+ allow modemmanager_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
new file mode 100644
index 00000000..b3ace161
--- /dev/null
+++ b/policy/modules/contrib/modemmanager.te
@@ -0,0 +1,41 @@
+policy_module(modemmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type modemmanager_t;
+type modemmanager_exec_t;
+dbus_system_domain(modemmanager_t, modemmanager_exec_t)
+typealias modemmanager_t alias ModemManager_t;
+typealias modemmanager_exec_t alias ModemManager_exec_t;
+
+########################################
+#
+# ModemManager local policy
+#
+
+allow modemmanager_t self:process signal;
+allow modemmanager_t self:fifo_file rw_file_perms;
+allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(modemmanager_t)
+
+dev_read_sysfs(modemmanager_t)
+dev_rw_modem(modemmanager_t)
+
+files_read_etc_files(modemmanager_t)
+
+term_use_unallocated_ttys(modemmanager_t)
+
+miscfiles_read_localization(modemmanager_t)
+
+logging_send_syslog_msg(modemmanager_t)
+
+networkmanager_dbus_chat(modemmanager_t)
+
+optional_policy(`
+ udev_read_db(modemmanager_t)
+')
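Review bot: `networkmanager_dbus_chat(modemmanager_t)` is called unconditionally, while the neighbouring `udev_read_db` call is wrapped in `optional_policy`; networkmanager appears to be another contrib module in this tree, so this module will fail to build when that module is not selected. Wrap it the same way: `optional_policy(`` / `networkmanager_dbus_chat(modemmanager_t)` / `')`. A one-line comment above it such as `# ModemManager is driven by NetworkManager over the system bus` would also explain why the two-way dbus send_msg is needed.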
diff --git a/policy/modules/contrib/mojomojo.fc b/policy/modules/contrib/mojomojo.fc
new file mode 100644
index 00000000..824c9793
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.fc
@@ -0,0 +1,5 @@
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
diff --git a/policy/modules/contrib/mojomojo.if b/policy/modules/contrib/mojomojo.if
new file mode 100644
index 00000000..657a9fc2
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.if
@@ -0,0 +1,40 @@
+## <summary>MojoMojo Wiki</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mojomojo environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mojomojo_admin',`
+ gen_require(`
+ type httpd_mojomojo_script_t;
+ type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+ type httpd_mojomojo_rw_content_t;
+ type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
+ ')
+
+ allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_mojomojo_script_t)
+
+ files_search_var_lib(httpd_mojomojo_script_t)
+
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_mojomojo_script_exec_t)
+ admin_pattern($1, httpd_mojomojo_script_t)
+ admin_pattern($1, httpd_mojomojo_content_t)
+ admin_pattern($1, httpd_mojomojo_htaccess_t)
+ admin_pattern($1, httpd_mojomojo_rw_content_t)
+ admin_pattern($1, httpd_mojomojo_ra_content_t)
+')
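Review bot: `files_search_var_lib(httpd_mojomojo_script_t)` inside `mojomojo_admin` grants a permission to the script domain rather than to the admin domain `$1`, which is the subject every other rule in this interface targets; the same call already appears in mojomojo.te, so here it is either a typo for `files_search_var_lib($1)` (which the admin domain needs to reach the `httpd_mojomojo_rw_content_t` tree under /var/lib via `admin_pattern`) or redundant and should be dropped. The `role` parameter `$2` is documented and marked `<rolecap/>` but never used in the body; if no role assignment is intended, either drop the parameter from the doc block or add the role rule the `<rolecap/>` tag promises.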
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
new file mode 100644
index 00000000..83f002c3
--- /dev/null
+++ b/policy/modules/contrib/mojomojo.te
@@ -0,0 +1,36 @@
+policy_module(mojomojo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mojomojo)
+
+########################################
+#
+# mojomojo local policy
+#
+
+allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+
+files_search_var_lib(httpd_mojomojo_script_t)
+
+sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+mta_send_mail(httpd_mojomojo_script_t)
+
+optional_policy(`
+ mysql_stream_connect(httpd_mojomojo_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+')
diff --git a/policy/modules/contrib/mono.fc b/policy/modules/contrib/mono.fc
new file mode 100644
index 00000000..b01bc913
--- /dev/null
+++ b/policy/modules/contrib/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/contrib/mono.if b/policy/modules/contrib/mono.if
new file mode 100644
index 00000000..7b08e138
--- /dev/null
+++ b/policy/modules/contrib/mono.if
@@ -0,0 +1,138 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mono_exec_t, mono_t)
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
+########################################
+## <summary>
+## Execute the mono program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_exec',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mono_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
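Review bot: In `mono_role_template`, `corecmd_bin_domtrans($1_mono_t, $1_t)` and `xserver_role($1_r, $1_mono_t)` derive the user domain and role from the prefix instead of using the documented `user_role` (`$2`) and `user_domain` (`$3`) parameters, so a caller whose role or domain is not literally `<prefix>_r`/`<prefix>_t` gets rules for the wrong types. Use the parameters: `corecmd_bin_domtrans($1_mono_t, $3)` and `xserver_role($2, $1_mono_t)`. The `<desc>` text also reads `creates a derived domains which are used`; `creates a derived domain that is used` is the intended wording.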
diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
new file mode 100644
index 00000000..dff0f127
--- /dev/null
+++ b/policy/modules/contrib/mono.te
@@ -0,0 +1,52 @@
+policy_module(mono, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+type mono_exec_t;
+application_type(mono_t)
+init_system_domain(mono_t, mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+init_dbus_chat_script(mono_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ unconfined_domain(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
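Review bot: `allow mono_t self:process { ptrace signal getsched execheap execmem execstack };` grants executable-memory permissions unconditionally, whereas mozilla.te in this same series gates `execmem execstack` behind `tunable_policy(`allow_execmem',` ... `')`; the same guard would fit here and in the `mono_role_template` derived domain (mono.if), leaving only `{ ptrace signal getsched }` in the unconditional rule. The `optional_policy` block that calls `unconfined_domain(mono_t)` turns mono_t into an unconfined domain whenever the unconfined module is loaded, with no tunable to opt out; at minimum a comment such as `# mono_t is unconfined when the unconfined module is present; JIT-compiled code cannot be usefully confined` should state that this is deliberate.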
diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc
new file mode 100644
index 00000000..9ee40284
--- /dev/null
+++ b/policy/modules/contrib/monop.fc
@@ -0,0 +1,4 @@
+/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+
+/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
new file mode 100644
index 00000000..2611351e
--- /dev/null
+++ b/policy/modules/contrib/monop.if
@@ -0,0 +1 @@
+## <summary>Monopoly daemon</summary>
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
new file mode 100644
index 00000000..6647a356
--- /dev/null
+++ b/policy/modules/contrib/monop.te
@@ -0,0 +1,85 @@
+policy_module(monop, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type monopd_t;
+type monopd_exec_t;
+init_daemon_domain(monopd_t, monopd_exec_t)
+
+type monopd_etc_t;
+files_config_file(monopd_etc_t)
+
+type monopd_share_t;
+files_type(monopd_share_t)
+
+type monopd_var_run_t;
+files_pid_file(monopd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit monopd_t self:capability sys_tty_config;
+allow monopd_t self:process signal_perms;
+allow monopd_t self:tcp_socket create_stream_socket_perms;
+allow monopd_t self:udp_socket create_socket_perms;
+
+allow monopd_t monopd_etc_t:file read_file_perms;
+files_search_etc(monopd_t)
+
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+
+manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t)
+files_pid_filetrans(monopd_t, monopd_var_run_t, file)
+
+kernel_read_kernel_sysctls(monopd_t)
+kernel_list_proc(monopd_t)
+kernel_read_proc_symlinks(monopd_t)
+
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
+corenet_tcp_sendrecv_generic_if(monopd_t)
+corenet_udp_sendrecv_generic_if(monopd_t)
+corenet_tcp_sendrecv_generic_node(monopd_t)
+corenet_udp_sendrecv_generic_node(monopd_t)
+corenet_tcp_sendrecv_all_ports(monopd_t)
+corenet_udp_sendrecv_all_ports(monopd_t)
+corenet_tcp_bind_generic_node(monopd_t)
+corenet_tcp_bind_monopd_port(monopd_t)
+corenet_sendrecv_monopd_server_packets(monopd_t)
+
+dev_read_sysfs(monopd_t)
+
+domain_use_interactive_fds(monopd_t)
+
+files_read_etc_files(monopd_t)
+
+fs_getattr_all_fs(monopd_t)
+fs_search_auto_mountpoints(monopd_t)
+
+logging_send_syslog_msg(monopd_t)
+
+miscfiles_read_localization(monopd_t)
+
+sysnet_read_config(monopd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
+
+optional_policy(`
+ nis_use_ypbind(monopd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(monopd_t)
+')
+
+optional_policy(`
+ udev_read_db(monopd_t)
+')
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
new file mode 100644
index 00000000..1847b92c
--- /dev/null
+++ b/policy/modules/contrib/mozilla.fc
@@ -0,0 +1,47 @@
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+
+#
+# /opt
+#
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
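Review bot: The four `firefox` and `plugin-container` entries are spelled out once for `/usr/lib/` and once for `/usr/lib64/`, while every neighbouring library entry in the same block uses the `/usr/lib(64)?/` form; collapsing each pair to `/usr/lib(64)?/[^/]*firefox[^/]*/firefox` and `/usr/lib(64)?/[^/]*firefox[^/]*/plugin-container` keeps the file to one convention and avoids the two drifting apart. This is a style point only; the labels applied are the same either way.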
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
new file mode 100644
index 00000000..b397fde5
--- /dev/null
+++ b/policy/modules/contrib/mozilla.if
@@ -0,0 +1,302 @@
+## <summary>Policy for Mozilla and related web browsers</summary>
+
+########################################
+## <summary>
+## Role access for mozilla
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mozilla_role',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ attribute_role mozilla_roles;
+ ')
+
+ roleattribute $1 mozilla_roles;
+
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mozilla_t)
+ allow $2 mozilla_t:process signal_perms;
+
+ allow $2 mozilla_t:fd use;
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+ mozilla_dbus_chat($2)
+')
+
+########################################
+## <summary>
+## Read mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_write_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to read/write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+ dontaudit $1 mozilla_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Execute mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_exec_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
+########################################
+## <summary>
+## Execmod mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_execmod_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
+')
+
+########################################
+## <summary>
+## Run mozilla in the mozilla domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t;
+ ')
+
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run mozilla_plugin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ class dbus send_msg;
+ ')
+
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
+')
+
+########################################
+## <summary>
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mozilla_plugin domain.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat',`
+ gen_require(`
+ type mozilla_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## read/write mozilla per user tcp_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
+')
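Review bot: `mozilla_domtrans_plugin` requires `mozilla_plugin_tmpfs_t` and `class dbus send_msg` in its `gen_require` but uses neither in the body, which makes the interface fail to link on a policy that lacks the dbus class for no reason; reduce the block to `type mozilla_plugin_t, mozilla_plugin_exec_t;`. The summary of `mozilla_dontaudit_manage_user_home_files` says `Dontaudit attempts to write mozilla home directory content` while the body dontaudits `manage_dir_perms` and `manage_file_perms`; `Dontaudit attempts to manage mozilla home directory content` describes what it does.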
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
new file mode 100644
index 00000000..6a85b282
--- /dev/null
+++ b/policy/modules/contrib/mozilla.te
@@ -0,0 +1,480 @@
+policy_module(mozilla, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content, false)
+
+attribute_role mozilla_roles;
+
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+role mozilla_roles types mozilla_t;
+
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role mozilla_roles types mozilla_plugin_t;
+
+type mozilla_plugin_tmp_t;
+userdom_user_tmp_file(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+
+type mozilla_tmp_t;
+userdom_user_tmp_file(mozilla_tmp_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+userdom_user_tmpfs_file(mozilla_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+# Make sure plugin works
+allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
+allow mozilla_t mozilla_plugin_t:fd { use };
+allow mozilla_t mozilla_plugin_t:unix_stream_socket { read write };
+
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
+
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+# Look for plugins
+corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_generic_node(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+corenet_tcp_sendrecv_tor_port(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
+corenet_tcp_connect_tor_port(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+corenet_sendrecv_tor_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+corenet_tcp_connect_speech_port(mozilla_t)
+
+dev_read_urand(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
+
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_etc_files(mozilla_t)
+# /var/lib
+files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_dontaudit_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+
+# Browse the web, connect to printer
+sysnet_dns_name_resolve(mozilla_t)
+
+userdom_use_user_ptys(mozilla_t)
+
+mozilla_run_plugin(mozilla_t, mozilla_roles)
+
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_t)
+ dbus_session_bus_client(mozilla_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_config(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+')
+
+optional_policy(`
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ xdg_read_generic_config_home_files(mozilla_t)
+ xdg_read_generic_data_home_files(mozilla_t)
+')
+
+########################################
+#
+# mozilla_plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+allow mozilla_plugin_t self:process { getsched setsched signal_perms execmem };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+
+allow mozilla_plugin_t mozilla_t:unix_stream_socket { read write };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
+dev_read_rand(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
+dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_dos_files(mozilla_plugin_t)
+
+application_dontaudit_signull(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+
+
+xserver_user_x_domain_template(mozilla_plugin_t, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`allow_execstack',`
+ allow mozilla_plugin_t self:process { execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+ java_exec(mozilla_plugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_read_user_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xdg_read_generic_config_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+')
diff --git a/policy/modules/contrib/mpd.fc b/policy/modules/contrib/mpd.fc
new file mode 100644
index 00000000..ddc14d6b
--- /dev/null
+++ b/policy/modules/contrib/mpd.fc
@@ -0,0 +1,8 @@
+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0)
+
+/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
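Review bot: No file context is given for the daemon's log file, yet mpd.te declares mpd_log_t (its comment even refers to mpd.log) and mpd_admin in mpd.if requires and administers it, while no rule in mpd.te lets mpd_t write that type, so the type is currently dead. If the daemon writes a log, add an entry for its path here, e.g. `<MPD_LOG_PATH> -- gen_context(system_u:object_r:mpd_log_t,s0)` (placeholder; take the path from the package), and give mpd_t `manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)` plus `logging_log_filetrans(mpd_t, mpd_log_t, file)` in mpd.te; otherwise drop the type from both files.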
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
new file mode 100644
index 00000000..d72276ff
--- /dev/null
+++ b/policy/modules/contrib/mpd.if
@@ -0,0 +1,267 @@
+## <summary>Music Player Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_domtrans',`
+ gen_require(`
+ type mpd_t, mpd_exec_t;
+ ')
+
+ domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
+########################################
+## <summary>
+## Execute mpd server in the mpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_initrc_domtrans',`
+ gen_require(`
+ type mpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, mpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+## Read mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+######################################
+## <summary>
+## Manage mpd data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+#######################################
+## <summary>
+## Read mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+## <summary>
+## Manage mpd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Search mpd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_search_lib',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ allow $1 mpd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_read_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mpd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`mpd_var_lib_filetrans',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, mpd_var_lib_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Manage mpd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mpd_manage_lib_dirs',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mpd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mpd_admin',`
+ gen_require(`
+ type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
+ type mpd_data_t, mpd_log_t, mpd_var_lib_t;
+ type mpd_tmpfs_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mpd_t)
+
+ mpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mpd_etc_t)
+ files_list_etc($1)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mpd_var_lib_t)
+
+ admin_pattern($1, mpd_data_t)
+
+ admin_pattern($1, mpd_log_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, mpd_tmpfs_t)
+')
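Review bot: mpd_admin omits mpd_tmp_t, which mpd.te declares and lets mpd_t manage under /tmp, so an administrator can clean up the daemon's tmpfs, lib, data and log content but not its tmp files; add `type mpd_tmp_t;` to the gen_require and `files_list_tmp($1)` / `admin_pattern($1, mpd_tmp_t)` next to the tmpfs block. The summary of mpd_manage_lib_dirs reads "Manage mpd lib dirs files"; `## Manage mpd lib directories.` says what the interface does. The interface header rules also vary in width (the mpd_read_data_files, mpd_manage_data_files, mpd_read_tmpfs_files and mpd_manage_tmpfs_files headers are shorter than the rest), which is worth normalising for consistency with the other .if files in this commit.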
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
new file mode 100644
index 00000000..7f688728
--- /dev/null
+++ b/policy/modules/contrib/mpd.te
@@ -0,0 +1,126 @@
+policy_module(mpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mpd_t;
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
+# type for music content
+type mpd_data_t;
+files_type(mpd_data_t)
+
+type mpd_etc_t;
+files_config_file(mpd_etc_t)
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
+type mpd_log_t;
+logging_log_file(mpd_log_t)
+
+type mpd_tmp_t;
+files_tmp_file(mpd_tmp_t)
+
+type mpd_tmpfs_t;
+files_tmpfs_file(mpd_tmpfs_t)
+
+type mpd_var_lib_t;
+files_type(mpd_var_lib_t)
+
+########################################
+#
+# mpd local policy
+#
+
+# dac_override bug in mpd relating to mpd.log file
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull };
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow mpd_t self:tcp_socket create_stream_socket_perms;
+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })
+
+manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )
+
+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
+# needed by pulseaudio
+kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
+corecmd_exec_bin(mpd_t)
+
+corenet_all_recvfrom_unlabeled(mpd_t)
+corenet_all_recvfrom_netlabel(mpd_t)
+corenet_tcp_sendrecv_generic_if(mpd_t)
+corenet_tcp_sendrecv_generic_node(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_connect_pulseaudio_port(mpd_t)
+corenet_tcp_connect_soundd_port(mpd_t)
+corenet_sendrecv_http_client_packets(mpd_t)
+corenet_sendrecv_http_cache_client_packets(mpd_t)
+corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+corenet_sendrecv_soundd_client_packets(mpd_t)
+
+dev_read_sound(mpd_t)
+dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
+
+fs_getattr_tmpfs(mpd_t)
+fs_list_inotifyfs(mpd_t)
+fs_rw_anon_inodefs_files(mpd_t)
+
+auth_use_nsswitch(mpd_t)
+
+logging_send_syslog_msg(mpd_t)
+
+miscfiles_read_localization(mpd_t)
+
+optional_policy(`
+ alsa_read_rw_config(mpd_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mpd_t)
+ pulseaudio_stream_connect(mpd_t)
+ pulseaudio_signull(mpd_t)
+')
+
+optional_policy(`
+ udev_read_db(mpd_t)
+')
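Review bot: fs_tmpfs_filetrans for mpd_t names only the file class, but the line above it grants manage_dirs_pattern on mpd_tmpfs_t, so directories mpd_t creates on tmpfs will not receive the private label; use `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, { dir file })` (and drop the stray space before the closing parenthesis), or remove the dir rule if it is not needed. The dac_override capability is granted as a workaround for what the comment itself calls a bug in mpd; since it lets the daemon bypass DAC permission checks on everything SELinux otherwise allows it to reach, the comment should say which access fails without it (presumably the log file, which no rule in this hunk covers) so the capability can be removed once the bug is fixed. The kill capability is likewise uncommented; if it exists only for the pulseaudio signull, a comment saying so would help the next reviewer.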
diff --git a/policy/modules/contrib/mplayer.fc b/policy/modules/contrib/mplayer.fc
new file mode 100644
index 00000000..5a37c50d
--- /dev/null
+++ b/policy/modules/contrib/mplayer.fc
@@ -0,0 +1,14 @@
+#
+# /etc
+#
+/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
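Review bot: /usr/bin/vlc and /usr/bin/xine are labelled mplayer_exec_t, so both players run in mplayer_t and inherit every rule in mplayer.te, including raw read of removable devices and the allow_mplayer_execstack tunable, although the module summary and the tunable description only mention mplayer. A comment above those two entries, `# vlc and xine share the mplayer_t domain`, would make the scope of the domain visible to someone reading the file contexts alone.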
diff --git a/policy/modules/contrib/mplayer.if b/policy/modules/contrib/mplayer.if
new file mode 100644
index 00000000..d8ea41d1
--- /dev/null
+++ b/policy/modules/contrib/mplayer.if
@@ -0,0 +1,104 @@
+## <summary>Mplayer media player and encoder</summary>
+
+########################################
+## <summary>
+## Role access for mplayer
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mplayer_role',`
+ gen_require(`
+ type mencoder_t, mencoder_exec_t;
+ type mplayer_t, mplayer_exec_t;
+ type mplayer_home_t;
+ ')
+
+ role $1 types { mencoder_t mplayer_t };
+
+ # domain transition
+ domtrans_pattern($2, mencoder_exec_t, mencoder_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mencoder_t)
+ allow $2 mencoder_t:process signal_perms;
+
+ # Home access
+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+
+ # domain transition
+ domtrans_pattern($2, mplayer_exec_t, mplayer_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mplayer_t)
+ allow $2 mplayer_t:process signal_perms;
+')
+
+########################################
+## <summary>
+## Run mplayer in mplayer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mplayer_domtrans',`
+ gen_require(`
+ type mplayer_t, mplayer_exec_t;
+ ')
+
+ domtrans_pattern($1, mplayer_exec_t, mplayer_t)
+')
+
+########################################
+## <summary>
+## Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
+## Read mplayer per user homedir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mplayer_read_user_home_files',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ userdom_search_user_home_dirs($1)
+')
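Review bot: mplayer_role is documented as "Role access for mplayer" but also grants the domain transition, ps and signal rules for mencoder_t, which no other interface in this file exposes; the summary should say `## Role access for mplayer and mencoder`, and a separate mencoder_domtrans interface would let other modules transition to it without pulling in the whole role. The header of mplayer_exec has a duplicated `#` line (two consecutive bare `#` lines before the interface), unlike every other header in the file. The `# domain transition` comment also appears twice in mplayer_role; `# mencoder domain transition` and `# mplayer domain transition` would distinguish them.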
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
new file mode 100644
index 00000000..0cdea57a
--- /dev/null
+++ b/policy/modules/contrib/mplayer.te
@@ -0,0 +1,311 @@
+policy_module(mplayer, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack, false)
+
+type mencoder_t;
+type mencoder_exec_t;
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+userdom_user_application_domain(mencoder_t, mencoder_exec_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+userdom_user_application_domain(mplayer_t, mplayer_exec_t)
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
+
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+userdom_user_tmpfs_file(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_nfs_files(mencoder_t)
+ fs_read_nfs_symlinks(mencoder_t)
+
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_nfs_files(mencoder_t)
+ fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_cifs_files(mencoder_t)
+ fs_read_cifs_symlinks(mencoder_t)
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_cifs_files(mencoder_t)
+ fs_dontaudit_list_cifs(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:netlink_route_socket create_netlink_socket_perms;
+allow mplayer_t self:tcp_socket create_socket_perms;
+allow mplayer_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mplayer_t)
+
+corenet_all_recvfrom_netlabel(mplayer_t)
+corenet_all_recvfrom_unlabeled(mplayer_t)
+corenet_tcp_sendrecv_generic_if(mplayer_t)
+corenet_tcp_sendrecv_generic_node(mplayer_t)
+corenet_tcp_bind_generic_node(mplayer_t)
+corenet_tcp_connect_pulseaudio_port(mplayer_t)
+corenet_sendrecv_pulseaudio_client_packets(mplayer_t)
+
+# Run bash/sed (??)
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+dev_read_rand(mplayer_t)
+dev_read_urand(mplayer_t)
+# Required for win32 binary loader
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+dev_write_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock
+dev_read_realtime_clock(mplayer_t)
+
+domain_use_interactive_fds(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+userdom_write_user_tmp_sockets(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_nfs_files(mplayer_t)
+ fs_read_nfs_symlinks(mplayer_t)
+
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_nfs_files(mplayer_t)
+ fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_cifs_files(mplayer_t)
+ fs_read_cifs_symlinks(mplayer_t)
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_cifs_files(mplayer_t)
+ fs_dontaudit_list_cifs(mplayer_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mplayer_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mplayer_t)
+ pulseaudio_stream_connect(mplayer_t)
+')
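Review bot: fs_tmpfs_filetrans for mplayer_t lists dir, but mplayer_t has no manage_dirs_pattern on mplayer_tmpfs_t (only file, lnk_file, fifo_file and sock_file are managed), so the directory transition can never be exercised; either add `manage_dirs_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)` or drop dir from the class set, and add the missing space after the second comma. The use_nfs_home_dirs and use_samba_home_dirs tunables each appear twice per domain: the first block grants manage access and the second grants read access plus dontaudit rules in its else branch, so the read rules in the second block are redundant and the two could be folded into one block per tunable (the blank lines left before the closing quotes are a style nit in the same blocks). The allow_mplayer_execstack tunable also grants execmem and, under "Legacy domain issues", execute on mplayer_tmpfs_t files, while its description only says "executable stack"; the description should list these so an administrator knows what enabling it unlocks.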
diff --git a/policy/modules/contrib/mrtg.fc b/policy/modules/contrib/mrtg.fc
new file mode 100644
index 00000000..37fb9536
--- /dev/null
+++ b/policy/modules/contrib/mrtg.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
+/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+#
+# /var
+#
+/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
+/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
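Review bot: `/etc/mrtg.*` uses an unescaped, unanchored `.*`, so it also matches unrelated paths that merely begin with /etc/mrtg; the directory form used elsewhere in this commit, `/etc/mrtg(/.*)? gen_context(system_u:object_r:mrtg_etc_t,s0)`, expresses the intent. The `/etc/mrtg/mrtg\.ok` lock-file entry sits under the `# /usr` heading and belongs with the other /etc entry; since mrtg.te only creates that file under distro_redhat, it may also be worth guarding the entry the same way, though the package layout is not visible here.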
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
new file mode 100644
index 00000000..5970b9c0
--- /dev/null
+++ b/policy/modules/contrib/mrtg.if
@@ -0,0 +1,20 @@
+## <summary>Network traffic graphing</summary>
+
+########################################
+## <summary>
+## Create and append mrtg logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_append_create_logs',`
+ gen_require(`
+ type mrtg_log_t;
+ ')
+
+ append_files_pattern($1, mrtg_log_t, mrtg_log_t)
+ create_files_pattern($1, mrtg_log_t, mrtg_log_t)
+')
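Review bot: mrtg_append_create_logs grants append and create on mrtg_log_t files but not search on the log directory, so a caller that does not already have logging_search_logs cannot reach the /var/log/mrtg tree that mrtg.fc labels. The other file-access interfaces in this commit (mpd_read_lib_files, mpd_read_tmpfs_files) pair the pattern with a search call, and this one should add `logging_search_logs($1)` before the two pattern calls.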
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
new file mode 100644
index 00000000..0e19d802
--- /dev/null
+++ b/policy/modules/contrib/mrtg.te
@@ -0,0 +1,160 @@
+policy_module(mrtg, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t, mrtg_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { setgid setuid chown };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+allow mrtg_t self:tcp_socket create_socket_perms;
+allow mrtg_t self:udp_socket create_socket_perms;
+
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+
+manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+
+manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
+
+manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_udp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_generic_node(mrtg_t)
+corenet_udp_sendrecv_generic_node(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+corenet_udp_sendrecv_all_ports(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_sendrecv_all_client_packets(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
+
+files_read_usr_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+files_getattr_tmp_dirs(mrtg_t)
+# for uptime
+files_read_etc_runtime_files(mrtg_t)
+# read config files
+files_read_etc_files(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+# for uptime
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+miscfiles_read_localization(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+
+netutils_domtrans_ping(mrtg_t)
+
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
+ifdef(`distro_redhat',`
+ allow mrtg_t mrtg_lock_t:file manage_file_perms;
+ filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
+')
+
+optional_policy(`
+ apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+ cron_system_entry(mrtg_t, mrtg_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+ hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+ quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+ udev_read_db(mrtg_t)
+')
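Review bot: logging_log_filetrans for mrtg_t includes the dir class, but mrtg_t only has manage_files_pattern on mrtg_log_t, so it cannot create the /var/log/mrtg directory that mrtg.fc labels as mrtg_log_t and the dir transition is dead; add `manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)` or restrict the filetrans to file. The network rules grant sendrecv on all TCP and UDP ports and connect to all TCP ports, which is broad for a traffic grapher; if the targets are SNMP agents, the snmp port interfaces (corenet_udp_sendrecv_snmp_port, corenet_tcp_connect_snmp_port) would bound this, with a comment naming whatever else mrtg is expected to poll. The chown capability is also uncommented; a line saying which file it is needed for would help.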
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
new file mode 100644
index 00000000..256166a9
--- /dev/null
+++ b/policy/modules/contrib/mta.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
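Review bot: The `/var/spool/imap(/.*)?` entry labels the IMAP tree with the same `mail_spool_t` as `/var/mail` and `/var/spool/mail`, so every domain that receives `mta_rw_spool`, `mta_append_spool` or `mta_manage_spool`, and every `mailserver_delivery` domain (which this module grants create/read/append on `mail_spool_t`), also gets that access to what is presumably an IMAP server's own message store rather than an MTA delivery target. If that directory belongs to an IMAP daemon it should carry a type owned by that daemon's module, or at least a comment explaining why it must share the mbox spool type. Separately, the `distro_redhat` entry `/etc/postfix/aliases.*` carries no object-class qualifier while the other alias entries use `--`; if only the alias source and `.db` files are meant, `/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)` keeps directories and symlinks from being relabelled as `etc_aliases_t`.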
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
new file mode 100644
index 00000000..4e2a5bad
--- /dev/null
+++ b/policy/modules/contrib/mta.if
@@ -0,0 +1,903 @@
+## <summary>Policy common to all email tranfer agents.</summary>
+
+########################################
+## <summary>
+## MTA stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_stub',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+')
+
+#######################################
+## <summary>
+## Basic mail transfer agent domain template.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+## </p>
+## <p>
+## This is the basic types and rules, common
+## to the system agent and user agents.
+## </p>
+## </desc>
+## <param name="domain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`mta_base_mail_template',`
+
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+ ##############################
+ #
+ # $1_mail_t declarations
+ #
+
+ type $1_mail_t, user_mail_domain;
+ application_domain($1_mail_t, sendmail_exec_t)
+
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+ ##############################
+ #
+ # $1_mail_t local policy
+ #
+
+ allow $1_mail_t self:capability { setuid setgid chown };
+ allow $1_mail_t self:process { signal_perms setrlimit };
+ allow $1_mail_t self:tcp_socket create_socket_perms;
+
+ # re-exec itself
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
+
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+ corenet_all_recvfrom_netlabel($1_mail_t)
+ corenet_tcp_sendrecv_generic_if($1_mail_t)
+ corenet_tcp_sendrecv_generic_node($1_mail_t)
+ corenet_tcp_sendrecv_all_ports($1_mail_t)
+ corenet_tcp_connect_all_ports($1_mail_t)
+ corenet_tcp_connect_smtp_port($1_mail_t)
+ corenet_sendrecv_smtp_client_packets($1_mail_t)
+
+ corecmd_exec_bin($1_mail_t)
+
+ files_read_etc_files($1_mail_t)
+ files_search_spool($1_mail_t)
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
+ auth_use_nsswitch($1_mail_t)
+
+ init_dontaudit_rw_utmp($1_mail_t)
+
+ logging_send_syslog_msg($1_mail_t)
+
+ miscfiles_read_localization($1_mail_t)
+
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+
+ optional_policy(`
+ procmail_exec($1_mail_t)
+ ')
+
+ optional_policy(`
+ qmail_domtrans_inject($1_mail_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type etc_mail_t, mail_spool_t, mqueue_spool_t;
+ ')
+
+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ allow $1_mail_t etc_mail_t:dir search_dir_perms;
+
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+
+ # Check available space.
+ fs_getattr_xattr_fs($1_mail_t)
+
+ files_read_etc_runtime_files($1_mail_t)
+
+ # Write to /var/log/sendmail.st
+ sendmail_manage_log($1_mail_t)
+ sendmail_create_log($1_mail_t)
+ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for mta
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mta_role',`
+ gen_require(`
+ attribute mta_user_agent;
+ type user_mail_t, sendmail_exec_t;
+ ')
+
+ role $1 types { user_mail_t mta_user_agent };
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+ allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Make the specified domain usable for a mail server.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail server domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ init_daemon_domain($1, $2)
+ typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+## Make the specified type a MTA executable file.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+########################################
+## <summary>
+## Make the specified type by a system MTA.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
+## Modified mailserver interface for
+## sendmail daemon use.
+## </summary>
+## <desc>
+## <p>
+## A modified MTA mail server interface for
+## the sendmail program. It's design does
+## not fit well with policy, and using the
+## regular interface causes a type_transition
+## conflict if direct running of init scripts
+## is enabled.
+## </p>
+## <p>
+## This interface should most likely only be used
+## by the sendmail policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type to be used for the mail server.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ type sendmail_exec_t;
+ ')
+
+ init_system_domain($1, sendmail_exec_t)
+ typeattribute $1 mailserver_domain;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_sender',`
+ gen_require(`
+ attribute mailserver_sender;
+ ')
+
+ typeattribute $1 mailserver_sender;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for delivering mail to local users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for delivering mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+ type mail_spool_t;
+ ')
+
+ typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+## <summary>
+## Make a type a mailserver type used
+## for sending mail on behalf of local
+## users to the local mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Mail server domain type used for sending local mail.
+## </summary>
+## </param>
+#
+interface(`mta_mailserver_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
+')
+
+########################################
+## <summary>
+## Send mail from the system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mta_send_mail',`
+ gen_require(`
+ attribute mta_user_agent;
+ type system_mail_t;
+ attribute mta_exec_type;
+ ')
+
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Execute send mail in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute send mail in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_domtrans',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_read_bin_symlinks($1)
+ domain_auto_trans($1, sendmail_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Send system mail client a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_exec',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ can_exec($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
+## Read mail server configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_read_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_mail_t:dir list_dir_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
+## write mail server configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
+## Read mail address aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete mail address aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+')
+
+########################################
+## <summary>
+## Type transition files created in /etc
+## to the mail address aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_etc_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_etc_filetrans($1, etc_aliases_t, file)
+')
+
+########################################
+## <summary>
+## Read and write mail aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_rw_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file { rw_file_perms setattr };
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## Connect to all mail servers over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_tcp_connect_all_mailservers',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read a symlink
+## in the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+########################################
+## <summary>
+## Get the attributes of mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_getattr_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_getattr_spool_files',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+ dontaudit $1 mail_spool_t:lnk_file read;
+ dontaudit $1 mail_spool_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Create private objects in the
+## mail spool directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`mta_spool_filetrans',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_spool_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read and write the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file setattr;
+ rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+## <summary>
+## Create, read, and write the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_append_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+## <summary>
+## Delete from the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_delete_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+## <summary>
+## Search mail queue dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_search_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mqueue_spool_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+## List the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+#######################################
+## <summary>
+## Read the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and
+## write the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_rw_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+#######################################
+## <summary>
+## Read sendmail binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for postfix
+interface(`mta_read_sendmail_bin',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read and write unix domain stream sockets
+## of user mail domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_rw_user_mail_stream_sockets',`
+ gen_require(`
+ attribute user_mail_domain;
+ ')
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+')
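Review bot: In `mta_base_mail_template`, the `optional_policy` block that opens with `gen_require(type etc_mail_t, mail_spool_t, mqueue_spool_t;)` makes the `$1_mail_tmp_t` manage rules and `files_tmp_filetrans`, the `etc_mail_t` search, the `mail_spool_t`/`mqueue_spool_t` write access, `fs_getattr_xattr_fs` and `files_read_etc_runtime_files` all conditional on the sendmail module, because `sendmail_manage_log` and `sendmail_create_log` at the end of that block are the only calls in it that can fail to resolve once the mta module itself is loaded. `$1_mail_tmp_t` is declared unconditionally at the top of the template, so on a system without the sendmail module the type is dead and `$1_mail_t` cannot create its temp files or write the spool at all. Move the three types into the template's top-level `gen_require`, take everything from `manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)` through `files_read_etc_runtime_files($1_mail_t)` out of the block, and leave only the two `sendmail_*` calls wrapped in `optional_policy`. While there, `corenet_tcp_connect_smtp_port($1_mail_t)` is already implied by `corenet_tcp_connect_all_ports($1_mail_t)` on the line above it; connecting to every TCP port is broad for a user-invoked submission agent, so consider keeping only the smtp line or documenting why all ports are needed.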
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
new file mode 100644
index 00000000..51be8ac7
--- /dev/null
+++ b/policy/modules/contrib/mta.te
@@ -0,0 +1,294 @@
+policy_module(mta, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mailcontent_type;
+attribute mta_exec_type;
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mail_forward_t;
+files_type(mail_forward_t)
+
+type mqueue_spool_t;
+files_mountpoint(mqueue_spool_t)
+
+type mail_spool_t;
+files_mountpoint(mail_spool_t)
+
+type sendmail_exec_t;
+mta_agent_executable(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
+userdom_user_tmp_file(user_mail_tmp_t)
+
+########################################
+#
+# System mail local policy
+#
+
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+
+allow system_mail_t mail_forward_t:file read_file_perms;
+
+allow system_mail_t mta_exec_type:file entrypoint;
+
+can_exec(system_mail_t, mta_exec_type)
+
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
+
+dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
+
+files_read_usr_files(system_mail_t)
+
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+
+userdom_use_user_terminals(system_mail_t)
+userdom_dontaudit_search_user_home_dirs(system_mail_t)
+
+optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+')
+
+optional_policy(`
+ cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
+ milter_getattr_all_sockets(system_mail_t)
+')
+
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(system_mail_t)
+
+ postfix_exec_master(system_mail_t)
+ postfix_read_config(system_mail_t)
+ postfix_search_spool(system_mail_t)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+ postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
+ sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+')
+
+# should break this up among sections:
+
+optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+')
+
+########################################
+#
+# Mailserver delivery local policy
+#
+
+allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
+')
+
+optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
+')
+
+########################################
+#
+# User send mail local policy
+#
+
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
+
+optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+')
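Review bot: The five `userdom_manage_user_home_content_*` calls and the `userdom_user_home_dir_filetrans_user_home_content` for `mailserver_delivery` near the end of the hunk give every local delivery agent create/write/delete on all default-labelled home content of every user, plus the right to create new files, directories, pipes and sockets directly in home directories, so a compromised or misconfigured MDA can rewrite user-owned files such as shell startup files (if those carry the default home content label) rather than only drop mail into a maildir. The comment above them, `# for reading .forward - maybe we need a new type for it?`, is stale: `mail_forward_t` is declared in this same file and `mailserver_delivery` already gets `read_files_pattern` on it earlier in the hunk, so .forward is not a reason for this access. I would keep the maildir case but gate it, e.g. add `gen_tunable(mta_manage_home_content, false)` to the declarations section, wrap those six lines in a `tunable_policy` block keyed on that boolean, and replace the comment with `# maildir delivery into home directories; off by default, enable via mta_manage_home_content`. The `dac_override fowner` capabilities granted to `system_mail_t` near the top are likewise justified in the comment only by newaliases, yet any domain given `mta_send_mail` can transition into `system_mail_t`; consider moving them into the postfix `optional_policy` block where the `etc_aliases_t` management lives.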
diff --git a/policy/modules/contrib/munin.fc b/policy/modules/contrib/munin.fc
new file mode 100644
index 00000000..fd71d69f
--- /dev/null
+++ b/policy/modules/contrib/munin.fc
@@ -0,0 +1,69 @@
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
+
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
+# system plugins
+/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
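Review bot: The catch-all `/usr/share/munin/plugins/.*` entry labelled munin_exec_t means every plugin not matched by one of the longer per-plugin patterns below it is executed in munin_t itself (munin.te allows can_exec on munin_exec_t), i.e. with the node daemon's full permission set rather than one of the restricted plugin domains. That may well be the intended default, but it is an implicit privilege decision that should be stated next to the pattern rather than discovered by reading two files. I would add `# plugins without a dedicated domain below run in munin_t itself` directly above that line. The per-plugin entries are presumably resolved ahead of the catch-all by the usual most-specific-match rule, so no reordering is needed.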
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
new file mode 100644
index 00000000..c358d8fb
--- /dev/null
+++ b/policy/modules/contrib/munin.if
@@ -0,0 +1,203 @@
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## munin plugins,
+## </summary>
+## <param name="prefix">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ type munin_t, munin_exec_t, munin_etc_t;
+ ')
+
+ type $1_munin_plugin_t;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+ allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+ read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corecmd_exec_bin($1_munin_plugin_t)
+
+ miscfiles_read_localization($1_munin_plugin_t)
+')
+
+########################################
+## <summary>
+## Connect to munin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ allow $1 munin_t:unix_stream_socket connectto;
+ allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#######################################
+## <summary>
+## Read munin configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file { getattr read };
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Append to the munin log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+## <summary>
+## Search munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search
+## munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an munin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the munin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
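Review bot: munin_stream_connect grants connectto on munin_t and `{ getattr write }` on the munin_var_run_t sock_file but never search on the munin_var_run_t directory, and files_search_pids only covers /var/run itself; since munin.fc labels `/var/run/munin(/.*)?` as munin_var_run_t, a caller that traverses that directory to reach the socket will be denied. The refpolicy idiom covers all three pieces in one line, `stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)`, with `files_search_pids($1)` kept after it. In munin_plugin_template the plugin domains only get read_lnk_files_pattern on munin_etc_t and not the files; if the intent is that plugins receive their settings from munin-node rather than by reading /etc/munin, a one-line comment saying so would stop the next maintainer from "fixing" it with munin_read_config.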
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
new file mode 100644
index 00000000..f17583b6
--- /dev/null
+++ b/policy/modules/contrib/munin.te
@@ -0,0 +1,315 @@
+policy_module(munin, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type munin_t alias lrrd_t;
+type munin_exec_t alias lrrd_exec_t;
+init_daemon_domain(munin_t, munin_exec_t)
+
+type munin_etc_t alias lrrd_etc_t;
+files_config_file(munin_etc_t)
+
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
+type munin_log_t alias lrrd_log_t;
+logging_log_file(munin_log_t)
+
+type munin_tmp_t alias lrrd_tmp_t;
+files_tmp_file(munin_tmp_t)
+
+type munin_var_lib_t alias lrrd_var_lib_t;
+files_type(munin_var_lib_t)
+
+type munin_var_run_t alias lrrd_var_run_t;
+files_pid_file(munin_var_run_t)
+
+munin_plugin_template(disk)
+
+munin_plugin_template(mail)
+
+munin_plugin_template(services)
+
+munin_plugin_template(system)
+
+########################################
+#
+# Local policy
+#
+
+allow munin_t self:capability { chown dac_override setgid setuid };
+dontaudit munin_t self:capability sys_tty_config;
+allow munin_t self:process { getsched setsched signal_perms };
+allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+allow munin_t self:tcp_socket create_stream_socket_perms;
+allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+allow munin_t munin_etc_t:dir list_dir_perms;
+read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+files_search_etc(munin_t)
+
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
+
+manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+
+# Allow access to the munin databases
+manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+files_search_var_lib(munin_t)
+
+manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+files_pid_filetrans(munin_t, munin_var_run_t, file)
+
+kernel_read_system_state(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
+
+corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
+
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
+corenet_tcp_sendrecv_generic_if(munin_t)
+corenet_udp_sendrecv_generic_if(munin_t)
+corenet_tcp_sendrecv_generic_node(munin_t)
+corenet_udp_sendrecv_generic_node(munin_t)
+corenet_tcp_sendrecv_all_ports(munin_t)
+corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+
+dev_read_sysfs(munin_t)
+dev_read_urand(munin_t)
+
+domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
+
+files_read_etc_files(munin_t)
+files_read_etc_runtime_files(munin_t)
+files_read_usr_files(munin_t)
+files_list_spool(munin_t)
+
+fs_getattr_all_fs(munin_t)
+fs_search_auto_mountpoints(munin_t)
+
+auth_use_nsswitch(munin_t)
+
+logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+
+miscfiles_read_fonts(munin_t)
+miscfiles_read_localization(munin_t)
+
+sysnet_exec_ifconfig(munin_t)
+
+userdom_dontaudit_use_unpriv_user_fds(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
+
+optional_policy(`
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ apache_search_sys_content(munin_t)
+')
+
+optional_policy(`
+ cron_system_entry(munin_t, munin_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(munin_t)
+')
+
+optional_policy(`
+ udev_read_db(munin_t)
+')
+
+###################################
+#
+# local policy for disk plugins
+#
+
+allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corecmd_exec_shell(disk_munin_plugin_t)
+
+corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+
+files_read_etc_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
+fs_getattr_all_fs(disk_munin_plugin_t)
+
+dev_read_sysfs(disk_munin_plugin_t)
+dev_read_urand(disk_munin_plugin_t)
+
+storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+
+sysnet_read_config(disk_munin_plugin_t)
+
+optional_policy(`
+ hddtemp_exec(disk_munin_plugin_t)
+')
+
+optional_policy(`
+ fstools_exec(disk_munin_plugin_t)
+')
+
+####################################
+#
+# local policy for mail plugins
+#
+
+allow mail_munin_plugin_t self:capability dac_override;
+
+rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(mail_munin_plugin_t)
+
+files_read_etc_files(mail_munin_plugin_t)
+
+fs_getattr_all_fs(mail_munin_plugin_t)
+
+logging_read_generic_logs(mail_munin_plugin_t)
+
+mta_read_config(mail_munin_plugin_t)
+mta_send_mail(mail_munin_plugin_t)
+mta_read_queue(mail_munin_plugin_t)
+
+optional_policy(`
+ postfix_read_config(mail_munin_plugin_t)
+ postfix_list_spool(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+')
+
+###################################
+#
+# local policy for service plugins
+#
+
+allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow services_munin_plugin_t self:udp_socket create_socket_perms;
+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_all_ports(services_munin_plugin_t)
+corenet_tcp_connect_http_port(services_munin_plugin_t)
+
+dev_read_urand(services_munin_plugin_t)
+dev_read_rand(services_munin_plugin_t)
+
+fs_getattr_all_fs(services_munin_plugin_t)
+
+files_read_etc_files(services_munin_plugin_t)
+
+sysnet_read_config(services_munin_plugin_t)
+
+optional_policy(`
+ cups_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(services_munin_plugin_t)
+')
+
+optional_policy(`
+ mysql_read_config(services_munin_plugin_t)
+ mysql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(services_munin_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+')
+
+##################################
+#
+# local policy for system plugins
+#
+
+allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+kernel_read_network_state(system_munin_plugin_t)
+kernel_read_all_sysctls(system_munin_plugin_t)
+
+corecmd_exec_shell(system_munin_plugin_t)
+
+fs_getattr_all_fs(system_munin_plugin_t)
+
+dev_read_sysfs(system_munin_plugin_t)
+dev_read_urand(system_munin_plugin_t)
+
+domain_read_all_domains_state(system_munin_plugin_t)
+
+# needed by users plugin
+init_read_utmp(system_munin_plugin_t)
+
+sysnet_exec_ifconfig(system_munin_plugin_t)
+
+term_getattr_unallocated_ttys(system_munin_plugin_t)
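Review bot: disk_munin_plugin_t, mail_munin_plugin_t and system_munin_plugin_t get `rw_files_pattern(..., munin_var_lib_t, munin_var_lib_t)` but neither those blocks nor munin_plugin_template in munin.if call files_search_var_lib, so unless a plugin inherits an already-open descriptor from munin_t the path lookup through the var_lib_t parent of /var/lib/munin fails. Add `files_search_var_lib(disk_munin_plugin_t)`, `files_search_var_lib(mail_munin_plugin_t)` and `files_search_var_lib(system_munin_plugin_t)` beside those rules (or once in the template). Separately, in the services plugin block `corenet_tcp_connect_http_port(services_munin_plugin_t)` is subsumed by the `corenet_tcp_connect_all_ports` line directly above it; connecting to every TCP port is far wider than what munin_t itself is permitted and should either carry a comment naming the probes that need it or be narrowed to the port types those plugins actually contact.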
diff --git a/policy/modules/contrib/mutt.fc b/policy/modules/contrib/mutt.fc
new file mode 100644
index 00000000..9d645292
--- /dev/null
+++ b/policy/modules/contrib/mutt.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.mutt(/.*)? gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0)
+HOME_DIR/\.mutt_cache -- gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.mutt_certificates -- gen_context(system_u:object_r:mutt_home_t,s0)
+
+/etc/Muttrc -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/Muttrc\.local -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/mutt(/.*)? gen_context(system_u:object_r:mutt_etc_t,s0)
+
+/usr/bin/mutt -- gen_context(system_u:object_r:mutt_exec_t,s0)
diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if
new file mode 100644
index 00000000..5327f866
--- /dev/null
+++ b/policy/modules/contrib/mutt.if
@@ -0,0 +1,104 @@
+## <summary>Mutt e-mail client</summary>
+
+#######################################
+## <summary>
+## The role for using the mutt application.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`mutt_role',`
+ gen_require(`
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
+ type mutt_tmp_t;
+ ')
+
+ role $1 types mutt_t;
+
+ domtrans_pattern($2, mutt_exec_t, mutt_t)
+
+ allow $2 mutt_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ manage_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ relabel_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t)
+ relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t)
+
+ ps_process_pattern($2, mutt_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to read mutt's home files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the mutt_home_t files
+## </summary>
+## </param>
+#
+interface(`mutt_read_home_files',`
+ gen_require(`
+ type mutt_home_t;
+ ')
+
+ read_files_pattern($1, mutt_home_t, mutt_home_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to read mutt's temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the temporary files
+## </summary>
+## </param>
+#
+interface(`mutt_read_tmp_files',`
+ gen_require(`
+ type mutt_tmp_t;
+ ')
+
+ read_files_pattern($1, mutt_tmp_t, mutt_tmp_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to handle mutt's temporary files (used for instance
+## for e-mail drafts)
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read/write access to the temporary files
+## </summary>
+## </param>
+#
+interface(`mutt_rw_tmp_files',`
+ gen_require(`
+ type mutt_tmp_t;
+ ')
+
+ # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
+ allow $1 mutt_tmp_t:dir search_dir_perms;
+ allow $1 mutt_tmp_t:file { read write };
+ files_search_tmp($1)
+')
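Review bot: The comment in mutt_rw_tmp_files, `# The use of rw_files_pattern here is not needed, since this incurs the open privilege as well`, reads as though the pattern were merely superfluous, while the rule beneath it (`allow $1 mutt_tmp_t:file { read write };` with no open) shows the omission is the point: callers may use a descriptor mutt already opened but must not open mutt_tmp_t files themselves. Reword it to say that, e.g. `# Deliberately not rw_files_pattern(): that would also grant open; callers only act on descriptors handed over by mutt`. In mutt_role, `allow $2 mutt_t:process { ptrace signal_perms };` gives the user domain ptrace over the mail client; if tracing is not actually required, signal_perms alone is the narrower grant, and if it is, a short comment explaining why would help.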
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
new file mode 100644
index 00000000..e73ad17a
--- /dev/null
+++ b/policy/modules/contrib/mutt.te
@@ -0,0 +1,101 @@
+policy_module(mutt, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support attachment handling)
+## </p>
+## </desc>
+gen_tunable(mutt_manage_user_content, false)
+
+type mutt_t;
+type mutt_exec_t;
+application_domain(mutt_t, mutt_exec_t)
+ubac_constrained(mutt_t)
+
+type mutt_conf_t;
+userdom_user_home_content(mutt_conf_t)
+
+type mutt_etc_t;
+files_config_file(mutt_etc_t)
+
+type mutt_home_t;
+userdom_user_home_content(mutt_home_t)
+
+type mutt_tmp_t;
+files_tmp_file(mutt_tmp_t)
+ubac_constrained(mutt_tmp_t)
+
+############################
+#
+# Local Policy Rules
+#
+
+allow mutt_t self:process signal_perms;
+allow mutt_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
+manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
+userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file })
+
+manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
+
+read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
+
+read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
+
+
+kernel_read_system_state(mutt_t)
+kernel_dontaudit_search_sysctl(mutt_t)
+
+corecmd_exec_bin(mutt_t)
+corecmd_exec_shell(mutt_t)
+
+corenet_all_recvfrom_netlabel(mutt_t)
+corenet_all_recvfrom_unlabeled(mutt_t)
+corenet_sendrecv_pop_client_packets(mutt_t)
+corenet_sendrecv_smtp_client_packets(mutt_t)
+corenet_tcp_bind_generic_node(mutt_t)
+corenet_tcp_connect_pop_port(mutt_t)
+corenet_tcp_connect_smtp_port(mutt_t)
+corenet_tcp_sendrecv_generic_if(mutt_t)
+corenet_tcp_sendrecv_generic_node(mutt_t)
+corenet_tcp_sendrecv_pop_port(mutt_t)
+corenet_tcp_sendrecv_smtp_port(mutt_t)
+
+dev_read_rand(mutt_t)
+dev_read_urand(mutt_t)
+
+domain_use_interactive_fds(mutt_t)
+
+files_read_usr_files(mutt_t)
+
+
+auth_use_nsswitch(mutt_t)
+
+miscfiles_read_localization(mutt_t)
+
+userdom_search_user_home_content(mutt_t)
+userdom_use_user_terminals(mutt_t)
+
+optional_policy(`
+ gpg_domtrans(mutt_t)
+')
+
+optional_policy(`
+ xdg_manage_generic_cache_home_content(mutt_t)
+ xdg_read_generic_config_home_files(mutt_t)
+')
+
+tunable_policy(`mutt_manage_user_content',`
+ # Needed for handling attachments
+ userdom_manage_user_home_content_files(mutt_t)
+ userdom_manage_user_home_content_dirs(mutt_t)
+')
+
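Review bot: mutt_t may connect only to the pop and smtp port types (the corenet_tcp_connect_pop_port / corenet_tcp_connect_smtp_port lines), which invites the question of how IMAP users are covered; if, as I believe, the refpolicy pop port type already includes the IMAP/IMAPS ports, a comment such as `# pop_port_t also covers imap/imaps` above those lines saves the next reader a lookup, and if it does not, the missing port interface needs adding. Style: there are doubled blank lines after `read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)` and after `files_read_usr_files(mutt_t)`, plus a trailing blank line at end of file.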
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
new file mode 100644
index 00000000..716d6667
--- /dev/null
+++ b/policy/modules/contrib/mysql.fc
@@ -0,0 +1,32 @@
+# mysql database server
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
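Review bot: `/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)` is restricted to regular files, so on layouts that use a `/var/log/mysql/` directory the directory itself presumably keeps the generic var_log_t label while the files beneath it match mysqld_log_t; the daemon can then only create files there through a filetrans rule, and a relabel would not correct the directory. Compare `/var/log/munin.*` in munin.fc in the same series, which omits the `--` so the directory is labelled too. Either drop the `--` here as well or add an explicit `/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)` entry, depending on which layouts the module is meant to support.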
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
new file mode 100644
index 00000000..e9c09824
--- /dev/null
+++ b/policy/modules/contrib/mysql.if
@@ -0,0 +1,355 @@
+## <summary>Policy for MySQL</summary>
+
+######################################
+## <summary>
+## Execute MySQL in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans',`
+ gen_require(`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to MySQL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_signal',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, mysqld_t)
+ corenet_tcp_sendrecv_mysqld_port($1)
+ corenet_tcp_connect_mysqld_port($1)
+ corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
+## Connect to MySQL using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+')
+
+########################################
+## <summary>
+## Read MySQL configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_read_config',`
+ gen_require(`
+ type mysqld_etc_t;
+ ')
+
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Search the directories that contain MySQL
+## database storage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
+interface(`mysql_search_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete MySQL database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir manage_dir_perms;
+')
+
+#######################################
+## <summary>
+## Append to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_append_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete MySQL database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_manage_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+########################################
+## <summary>
+## Read and write to the MySQL database
+## named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_rw_db_sockets',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Write to the MySQL log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_write_log',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr };
+')
+
+######################################
+## <summary>
+## Execute MySQL server in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+#####################################
+## <summary>
+## Read MySQL PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_read_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#####################################
+## <summary>
+## Search MySQL PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`mysql_search_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the mysql domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t;
+ type mysqld_tmp_t, mysqld_db_t;
+ type mysqld_etc_t, mysqld_log_t;
+ type mysqld_initrc_exec_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mysqld_t)
+
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mysqld_var_run_t)
+
+ admin_pattern($1, mysqld_db_t)
+
+ admin_pattern($1, mysqld_etc_t)
+
+ admin_pattern($1, mysqld_log_t)
+
+ admin_pattern($1, mysqld_tmp_t)
+')
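Review bot: Several interface summaries in this file are wrong or duplicated: mysql_tcp_connect says `Allow the specified domain to connect to postgresql with a tcp socket.` for an interface that connects to the mysqld port, mysql_append_db_files and mysql_rw_db_files both describe themselves as acting on "the MySQL database directory" although they grant append/rw on files, and mysql_search_pid_files has a stray `##` line in its header. Fix the first to `## Connect to MySQL over a TCP socket.` and the other two to `## Append to MySQL database files.` and `## Read and write MySQL database files.`. The `cjp:` comment above mysql_search_db explains a `_dir` suffix that the interface name does not carry, so either the name or the comment is stale and the two should be brought back into agreement.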
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
new file mode 100644
index 00000000..1cf05a3a
--- /dev/null
+++ b/policy/modules/contrib/mysql.te
@@ -0,0 +1,239 @@
+policy_module(mysql, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
+## </desc>
+gen_tunable(mysql_connect_any, false)
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t, mysqld_exec_t)
+
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+
+type mysqld_db_t;
+files_type(mysqld_db_t)
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_config_file(mysqld_etc_t)
+
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+allow mysqld_t mysqld_etc_t:file read_file_perms;
+allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+allow mysqld_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_t, mysqld_log_t, file)
+
+manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
+manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
+corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
+corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
+corenet_tcp_bind_generic_node(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
+
+domain_use_interactive_fds(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
+files_read_etc_runtime_files(mysqld_t)
+files_read_etc_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+
+auth_use_nsswitch(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+sysnet_read_config(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+# for /root/.my.cnf - should not be needed:
+userdom_read_user_home_content_files(mysqld_t)
+
+ifdef(`distro_redhat',`
+ # because Fedora has the sock_file in the database directory
+ type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+')
+
+tunable_policy(`mysql_connect_any',`
+ corenet_tcp_connect_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`
+ udev_read_db(mysqld_t)
+')
+
+#######################################
+#
+# Local mysqld_safe policy
+#
+
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+
+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+
+kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+
+dev_list_sysfs(mysqld_safe_t)
+
+domain_read_all_domains_state(mysqld_safe_t)
+
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+hostname_exec(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
+
+########################################
+#
+# MySQL Manager Policy
+#
+
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
+
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqlmanagerd_t)
+
+corecmd_exec_shell(mysqlmanagerd_t)
+
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+
+dev_read_urand(mysqlmanagerd_t)
+
+files_read_etc_files(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+
+miscfiles_read_localization(mysqlmanagerd_t)
+
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
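Review bot: The unconditional `userdom_read_user_home_content_files(mysqld_t)` contradicts the comment directly above it, which says the access "should not be needed"; letting a network-facing daemon read every user's home content just to pick up /root/.my.cnf is a broad grant to leave in by default. If it has to stay, gate it behind a tunable the way the `mysql_connect_any` block already does, and reword the comment to state why it is kept rather than that it is unnecessary, e.g. `# for /root/.my.cnf; read access to all user home content is wider than needed`. Separately, `mysql_read_config(initrc_t)` in the manager section names `initrc_t`, which this module neither declares nor requires; unless the build adds the requirement automatically, that rule belongs in an optional_policy block or on the init side.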
diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc
new file mode 100644
index 00000000..1fc99057
--- /dev/null
+++ b/policy/modules/contrib/nagios.fc
@@ -0,0 +1,88 @@
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+# admin plugins
+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+
+# check disk plugins
+/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+# mail plugins
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
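Review bot: The `ifdef(`distro_debian'` block labels `/usr/sbin/nagios` with the same type that the unconditional `/usr/s?bin/nagios` entry already assigns, so the Debian-specific entry is redundant and can be dropped. Under the `# system plugins` heading, check_breeze and check_dummy are labelled nagios_services_plugin_exec_t while every other entry in that group is nagios_system_plugin_exec_t; either move those two lines under `# services plugins` or add a comment saying why they differ. `/var/run/nagios.*` is the only pattern with an unescaped dot, so it also matches names such as `/var/run/nagiosfoo`; if only `nagios` and `nagios.<suffix>` are intended, `/var/run/nagios(\..*)?` is the tighter form.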
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
new file mode 100644
index 00000000..8581040e
--- /dev/null
+++ b/policy/modules/contrib/nagios.if
@@ -0,0 +1,229 @@
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## nagios plugins,
+## </summary>
+## <param name="plugins_group_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`nagios_plugin_template',`
+
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_log_t;
+ ')
+
+ type nagios_$1_plugin_t;
+ type nagios_$1_plugin_exec_t;
+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ role system_r types nagios_$1_plugin_t;
+
+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ # needed by command.cfg
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ allow nagios_t nagios_$1_plugin_t:process signal_perms;
+
+ # cjp: leaked file descriptor
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
+ miscfiles_read_localization(nagios_$1_plugin_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write nagios
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+ gen_require(`
+ type nagios_t;
+ ')
+
+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_read_config',`
+ gen_require(`
+ type nagios_etc_t;
+ ')
+
+ allow $1 nagios_etc_t:dir list_dir_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+######################################
+## <summary>
+## Read nagios logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, nagios_log_t, nagios_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write nagios logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_rw_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ dontaudit $1 nagios_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search nagios spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_search_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Execute the nagios NRPE with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_nrpe',`
+ gen_require(`
+ type nrpe_t, nrpe_exec_t;
+ ')
+
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nagios environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nagios domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_admin',`
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_tmp_t, nagios_log_t;
+ type nagios_etc_t, nrpe_etc_t;
+ type nagios_spool_t, nagios_var_run_t;
+ type nagios_initrc_exec_t;
+ ')
+
+ allow $1 nagios_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nagios_t)
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nagios_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
+
+ admin_pattern($1, nrpe_etc_t)
+')
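Review bot: `nagios_admin` lists `nrpe_t` in its gen_require but never uses it, so the admin role gets ptrace, signal and ps access on nagios_t only; either drop `nrpe_t` from the require block or, if the admin is meant to manage NRPE as well, add `allow $1 nrpe_t:process { ptrace signal_perms };` and `ps_process_pattern($1, nrpe_t)` next to the nagios_t rules. `nagios_dontaudit_rw_pipes` carries a `<rolecap/>` tag although it only adds a dontaudit rule and grants no role capability; the tag should be removed there, and `nagios_read_config` is similar. The template summary ends on a stray comma; it should read `## nagios plugins.`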
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
new file mode 100644
index 00000000..e3e005b0
--- /dev/null
+++ b/policy/modules/contrib/nagios.te
@@ -0,0 +1,393 @@
+policy_module(nagios, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t, nagios_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
+nagios_plugin_template(admin)
+nagios_plugin_template(checkdisk)
+nagios_plugin_template(mail)
+nagios_plugin_template(services)
+nagios_plugin_template(system)
+nagios_plugin_template(unconfined)
+
+type nagios_system_plugin_tmp_t;
+files_tmp_file(nagios_system_plugin_tmp_t)
+
+type nrpe_t;
+type nrpe_exec_t;
+init_daemon_domain(nrpe_t, nrpe_exec_t)
+
+type nrpe_etc_t;
+files_config_file(nrpe_etc_t)
+
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:tcp_socket create_stream_socket_perms;
+allow nagios_t self:udp_socket create_socket_perms;
+
+read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+allow nagios_t nagios_etc_t:dir list_dir_perms;
+
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
+
+manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
+
+manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+
+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_udp_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_generic_node(nagios_t)
+corenet_udp_sendrecv_generic_node(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+corenet_udp_sendrecv_all_ports(nagios_t)
+corenet_tcp_connect_all_ports(nagios_t)
+
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
+dev_read_sysfs(nagios_t)
+dev_read_urand(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+# for ps
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_files(nagios_t)
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+files_search_spool(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+# for who
+init_read_utmp(nagios_t)
+
+auth_use_nsswitch(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_user_home_dirs(nagios_t)
+
+mta_send_mail(nagios_t)
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_t)
+ netutils_signal_ping(nagios_t)
+ netutils_kill_ping(nagios_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+ udev_read_db(nagios_t)
+')
+
+########################################
+#
+# Nagios CGI local policy
+#
+optional_policy(`
+ apache_content_template(nagios)
+ typealias httpd_nagios_script_t alias nagios_cgi_t;
+ typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+
+ allow httpd_nagios_script_t self:process signal_perms;
+
+ read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+
+ files_search_spool(httpd_nagios_script_t)
+ rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+ allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+ read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+
+ allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+ read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+ read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+
+ kernel_read_system_state(httpd_nagios_script_t)
+
+ domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+
+ files_read_etc_runtime_files(httpd_nagios_script_t)
+ files_read_kernel_symbol_table(httpd_nagios_script_t)
+
+ logging_send_syslog_msg(httpd_nagios_script_t)
+')
+
+########################################
+#
+# Nagios remote plugin executor local policy
+#
+
+allow nrpe_t self:capability { setuid setgid };
+dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
+allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+allow nrpe_t self:fifo_file rw_fifo_file_perms;
+allow nrpe_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+
+read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
+files_search_etc(nrpe_t)
+
+manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+
+kernel_read_kernel_sysctls(nrpe_t)
+kernel_read_software_raid_state(nrpe_t)
+kernel_read_system_state(nrpe_t)
+
+corecmd_exec_bin(nrpe_t)
+corecmd_exec_shell(nrpe_t)
+
+corenet_tcp_bind_generic_node(nrpe_t)
+corenet_tcp_bind_inetd_child_port(nrpe_t)
+corenet_sendrecv_unlabeled_packets(nrpe_t)
+
+dev_read_sysfs(nrpe_t)
+dev_read_urand(nrpe_t)
+
+domain_use_interactive_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
+
+files_read_etc_runtime_files(nrpe_t)
+files_read_etc_files(nrpe_t)
+
+fs_getattr_all_fs(nrpe_t)
+fs_search_auto_mountpoints(nrpe_t)
+
+auth_use_nsswitch(nrpe_t)
+
+logging_send_syslog_msg(nrpe_t)
+
+miscfiles_read_localization(nrpe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(nrpe_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nrpe_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(nrpe_t)
+')
+
+#####################################
+#
+# local policy for admin check plugins
+#
+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+dev_read_urand(nagios_admin_plugin_t)
+dev_getattr_all_chr_files(nagios_admin_plugin_t)
+dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+files_read_etc_files(nagios_admin_plugin_t)
+# for check_file_age plugin
+files_getattr_all_dirs(nagios_admin_plugin_t)
+files_getattr_all_files(nagios_admin_plugin_t)
+files_getattr_all_symlinks(nagios_admin_plugin_t)
+files_getattr_all_pipes(nagios_admin_plugin_t)
+files_getattr_all_sockets(nagios_admin_plugin_t)
+files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+
+######################################
+#
+# local policy for mail check plugins
+#
+
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(nagios_mail_plugin_t)
+kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+
+corecmd_read_bin_files(nagios_mail_plugin_t)
+corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+
+dev_read_urand(nagios_mail_plugin_t)
+
+files_read_etc_files(nagios_mail_plugin_t)
+
+logging_send_syslog_msg(nagios_mail_plugin_t)
+
+sysnet_read_config(nagios_mail_plugin_t)
+
+optional_policy(`
+ mta_send_mail(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ postfix_stream_connect_master(nagios_mail_plugin_t)
+ posftix_exec_postqueue(nagios_mail_plugin_t)
+')
+
+######################################
+#
+# local policy for disk check plugins
+#
+
+# needed by ioctl()
+allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
+files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+#######################################
+#
+# local policy for service check plugins
+#
+
+allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+allow nagios_services_plugin_t self:process { signal sigkill };
+
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+
+corecmd_exec_bin(nagios_services_plugin_t)
+
+corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
+
+auth_use_nsswitch(nagios_services_plugin_t)
+
+domain_read_all_domains_state(nagios_services_plugin_t)
+
+files_read_usr_files(nagios_services_plugin_t)
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
+')
+
+######################################
+#
+# local policy for system check plugins
+#
+
+allow nagios_system_plugin_t self:capability dac_override;
+dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+
+# check_log
+manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
+kernel_read_system_state(nagios_system_plugin_t)
+kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+corecmd_exec_bin(nagios_system_plugin_t)
+corecmd_exec_shell(nagios_system_plugin_t)
+
+dev_read_sysfs(nagios_system_plugin_t)
+dev_read_urand(nagios_system_plugin_t)
+
+domain_read_all_domains_state(nagios_system_plugin_t)
+
+files_read_etc_files(nagios_system_plugin_t)
+
+# needed by check_users plugin
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
+
+########################################
+#
+# Unconfined plugin policy
+#
+
+optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+')
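Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` in the mail-plugin optional block looks like a misspelling of `postfix_exec_postqueue`; unless postfix.if really defines an interface under that name, m4 leaves the call unexpanded and the module fails to build. In the CGI block the two log rules use nagios_etc_t as the directory type, `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)`, which only allows reading log files reached through an etc-labelled directory; the intended lines are presumably `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`, matching the `list_dir_perms` rule just above them. The checkdisk plugin is granted sys_admin and sys_rawio with only `# needed by ioctl()` as justification; naming the ioctl and the plugin that issues it would let a later reviewer check whether a capability this close to full root is still required. The unconditional `domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)` in the NRPE section duplicates the transition nagios_plugin_template already emits for every plugin group and can be dropped.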
diff --git a/policy/modules/contrib/ncftool.fc b/policy/modules/contrib/ncftool.fc
new file mode 100644
index 00000000..ca1a0e28
--- /dev/null
+++ b/policy/modules/contrib/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/contrib/ncftool.if b/policy/modules/contrib/ncftool.if
new file mode 100644
index 00000000..a648982c
--- /dev/null
+++ b/policy/modules/contrib/ncftool.if
@@ -0,0 +1,44 @@
+## <summary>Netcf network configuration tool (ncftool).</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ncftool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+## Execute ncftool in the ncftool domain, and
+## allow the specified role the ncftool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the ncftool domain.
+## </summary>
+## </param>
+#
+interface(`ncftool_run',`
+ gen_require(`
+ attribute_role ncftool_roles;
+ ')
+
+ ncftool_domtrans($1)
+ roleattribute $2 ncftool_roles;
+')
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
new file mode 100644
index 00000000..f19ca0bf
--- /dev/null
+++ b/policy/modules/contrib/ncftool.te
@@ -0,0 +1,81 @@
+policy_module(ncftool, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ncftool_roles;
+roleattribute system_r ncftool_roles;
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role ncftool_roles types ncftool_t;
+
+########################################
+#
+# ncftool local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_use_user_terminals(ncftool_t)
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(ncftool_t)
+ modutils_run_insmod(ncftool_t, ncftool_roles)
+')
+
+optional_policy(`
+ netutils_run(ncftool_t, ncftool_roles)
+')
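Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` grants sys_ptrace to an interactive application domain with no comment saying which netcf operation needs it, and combined with `domain_read_all_domains_state(ncftool_t)` it lets the tool read protected /proc state of every process. If the grant only silences a denial seen while netcf probes other processes, the usual refpolicy treatment is `dontaudit ncftool_t self:capability sys_ptrace;`; otherwise a comment such as `# sys_ptrace: needed for <netcf operation — TODO confirm>` above the allow line would let the next maintainer justify keeping it.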
diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc
new file mode 100644
index 00000000..74da57f8
--- /dev/null
+++ b/policy/modules/contrib/nessus.fc
@@ -0,0 +1,10 @@
+
+/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0)
+
+/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0)
+
+/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0)
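Review bot: `/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)` labels every plugin file with the daemon's own entrypoint type, so any domain given a transition on nessusd_exec_t can also enter nessusd_t by executing a plugin, and nessusd_t itself appears to get no `can_exec(nessusd_t, nessusd_exec_t)` in nessus.te to run them without a transition. A dedicated plugin type (for example `nessusd_plugin_t`, marked with `files_type` and executed via `can_exec`) would separate the two roles; please confirm how nessusd actually invokes plugins before choosing. The file also opens with an empty line, which the other .fc files in this commit do not.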
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
new file mode 100644
index 00000000..6ec80038
--- /dev/null
+++ b/policy/modules/contrib/nessus.if
@@ -0,0 +1,15 @@
+## <summary>Nessus network scanning daemon</summary>
+
+########################################
+## <summary>
+## Connect to nessus over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nessus_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
new file mode 100644
index 00000000..b16c3873
--- /dev/null
+++ b/policy/modules/contrib/nessus.te
@@ -0,0 +1,105 @@
+policy_module(nessus, 1.7.0)
+
+########################################
+#
+# Local policy
+#
+
+type nessusd_t;
+type nessusd_exec_t;
+init_daemon_domain(nessusd_t, nessusd_exec_t)
+
+type nessusd_db_t;
+files_type(nessusd_db_t)
+
+type nessusd_etc_t;
+files_config_file(nessusd_etc_t)
+
+type nessusd_log_t;
+logging_log_file(nessusd_log_t)
+
+type nessusd_var_run_t;
+files_pid_file(nessusd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow nessusd_t self:capability net_raw;
+dontaudit nessusd_t self:capability sys_tty_config;
+allow nessusd_t self:process { setsched signal_perms };
+allow nessusd_t self:fifo_file rw_fifo_file_perms;
+allow nessusd_t self:tcp_socket create_stream_socket_perms;
+allow nessusd_t self:udp_socket create_socket_perms;
+allow nessusd_t self:rawip_socket create_socket_perms;
+allow nessusd_t self:packet_socket create_socket_perms;
+
+# Allow access to the nessusd authentication database
+manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+files_list_var_lib(nessusd_t)
+
+allow nessusd_t nessusd_etc_t:file read_file_perms;
+files_search_etc(nessusd_t)
+
+manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })
+
+manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
+files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
+
+kernel_read_system_state(nessusd_t)
+kernel_read_kernel_sysctls(nessusd_t)
+
+# for nmap etc
+corecmd_exec_bin(nessusd_t)
+
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
+corenet_tcp_sendrecv_generic_if(nessusd_t)
+corenet_udp_sendrecv_generic_if(nessusd_t)
+corenet_raw_sendrecv_generic_if(nessusd_t)
+corenet_tcp_sendrecv_generic_node(nessusd_t)
+corenet_udp_sendrecv_generic_node(nessusd_t)
+corenet_raw_sendrecv_generic_node(nessusd_t)
+corenet_tcp_sendrecv_all_ports(nessusd_t)
+corenet_udp_sendrecv_all_ports(nessusd_t)
+corenet_tcp_bind_generic_node(nessusd_t)
+corenet_tcp_bind_nessus_port(nessusd_t)
+corenet_tcp_connect_all_ports(nessusd_t)
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_sendrecv_nessus_server_packets(nessusd_t)
+
+dev_read_sysfs(nessusd_t)
+dev_read_urand(nessusd_t)
+
+domain_use_interactive_fds(nessusd_t)
+
+files_read_etc_files(nessusd_t)
+files_read_etc_runtime_files(nessusd_t)
+
+fs_getattr_all_fs(nessusd_t)
+fs_search_auto_mountpoints(nessusd_t)
+
+logging_send_syslog_msg(nessusd_t)
+
+miscfiles_read_localization(nessusd_t)
+
+sysnet_read_config(nessusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
+
+optional_policy(`
+ nis_use_ypbind(nessusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nessusd_t)
+')
+
+optional_policy(`
+ udev_read_db(nessusd_t)
+')
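Review bot: The two section headers in nessus.te are swapped: the `# Local policy` banner sits above the `type nessusd_t;` declarations and the `# Declarations` banner sits above the `allow nessusd_t self:capability net_raw;` rules, the reverse of ncftool.te and networkmanager.te in this commit. Exchange the two banner titles so the file follows the refpolicy layout.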
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
new file mode 100644
index 00000000..fdd48780
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.fc
@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
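Review bot: `/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)` lacks the trailing `?` every other directory pattern in this file uses, so the dispatcher.d directory itself is never matched and only its contents are labelled; it should read `/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)`. The dots in `/usr/libexec/nm-dispatcher.action`, `/var/log/wpa_supplicant.*` and `/var/run/nm-dhclient.*` are also unescaped and so match any character, unlike `NetworkManager\.pid`. The final `/usr/bin/wpa_cli` entry is out of the path-sorted order the rest of the file keeps.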
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
new file mode 100644
index 00000000..adb90d4e
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.if
@@ -0,0 +1,258 @@
+## <summary>Manager for dynamically switching between networks.</summary>
+
+########################################
+## <summary>
+## Read and write NetworkManager UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+#######################################
+## <summary>
+## Allow caller to relabel tun_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read and write NetworkManager netlink
+## routing sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute NetworkManager with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## NetworkManager over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+## Read NetworkManager lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit use of wpa_cli file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_use_wpa_cli_fds',`
+ gen_require(`
+ type wpa_cli_t;
+ ')
+
+ dontaudit $1 wpa_cli_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Execute wpa_cli in the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`networkmanager_domtrans_wpa_cli',`
+ gen_require(`
+ type wpa_cli_t, wpa_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t)
+')
+
+########################################
+## <summary>
+## Execute wpa cli in the wpa_cli domain, and
+## allow the specified role the wpa_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run_wpa_cli',`
+ gen_require(`
+ type wpa_cli_exec_t;
+ ')
+
+ networkmanager_domtrans_wpa_cli($1)
+ role $2 types wpa_cli_t;
+')
+
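Review bot: `networkmanager_run_wpa_cli` requires only `type wpa_cli_exec_t;` yet its body uses `role $2 types wpa_cli_t;`, so wpa_cli_t is referenced without being in the interface's gen_require; the require block should be `type wpa_cli_t;` (wpa_cli_exec_t is not used directly here, since `networkmanager_domtrans_wpa_cli` carries its own require). The hunk also ends with two consecutive blank lines before `networkmanager_domtrans_wpa_cli` and a trailing blank line at the end of the file.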
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
new file mode 100644
index 00000000..8c101a8e
--- /dev/null
+++ b/policy/modules/contrib/networkmanager.te
@@ -0,0 +1,319 @@
+policy_module(networkmanager, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type NetworkManager_t;
+type NetworkManager_exec_t;
+init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
+type NetworkManager_var_run_t;
+files_pid_file(NetworkManager_var_run_t)
+
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+type wpa_cli_var_run_t;
+files_pid_file(wpa_cli_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
+allow NetworkManager_t self:udp_socket create_socket_perms;
+allow NetworkManager_t self:packet_socket create_socket_perms;
+
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
+files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(NetworkManager_t)
+kernel_read_network_state(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
+
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
+corenet_tcp_sendrecv_generic_if(NetworkManager_t)
+corenet_udp_sendrecv_generic_if(NetworkManager_t)
+corenet_raw_sendrecv_generic_if(NetworkManager_t)
+corenet_tcp_sendrecv_generic_node(NetworkManager_t)
+corenet_udp_sendrecv_generic_node(NetworkManager_t)
+corenet_raw_sendrecv_generic_node(NetworkManager_t)
+corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_bind_generic_node(NetworkManager_t)
+corenet_udp_bind_isakmp_port(NetworkManager_t)
+corenet_udp_bind_dhcpc_port(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
+
+dev_read_sysfs(NetworkManager_t)
+dev_read_rand(NetworkManager_t)
+dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
+
+fs_getattr_all_fs(NetworkManager_t)
+fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
+
+mls_file_read_all_levels(NetworkManager_t)
+
+selinux_dontaudit_search_fs(NetworkManager_t)
+
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_confined_domains_state(NetworkManager_t)
+
+files_read_etc_files(NetworkManager_t)
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
+init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
+init_domtrans_script(NetworkManager_t)
+init_domtrans_script(wpa_cli_t)
+
+auth_use_nsswitch(NetworkManager_t)
+
+logging_send_syslog_msg(NetworkManager_t)
+logging_send_syslog_msg(wpa_cli_t)
+
+miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
+
+modutils_domtrans_insmod(NetworkManager_t)
+
+seutil_read_config(NetworkManager_t)
+
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_manage_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
+
+userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
+userdom_use_user_ttys(wpa_cli_t)
+userdom_use_user_ptys(wpa_cli_t)
+# Read gnome-keyring
+userdom_read_user_home_content_files(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
+ bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_read_helper_state(NetworkManager_t)
+')
+
+optional_policy(`
+ consoletype_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
+')
+
+optional_policy(`
+ howl_signal(NetworkManager_t)
+')
+
+optional_policy(`
+ iptables_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
+')
+
+optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
+ ppp_manage_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+')
+
+optional_policy(`
+ vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
+')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)
+
+fs_search_tmpfs(wpa_cli_t)
+fs_search_tmpfs(NetworkManager_t)
+fs_rw_tmpfs_files(wpa_cli_t)
+fs_rw_tmpfs_files(NetworkManager_t)
+fs_manage_tmpfs_dirs(wpa_cli_t)
+fs_manage_tmpfs_sockets(wpa_cli_t)
+fs_manage_tmpfs_sockets(NetworkManager_t)
+getty_use_fds(wpa_cli_t)
+files_search_pids(wpa_cli_t)
+corecmd_exec_shell(wpa_cli_t)
+corecmd_exec_bin(wpa_cli_t)
+domain_use_interactive_fds(wpa_cli_t)
+
+ifdef(`distro_gentoo',`
+ sysnet_domtrans_dhcpc(wpa_cli_t)
+ allow wpa_cli_t etc_t:file { getattr };
+')
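Review bot: sys_ptrace is both granted and silenced for NetworkManager_t: it appears in `allow NetworkManager_t self:capability { ... sys_ptrace ... };` and again in `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };`, and the comment above ("will ptrace itself if gdb is installed") reads as a justification for the dontaudit rather than for the allow. Drop sys_ptrace from one of the two lines, keeping the dontaudit if the self-ptrace on crash is the only use. In the `distro_gentoo` block, `allow wpa_cli_t etc_t:file { getattr };` uses the files module's type directly, which refpolicy forbids in a .te; use `files_getattr_etc_files(wpa_cli_t)` instead.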
diff --git a/policy/modules/contrib/nginx.fc b/policy/modules/contrib/nginx.fc
new file mode 100644
index 00000000..8a1cc51d
--- /dev/null
+++ b/policy/modules/contrib/nginx.fc
@@ -0,0 +1,63 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+# nginx executable will have:
+# label: system_u:object_r:nginx_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+#
+# /etc
+#
+/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
+/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
+
+#
+# /var
+#
+/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0)
+/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
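Review bot: `nginx_admin` in nginx.if names nginx_var_lib_t and nginx_var_run_t, but this file labels no /var/lib/nginx or /var/run/nginx path, so if nginx.te declares those types their files will receive them only through file transitions and will be relabelled away by any restorecon. If the types exist, add matching entries alongside `/var/log/nginx(/.*)?`, such as `/var/run/nginx(/.*)? gen_context(system_u:object_r:nginx_var_run_t,s0)`; the .te's declarations are outside this chunk, so confirm against it first.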
diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
new file mode 100644
index 00000000..8b41b378
--- /dev/null
+++ b/policy/modules/contrib/nginx.if
@@ -0,0 +1,101 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+## <summary>policy for nginx</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nginx.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nginx_domtrans',`
+ gen_require(`
+ type nginx_t, nginx_exec_t;
+ ')
+ allow nginx_t $1:fd use;
+ allow nginx_t $1:fifo_file rw_file_perms;
+ allow nginx_t $1:process sigchld;
+
+ domain_auto_trans($1,nginx_exec_t,nginx_t)
+')
+
+########################################
+## <summary>
+## Administer the nginx domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nginx domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nginx_admin',`
+ gen_require(`
+ type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_run_t;
+ ')
+
+ allow $1 nginx_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nginx_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nginx_conf_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, nginx_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nginx_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nginx_var_run_t)
+')
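Review bot: `nginx_domtrans` hand-writes the transition with `allow nginx_t $1:fd use;`, `allow nginx_t $1:fifo_file rw_file_perms;`, `allow nginx_t $1:process sigchld;` and the deprecated `domain_auto_trans($1,nginx_exec_t,nginx_t)`, while every other domtrans interface in this commit (ncftool_domtrans, networkmanager_domtrans) uses the single `domtrans_pattern($1, nginx_exec_t, nginx_t)`, which covers the same permissions. The fifo rule also uses `rw_file_perms` on a fifo_file class where `rw_fifo_file_perms` is the matching permission set. Replacing the four lines with `domtrans_pattern($1, nginx_exec_t, nginx_t)` fixes both.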
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
new file mode 100644
index 00000000..8b21d760
--- /dev/null
+++ b/policy/modules/contrib/nginx.te
@@ -0,0 +1,193 @@
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+# Stuart Cianos
+# Email: scianos@alphavida.com
+#
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+policy_module(nginx,1.0.10)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nginx to serve HTTP content (act as an http server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_http_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as an imap proxy server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_imap_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as a pop3 server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_pop3_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to act as an smtp server)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_enable_smtp_server, false)
+
+## <desc>
+## <p>
+## Allow nginx to connect to remote HTTP servers
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_can_network_connect_http, false)
+
+## <desc>
+## <p>
+## Allow nginx to connect to remote servers (regardless of protocol)
+## </p>
+## </desc>
+gen_tunable(gentoo_nginx_can_network_connect, false)
+
+type nginx_t;
+type nginx_exec_t;
+init_daemon_domain(nginx_t, nginx_exec_t)
+
+# conf files
+type nginx_conf_t;
+files_type(nginx_conf_t)
+
+# log files
+type nginx_log_t;
+logging_log_file(nginx_log_t)
+
+# tmp files
+type nginx_tmp_t;
+files_tmp_file(nginx_tmp_t)
+
+# var/lib files
+type nginx_var_lib_t;
+files_type(nginx_var_lib_t)
+
+# pid files
+type nginx_var_run_t;
+files_pid_file(nginx_var_run_t)
+
+########################################
+#
+# nginx local policy
+#
+
+allow nginx_t self:fifo_file { read write };
+allow nginx_t self:unix_stream_socket create_stream_socket_perms;
+allow nginx_t self:tcp_socket { listen accept };
+allow nginx_t self:capability { setuid net_bind_service setgid chown };
+
+# conf files
+list_dirs_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
+read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
+
+# log files
+manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
+logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
+
+
+# pid file
+manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
+manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
+files_pid_filetrans(nginx_t, nginx_var_run_t, file)
+
+# tmp files
+manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
+manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
+files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
+
+# var/lib files
+create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
+create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
+files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
+
+
+kernel_read_kernel_sysctls(nginx_t)
+corenet_tcp_bind_generic_node(nginx_t)
+corenet_tcp_sendrecv_generic_if(nginx_t)
+corenet_tcp_sendrecv_generic_node(nginx_t)
+
+dev_read_rand(nginx_t)
+dev_read_urand(nginx_t)
+
+domain_use_interactive_fds(nginx_t)
+
+files_read_etc_files(nginx_t)
+
+
+miscfiles_read_localization(nginx_t)
+sysnet_dns_name_resolve(nginx_t)
+
+
+tunable_policy(`gentoo_nginx_enable_http_server',`
+ corenet_tcp_bind_http_port(nginx_t)
+ apache_read_sys_content(nginx_t)
+')
+
+# We enable both binding and connecting, since nginx acts here as a reverse proxy
+tunable_policy(`gentoo_nginx_enable_imap_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_enable_pop3_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_enable_smtp_server',`
+ corenet_tcp_bind_smtp_port(nginx_t)
+ corenet_tcp_connect_smtp_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_can_network_connect_http',`
+ corenet_tcp_connect_http_port(nginx_t)
+')
+
+tunable_policy(`gentoo_nginx_can_network_connect',`
+ corenet_tcp_connect_all_ports(nginx_t)
+')
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
new file mode 100644
index 00000000..15448d53
--- /dev/null
+++ b/policy/modules/contrib/nis.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+
+/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
new file mode 100644
index 00000000..abe3f7f3
--- /dev/null
+++ b/policy/modules/contrib/nis.if
@@ -0,0 +1,396 @@
+## <summary>Policy for NIS (YP) servers and clients</summary>
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </summary>
+## <desc>
+## <p>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </p>
+## <p>
+## This interface was added because of apache and
+## spamassassin, to fix a nested conditionals problem.
+## When that support is added, this should be removed,
+## and the regular interface should be used.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ allow $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+ allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+## Use the ypbind service to access NIS services.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to use the ypbind service
+## to access Network Information Service (NIS) services.
+## Information that can be retreived from NIS includes
+## usernames, passwords, home directories, and groups.
+## If the network is configured to have a single sign-on
+## using NIS, it is likely that any program that does
+## authentication will need this access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+## <rolecap/>
+#
+interface(`nis_use_ypbind',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ ')
+')
+
+########################################
+## <summary>
+## Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+')
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
+
+########################################
+## <summary>
+## Send generic signals to ypbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ allow $1 ypbind_t:process signal;
+')
+
+########################################
+## <summary>
+## List the contents of the NIS data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_list_var_yp',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_yp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to NIS clients. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_udp_send_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to ypbind over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_tcp_connect_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete ypbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
+')
+
+########################################
+## <summary>
+## Read ypserv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute ypxfr in the ypxfr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_domtrans_ypxfr',`
+ gen_require(`
+ type ypxfr_t, ypxfr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
+')
+
+########################################
+## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nis_initrc_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_admin',`
+ gen_require(`
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ ')
+
+ allow $1 ypbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypbind_t)
+
+ allow $1 yppasswdd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+ nis_initrc_domtrans_ypbind($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, ypbind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ypbind_var_run_t)
+
+ admin_pattern($1, yppasswdd_var_run_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
+ admin_pattern($1, ypserv_tmp_t)
+
+ admin_pattern($1, ypserv_var_run_t)
+')
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
new file mode 100644
index 00000000..4876caec
--- /dev/null
+++ b/policy/modules/contrib/nis.te
@@ -0,0 +1,347 @@
+policy_module(nis, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
+type var_yp_t;
+files_type(var_yp_t)
+
+type ypbind_t;
+type ypbind_exec_t;
+init_daemon_domain(ypbind_t, ypbind_exec_t)
+
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
+type ypbind_tmp_t;
+files_tmp_file(ypbind_tmp_t)
+
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
+type yppasswdd_t;
+type yppasswdd_exec_t;
+init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
+domain_obj_id_change_exemption(yppasswdd_t)
+
+type yppasswdd_var_run_t;
+files_pid_file(yppasswdd_var_run_t)
+
+type ypserv_t;
+type ypserv_exec_t;
+init_daemon_domain(ypserv_t, ypserv_exec_t)
+
+type ypserv_conf_t;
+files_type(ypserv_conf_t)
+
+type ypserv_tmp_t;
+files_tmp_file(ypserv_tmp_t)
+
+type ypserv_var_run_t;
+files_pid_file(ypserv_var_run_t)
+
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
+########################################
+#
+# ypbind local policy
+
+dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
+allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+
+manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
+files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+
+manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+
+kernel_read_system_state(ypbind_t)
+kernel_read_kernel_sysctls(ypbind_t)
+
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
+corenet_tcp_sendrecv_generic_if(ypbind_t)
+corenet_udp_sendrecv_generic_if(ypbind_t)
+corenet_tcp_sendrecv_generic_node(ypbind_t)
+corenet_udp_sendrecv_generic_node(ypbind_t)
+corenet_tcp_sendrecv_all_ports(ypbind_t)
+corenet_udp_sendrecv_all_ports(ypbind_t)
+corenet_tcp_bind_generic_node(ypbind_t)
+corenet_udp_bind_generic_node(ypbind_t)
+corenet_tcp_bind_generic_port(ypbind_t)
+corenet_udp_bind_generic_port(ypbind_t)
+corenet_tcp_bind_reserved_port(ypbind_t)
+corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
+
+dev_read_sysfs(ypbind_t)
+
+fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
+
+domain_use_interactive_fds(ypbind_t)
+
+files_read_etc_files(ypbind_t)
+files_list_var(ypbind_t)
+
+logging_send_syslog_msg(ypbind_t)
+
+miscfiles_read_localization(ypbind_t)
+
+sysnet_read_config(ypbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ypbind_t)
+')
+
+optional_policy(`
+ udev_read_db(ypbind_t)
+')
+
+########################################
+#
+# yppasswdd local policy
+#
+
+allow yppasswdd_t self:capability dac_override;
+dontaudit yppasswdd_t self:capability sys_tty_config;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+allow yppasswdd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+
+manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+
+kernel_list_proc(yppasswdd_t)
+kernel_read_proc_symlinks(yppasswdd_t)
+kernel_getattr_proc_files(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
+
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
+corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+corenet_udp_sendrecv_generic_if(yppasswdd_t)
+corenet_tcp_sendrecv_generic_node(yppasswdd_t)
+corenet_udp_sendrecv_generic_node(yppasswdd_t)
+corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+corenet_udp_sendrecv_all_ports(yppasswdd_t)
+corenet_tcp_bind_generic_node(yppasswdd_t)
+corenet_udp_bind_generic_node(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+dev_read_sysfs(yppasswdd_t)
+
+fs_getattr_all_fs(yppasswdd_t)
+fs_search_auto_mountpoints(yppasswdd_t)
+
+selinux_get_fs_mount(yppasswdd_t)
+
+auth_manage_shadow(yppasswdd_t)
+auth_relabel_shadow(yppasswdd_t)
+auth_etc_filetrans_shadow(yppasswdd_t)
+
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
+logging_send_syslog_msg(yppasswdd_t)
+
+miscfiles_read_localization(yppasswdd_t)
+
+sysnet_read_config(yppasswdd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
+
+optional_policy(`
+ hostname_exec(yppasswdd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+')
+
+optional_policy(`
+ udev_read_db(yppasswdd_t)
+')
+
+########################################
+#
+# ypserv local policy
+#
+
+dontaudit ypserv_t self:capability sys_tty_config;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
+allow ypserv_t self:process signal_perms;
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+
+allow ypserv_t ypserv_conf_t:file read_file_perms;
+
+manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+
+manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
+files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+
+kernel_read_kernel_sysctls(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
+
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
+corenet_tcp_sendrecv_generic_if(ypserv_t)
+corenet_udp_sendrecv_generic_if(ypserv_t)
+corenet_tcp_sendrecv_generic_node(ypserv_t)
+corenet_udp_sendrecv_generic_node(ypserv_t)
+corenet_tcp_sendrecv_all_ports(ypserv_t)
+corenet_udp_sendrecv_all_ports(ypserv_t)
+corenet_tcp_bind_generic_node(ypserv_t)
+corenet_udp_bind_generic_node(ypserv_t)
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+
+dev_read_sysfs(ypserv_t)
+
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
+
+corecmd_exec_bin(ypserv_t)
+
+domain_use_interactive_fds(ypserv_t)
+
+files_read_var_files(ypserv_t)
+files_read_etc_files(ypserv_t)
+
+logging_send_syslog_msg(ypserv_t)
+
+miscfiles_read_localization(ypserv_t)
+
+nis_domtrans_ypxfr(ypserv_t)
+
+sysnet_read_config(ypserv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ypserv_t)
+')
+
+optional_policy(`
+ udev_read_db(ypserv_t)
+')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
+allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
+allow ypxfr_t ypserv_conf_t:file read_file_perms;
+
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
+corenet_tcp_sendrecv_generic_if(ypxfr_t)
+corenet_udp_sendrecv_generic_if(ypxfr_t)
+corenet_tcp_sendrecv_generic_node(ypxfr_t)
+corenet_udp_sendrecv_generic_node(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_tcp_bind_generic_node(ypxfr_t)
+corenet_udp_bind_generic_node(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
+logging_send_syslog_msg(ypxfr_t)
+
+miscfiles_read_localization(ypxfr_t)
+
+sysnet_read_config(ypxfr_t)
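Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` in the ypxfr local policy grants listen/accept on a datagram socket, which are meaningless for that class and widen the rule for nothing; every other domain in this file uses `create_socket_perms` for unix_dgram_socket (yppasswdd, ypserv), so the line should read `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`. The `# ypbind local policy` section header is also missing its closing `#` line, unlike the yppasswdd, ypserv and ypxfr headers below it. Both `ypbind_t` and `ypxfr_t` get `corenet_tcp_connect_all_ports`; that is presumably needed because RPC servers sit on dynamically assigned ports, and a short comment stating that (e.g. `# ypserv answers on portmapper-assigned ports`) would keep a later reviewer from narrowing it to the rpc port range and breaking binds.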
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
new file mode 100644
index 00000000..623b7312
--- /dev/null
+++ b/policy/modules/contrib/nscd.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
+
+/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
new file mode 100644
index 00000000..85188dc7
--- /dev/null
+++ b/policy/modules/contrib/nscd.if
@@ -0,0 +1,291 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+## Send generic signals to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send NSCD the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send signulls to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+ gen_require(`
+ type nscd_t, nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute nscd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1, nscd_exec_t)
+')
+
+########################################
+## <summary>
+## Use NSCD services by connecting using
+## a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_t:fd use;
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 nscd_t:unix_stream_socket connectto;
+ allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+## <summary>
+## Read NSCD pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_unconfined',`
+ gen_require(`
+ type nscd_t;
+ class nscd all_nscd_perms;
+ ')
+
+ allow $1 nscd_t:nscd *;
+')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+')
+
+########################################
+## <summary>
+## Execute the nscd server init script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nscd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nscd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
new file mode 100644
index 00000000..7936e09c
--- /dev/null
+++ b/policy/modules/contrib/nscd.te
@@ -0,0 +1,129 @@
+policy_module(nscd, 1.10.0)
+
+gen_require(`
+ class nscd all_nscd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+# nscd is both the client program and the daemon.
+type nscd_t;
+type nscd_exec_t;
+init_daemon_domain(nscd_t, nscd_exec_t)
+
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+allow nscd_t self:fifo_file read_fifo_file_perms;
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_log_t:file manage_file_perms;
+logging_log_filetrans(nscd_t, nscd_log_t, file)
+
+manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
+kernel_read_kernel_sysctls(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+auth_use_nsswitch(nscd_t)
+
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
+corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
+corenet_tcp_sendrecv_generic_node(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
+corenet_rw_tun_tap_dev(nscd_t)
+
+selinux_get_fs_mount(nscd_t)
+selinux_validate_context(nscd_t)
+selinux_compute_access_vector(nscd_t)
+selinux_compute_create_context(nscd_t)
+selinux_compute_relabel_context(nscd_t)
+selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+
+files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
+
+logging_send_audit_msgs(nscd_t)
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+seutil_read_config(nscd_t)
+seutil_read_default_contexts(nscd_t)
+seutil_sigchld_newrole(nscd_t)
+
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_user_terminals(nscd_t)
+userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
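Review bot: `corenet_rw_tun_tap_dev(nscd_t)` in the corenet group grants read/write on tun/tap devices, an unusual privilege for a name-service cache, and it is the one rule in that group with no visible tie to name lookups and no comment. If a specific backend or deployment needs it, a one-line comment above it naming that consumer would let later reviewers keep it deliberately; otherwise dropping it tightens the domain without affecting lookups. The neighbouring `corenet_tcp_connect_all_ports(nscd_t)` is likewise broader than the DNS/LDAP/NIS backends nscd proxies for; narrowing it to the backend ports would be a behaviour change and would need testing against real nsswitch configurations, so at minimum a comment stating why all ports are needed would help.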
diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc
new file mode 100644
index 00000000..53cc8004
--- /dev/null
+++ b/policy/modules/contrib/nsd.fc
@@ -0,0 +1,14 @@
+
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
new file mode 100644
index 00000000..a1371d53
--- /dev/null
+++ b/policy/modules/contrib/nsd.if
@@ -0,0 +1,29 @@
+## <summary>Authoritative only name server</summary>
+
+########################################
+## <summary>
+## Send and receive datagrams from NSD. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsd_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to NSD over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
new file mode 100644
index 00000000..4b15536c
--- /dev/null
+++ b/policy/modules/contrib/nsd.te
@@ -0,0 +1,180 @@
+policy_module(nsd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsd_t;
+type nsd_exec_t;
+init_daemon_domain(nsd_t, nsd_exec_t)
+
+# A type for configuration files of nsd
+type nsd_conf_t;
+files_type(nsd_conf_t)
+
+type nsd_crond_t;
+domain_type(nsd_crond_t)
+domain_entry_file(nsd_crond_t, nsd_exec_t)
+role system_r types nsd_crond_t;
+
+# a type for nsd.db
+type nsd_db_t;
+files_type(nsd_db_t)
+
+type nsd_var_run_t;
+files_pid_file(nsd_var_run_t)
+
+# A type for zone files
+type nsd_zone_t;
+files_type(nsd_zone_t)
+
+########################################
+#
+# NSD Local policy
+#
+
+allow nsd_t self:capability { dac_override chown setuid setgid };
+dontaudit nsd_t self:capability sys_tty_config;
+allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
+
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+
+allow nsd_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+
+manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+
+allow nsd_t nsd_zone_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+
+can_exec(nsd_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_t)
+kernel_read_kernel_sysctls(nsd_t)
+
+corecmd_exec_bin(nsd_t)
+
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
+corenet_tcp_sendrecv_generic_if(nsd_t)
+corenet_udp_sendrecv_generic_if(nsd_t)
+corenet_tcp_sendrecv_generic_node(nsd_t)
+corenet_udp_sendrecv_generic_node(nsd_t)
+corenet_tcp_sendrecv_all_ports(nsd_t)
+corenet_udp_sendrecv_all_ports(nsd_t)
+corenet_tcp_bind_generic_node(nsd_t)
+corenet_udp_bind_generic_node(nsd_t)
+corenet_tcp_bind_dns_port(nsd_t)
+corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+
+dev_read_sysfs(nsd_t)
+
+domain_use_interactive_fds(nsd_t)
+
+files_read_etc_files(nsd_t)
+files_read_etc_runtime_files(nsd_t)
+
+fs_getattr_all_fs(nsd_t)
+fs_search_auto_mountpoints(nsd_t)
+
+logging_send_syslog_msg(nsd_t)
+
+miscfiles_read_localization(nsd_t)
+
+sysnet_read_config(nsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
+
+optional_policy(`
+ nis_use_ypbind(nsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nsd_t)
+')
+
+optional_policy(`
+ udev_read_db(nsd_t)
+')
+
+########################################
+#
+# Zone update cron job local policy
+#
+
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+dontaudit nsd_crond_t self:capability sys_nice;
+allow nsd_crond_t self:process { setsched signal_perms };
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
+
+allow nsd_crond_t nsd_conf_t:file read_file_perms;
+
+allow nsd_crond_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
+
+manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
+filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+
+can_exec(nsd_crond_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_crond_t)
+
+corecmd_exec_bin(nsd_crond_t)
+corecmd_exec_shell(nsd_crond_t)
+
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
+corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
+corenet_tcp_sendrecv_generic_node(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
+corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
+
+# for SSP
+dev_read_urand(nsd_crond_t)
+
+domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+files_read_etc_files(nsd_crond_t)
+files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
+
+logging_send_syslog_msg(nsd_crond_t)
+
+miscfiles_read_localization(nsd_crond_t)
+
+sysnet_read_config(nsd_crond_t)
+
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+
+optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsd_crond_t)
+')
+
+optional_policy(`
+ nscd_read_pid(nsd_crond_t)
+')
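Review bot: `files_search_var_lib(nsd_t)` sits in the zone-update cron job section, between the `files_read_etc_*(nsd_crond_t)` rules, although it grants access to nsd_t; it belongs in the NSD local policy section next to `files_read_etc_runtime_files(nsd_t)`, where the /var/lib/nsd zone and db access it supports is declared. The same misplacement applies to `files_search_var_lib(nsd_crond_t)`, which is inserted between the nsd_db_t rules rather than with the other files_* rules for nsd_crond_t. Separately, `corenet_tcp_connect_all_ports(nsd_crond_t)` gives the zone-update job outbound access to every TCP port; if the job only performs zone transfers, `corenet_tcp_connect_dns_port(nsd_crond_t)` would be the least-privilege form, though that needs confirming against how the cron job is actually used.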
diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc
new file mode 100644
index 00000000..ce913b24
--- /dev/null
+++ b/policy/modules/contrib/nslcd.fc
@@ -0,0 +1,4 @@
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
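Review bot: The first entry `/etc/nss-ldapd.conf` leaves the dot before `conf` unescaped, while the `/etc/rc\.d/init\.d/nslcd` entry in the same hunk escapes its dots; as written the pattern also matches names such as `nss-ldapdXconf`. Write it as `/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)` for consistency and so the label is applied only to the literal file name.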
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
new file mode 100644
index 00000000..23c769cf
--- /dev/null
+++ b/policy/modules/contrib/nslcd.if
@@ -0,0 +1,114 @@
+## <summary>nslcd - local LDAP name service daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+## <summary>
+## Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nslcd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nslcd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t;
+ type nslcd_conf_t, nslcd_var_run_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process { ptrace signal_perms };
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+
+ manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+')
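Review bot: The comment `# Allow nslcd_t to restart the apache service` in nslcd_admin is a copy-paste leftover: the rules below it let the admin domain `$1`, not nslcd_t, run the nslcd init script, so it should read `# Allow the admin domain to run the nslcd init script`. The summary of nslcd_initrc_domtrans, `Execute nslcd server in the nslcd domain.`, describes nslcd_domtrans rather than the init script interface; compare nscd_initrc_domtrans above, whose summary is `Execute the nscd server init script.`. nslcd_admin also manages nslcd_var_run_t content without `files_search_pids($1)` or `files_list_pids($1)` and uses manage_*_pattern rather than the admin_pattern/files_list_pids pairing used by nscd_admin and ntp_admin in this same series, so an administrator may be unable to reach /var/run/nslcd unless some other rule grants the search.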
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
new file mode 100644
index 00000000..4e28d582
--- /dev/null
+++ b/policy/modules/contrib/nslcd.te
@@ -0,0 +1,45 @@
+policy_module(nslcd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+kernel_read_system_state(nslcd_t)
+
+files_read_etc_files(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc
new file mode 100644
index 00000000..18384324
--- /dev/null
+++ b/policy/modules/contrib/ntop.fc
@@ -0,0 +1,6 @@
+/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
+
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
new file mode 100644
index 00000000..4bf0a141
--- /dev/null
+++ b/policy/modules/contrib/ntop.if
@@ -0,0 +1 @@
+## <summary>Network Top</summary>
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
new file mode 100644
index 00000000..ded9fb67
--- /dev/null
+++ b/policy/modules/contrib/ntop.te
@@ -0,0 +1,114 @@
+policy_module(ntop, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntop_t;
+type ntop_exec_t;
+init_daemon_domain(ntop_t, ntop_exec_t)
+application_domain(ntop_t, ntop_exec_t)
+
+type ntop_initrc_exec_t;
+init_script_file(ntop_initrc_exec_t)
+
+type ntop_etc_t;
+files_config_file(ntop_etc_t)
+
+type ntop_tmp_t;
+files_tmp_file(ntop_tmp_t)
+
+type ntop_var_lib_t;
+files_type(ntop_var_lib_t)
+
+type ntop_var_run_t;
+files_pid_file(ntop_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+dontaudit ntop_t self:capability sys_tty_config;
+allow ntop_t self:process signal_perms;
+allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:tcp_socket create_stream_socket_perms;
+allow ntop_t self:udp_socket create_socket_perms;
+allow ntop_t self:unix_dgram_socket create_socket_perms;
+allow ntop_t self:unix_stream_socket create_stream_socket_perms;
+allow ntop_t self:packet_socket create_socket_perms;
+allow ntop_t self:socket create_socket_perms;
+
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+
+manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+
+manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
+files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+
+kernel_request_load_module(ntop_t)
+kernel_read_system_state(ntop_t)
+kernel_read_network_state(ntop_t)
+kernel_read_kernel_sysctls(ntop_t)
+kernel_list_proc(ntop_t)
+kernel_read_proc_symlinks(ntop_t)
+
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
+corenet_tcp_sendrecv_generic_if(ntop_t)
+corenet_udp_sendrecv_generic_if(ntop_t)
+corenet_raw_sendrecv_generic_if(ntop_t)
+corenet_tcp_sendrecv_generic_node(ntop_t)
+corenet_udp_sendrecv_generic_node(ntop_t)
+corenet_raw_sendrecv_generic_node(ntop_t)
+corenet_tcp_sendrecv_all_ports(ntop_t)
+corenet_udp_sendrecv_all_ports(ntop_t)
+corenet_tcp_bind_ntop_port(ntop_t)
+corenet_tcp_connect_ntop_port(ntop_t)
+corenet_tcp_connect_http_port(ntop_t)
+corenet_sendrecv_http_client_packets(ntop_t)
+corenet_sendrecv_ntop_client_packets(ntop_t)
+corenet_sendrecv_ntop_server_packets(ntop_t)
+
+dev_read_sysfs(ntop_t)
+dev_rw_generic_usb_dev(ntop_t)
+
+domain_use_interactive_fds(ntop_t)
+
+files_read_etc_files(ntop_t)
+files_read_usr_files(ntop_t)
+
+fs_getattr_all_fs(ntop_t)
+fs_search_auto_mountpoints(ntop_t)
+
+auth_use_nsswitch(ntop_t)
+
+logging_send_syslog_msg(ntop_t)
+
+miscfiles_read_localization(ntop_t)
+miscfiles_read_fonts(ntop_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
+
+optional_policy(`
+ apache_read_sys_content(ntop_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntop_t)
+')
+
+optional_policy(`
+ udev_read_db(ntop_t)
+')
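Review bot: `ntop_initrc_exec_t` is declared with `init_script_file()` but the ntop.fc hunk above labels nothing with it, so no file on disk can carry the type and the init-script transition it exists for is never reachable; ntop.if holds only the module summary, so no admin interface consumes it either. Either add an entry such as `/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)` to ntop.fc, as nslcd.fc and ntp.fc do for their daemons, or drop the declaration. Separately, the capability set `{ net_raw setgid setuid sys_admin net_admin }` includes sys_admin without a comment; net_raw and net_admin are expected for packet capture, but sys_admin is far broader and warrants a why-comment naming the operation that needs it.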
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
new file mode 100644
index 00000000..e79dccce
--- /dev/null
+++ b/policy/modules/contrib/ntp.fc
@@ -0,0 +1,22 @@
+
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
new file mode 100644
index 00000000..e80f8c06
--- /dev/null
+++ b/policy/modules/contrib/ntp.if
@@ -0,0 +1,165 @@
+## <summary>Network time protocol daemon</summary>
+
+########################################
+## <summary>
+## NTP stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_stub',`
+ gen_require(`
+ type ntpd_t;
+ ')
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans',`
+ gen_require(`
+ type ntpd_t, ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpd_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_domtrans_ntpdate',`
+ gen_require(`
+ type ntpd_t, ntpdate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
+')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write ntpd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_rw_shm',`
+ gen_require(`
+ type ntpd_t, ntpd_tmpfs_t;
+ ')
+
+ allow $1 ntpd_t:shm rw_shm_perms;
+ list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ntp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the ntp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+ type ntpd_key_t, ntpd_var_run_t;
+ type ntpd_initrc_exec_t;
+ ')
+
+ allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ntpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, ntpd_key_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ntpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_var_run_t)
+')
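Review bot: The summaries of ntp_domtrans_ntpdate and ntp_initrc_domtrans both repeat `Execute ntp server in the ntpd domain.`, which is the summary of ntp_domtrans; the first should read `Execute ntpdate in the ntpd domain.` and the second `Execute the ntp server init script.`, matching nscd_initrc_domtrans earlier in this series. ntp_run is tagged `<rolecap/>` while nscd_run, which has the same shape, is not; one of the two is inconsistent with the documentation convention and should be aligned, though nscd.if's hunk begins outside this view.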
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
new file mode 100644
index 00000000..c61adc8d
--- /dev/null
+++ b/policy/modules/contrib/ntp.te
@@ -0,0 +1,156 @@
+policy_module(ntp, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntp_drift_t;
+files_type(ntp_drift_t)
+
+type ntpd_t;
+type ntpd_exec_t;
+init_daemon_domain(ntpd_t, ntpd_exec_t)
+
+type ntpd_initrc_exec_t;
+init_script_file(ntpd_initrc_exec_t)
+
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_log_t;
+logging_log_file(ntpd_log_t)
+
+type ntpd_tmp_t;
+files_tmp_file(ntpd_tmp_t)
+
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
+type ntpd_var_run_t;
+files_pid_file(ntpd_var_run_t)
+
+type ntpdate_exec_t;
+init_system_domain(ntpd_t, ntpdate_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# sys_resource and setrlimit is for locking memory
+# ntpdate wants sys_nice
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:tcp_socket create_stream_socket_perms;
+allow ntpd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+
+can_exec(ntpd_t, ntpd_exec_t)
+
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
+allow ntpd_t ntpd_log_t:dir setattr;
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+
+# for some reason it creates a file in /tmp
+manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
+manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
+
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
+corenet_tcp_sendrecv_generic_if(ntpd_t)
+corenet_udp_sendrecv_generic_if(ntpd_t)
+corenet_tcp_sendrecv_generic_node(ntpd_t)
+corenet_udp_sendrecv_generic_node(ntpd_t)
+corenet_tcp_sendrecv_all_ports(ntpd_t)
+corenet_udp_sendrecv_all_ports(ntpd_t)
+corenet_tcp_bind_generic_node(ntpd_t)
+corenet_udp_bind_generic_node(ntpd_t)
+corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
+
+dev_read_sysfs(ntpd_t)
+# for SSP
+dev_read_urand(ntpd_t)
+
+fs_getattr_all_fs(ntpd_t)
+fs_search_auto_mountpoints(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
+auth_use_nsswitch(ntpd_t)
+
+corecmd_exec_bin(ntpd_t)
+corecmd_exec_shell(ntpd_t)
+
+domain_use_interactive_fds(ntpd_t)
+domain_dontaudit_list_all_domains_state(ntpd_t)
+
+files_read_etc_files(ntpd_t)
+files_read_etc_runtime_files(ntpd_t)
+files_read_usr_files(ntpd_t)
+files_list_var_lib(ntpd_t)
+
+init_exec_script_files(ntpd_t)
+
+logging_send_syslog_msg(ntpd_t)
+
+miscfiles_read_localization(ntpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
+
+optional_policy(`
+ # for cron jobs
+ cron_system_entry(ntpd_t, ntpdate_exec_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ntpd_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
+ firstboot_dontaudit_rw_stream_sockets(ntpd_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
+ logrotate_exec(ntpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ntpd_t)
+')
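Review bot: `sys_nice` appears both in the allow rule `allow ntpd_t self:capability { ... sys_nice sys_resource };` and in the following `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };`; since the permission is granted, the dontaudit entry for it is dead and should be dropped, leaving `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid };`. The preceding comment `# ntpdate wants sys_nice` already documents the allow. Note also that `init_system_domain(ntpd_t, ntpdate_exec_t)` runs ntpdate in the daemon's domain, so the one-shot client inherits the whole capability set including sys_time, ipc_owner and sys_chroot; that is the existing design, but a comment on that declaration saying so would stop readers assuming ntpdate is separately confined.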
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
new file mode 100644
index 00000000..0a929ef4
--- /dev/null
+++ b/policy/modules/contrib/nut.fc
@@ -0,0 +1,12 @@
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
new file mode 100644
index 00000000..56660c51
--- /dev/null
+++ b/policy/modules/contrib/nut.if
@@ -0,0 +1 @@
+## <summary>nut - Network UPS Tools </summary>
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
new file mode 100644
index 00000000..ff962dd0
--- /dev/null
+++ b/policy/modules/contrib/nut.te
@@ -0,0 +1,171 @@
+policy_module(nut, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type nut_conf_t;
+files_config_file(nut_conf_t)
+
+type nut_upsd_t;
+type nut_upsd_exec_t;
+init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+
+type nut_upsmon_t;
+type nut_upsmon_exec_t;
+init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+
+type nut_upsdrvctl_t;
+type nut_upsdrvctl_exec_t;
+init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+type nut_var_run_t;
+files_pid_file(nut_var_run_t)
+
+########################################
+#
+# Local policy for upsd
+#
+
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
+
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(nut_upsd_t)
+
+corenet_tcp_bind_ups_port(nut_upsd_t)
+corenet_tcp_bind_generic_port(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
+
+files_read_usr_files(nut_upsd_t)
+
+auth_use_nsswitch(nut_upsd_t)
+
+logging_send_syslog_msg(nut_upsd_t)
+
+miscfiles_read_localization(nut_upsd_t)
+
+########################################
+#
+# Local policy for upsmon
+#
+
+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
+kernel_read_system_state(nut_upsmon_t)
+
+corecmd_exec_bin(nut_upsmon_t)
+corecmd_exec_shell(nut_upsmon_t)
+
+corenet_tcp_connect_ups_port(nut_upsmon_t)
+corenet_tcp_connect_generic_port(nut_upsmon_t)
+
+# Creates /etc/killpower
+files_manage_etc_runtime_files(nut_upsmon_t)
+files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+files_search_usr(nut_upsmon_t)
+
+# /usr/bin/wall
+term_write_all_terms(nut_upsmon_t)
+
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
+logging_send_syslog_msg(nut_upsmon_t)
+
+auth_use_nsswitch(nut_upsmon_t)
+
+miscfiles_read_localization(nut_upsmon_t)
+
+mta_send_mail(nut_upsmon_t)
+
+optional_policy(`
+ shutdown_domtrans(nut_upsmon_t)
+')
+
+########################################
+#
+# Local policy for upsdrvctl
+#
+
+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
+allow nut_upsdrvctl_t self:process { sigchld signal signull };
+allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+
+# /sbin/upsdrvctl executes other drivers
+corecmd_exec_bin(nut_upsdrvctl_t)
+
+dev_read_urand(nut_upsdrvctl_t)
+dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+term_use_unallocated_ttys(nut_upsdrvctl_t)
+
+auth_use_nsswitch(nut_upsdrvctl_t)
+
+init_sigchld(nut_upsdrvctl_t)
+
+logging_send_syslog_msg(nut_upsdrvctl_t)
+
+miscfiles_read_localization(nut_upsdrvctl_t)
+
+#######################################
+#
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
+#
+
+optional_policy(`
+ apache_content_template(nutups_cgi)
+
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+')
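Review bot: `mta_send_mail(nut_upsmon_t)` is called unconditionally, while the neighbouring `shutdown_domtrans(nut_upsmon_t)` is wrapped in optional_policy; if the mta module is optional in this tree (it is a contrib module like nut), the policy fails to build when mta is not loaded. Wrapping it as `optional_policy(` / `mta_send_mail(nut_upsmon_t)` / `')` matches the treatment of the other contrib interfaces in this file. The `# pid file` comments above the upsd and upsdrvctl var_run blocks undersell them, since both also manage sock files and directories there; `# pid file, control socket and run directory` would describe the rules that follow.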
diff --git a/policy/modules/contrib/nx.fc b/policy/modules/contrib/nx.fc
new file mode 100644
index 00000000..c4d2dca8
--- /dev/null
+++ b/policy/modules/contrib/nx.fc
@@ -0,0 +1,12 @@
+/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
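Review bot: The last entry writes the `.ssh` component with an unescaped dot, `/var/lib/nxserver/home/.ssh(/.*)?`, while the two earlier `.ssh` entries in this file escape it as `\.ssh`. A bare `.` in a file-context regex matches any character, so for consistency and precision the line should read `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`.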
diff --git a/policy/modules/contrib/nx.if b/policy/modules/contrib/nx.if
new file mode 100644
index 00000000..79a225ca
--- /dev/null
+++ b/policy/modules/contrib/nx.if
@@ -0,0 +1,85 @@
+## <summary>NX remote desktop</summary>
+
+########################################
+## <summary>
+## Transition to NX server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nx_spec_domtrans_server',`
+ gen_require(`
+ type nx_server_t, nx_server_exec_t;
+ ')
+
+ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
+')
+
+########################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+## Read nx /var/lib content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
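Review bot: The summary of `nx_search_var_lib` says "Read nx /var/lib content" but the body only grants `search_dir_perms` on the directory; the summary should say `## Search the nx /var/lib directory.` so callers do not assume file read access. Relatedly, `nx_read_home_files` reads `nx_server_home_ssh_t`, which nx.fc applies to the nx account's `.ssh` directories, so its summary would be more accurate as `## Read the nx user's SSH configuration and key files.`, making it clear to callers that they are receiving access to key material.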
diff --git a/policy/modules/contrib/nx.te b/policy/modules/contrib/nx.te
new file mode 100644
index 00000000..58e2972f
--- /dev/null
+++ b/policy/modules/contrib/nx.te
@@ -0,0 +1,98 @@
+policy_module(nx, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type nx_server_t;
+type nx_server_exec_t;
+domain_type(nx_server_t)
+domain_entry_file(nx_server_t, nx_server_exec_t)
+domain_user_exemption_target(nx_server_t)
+# we need an extra role because nxserver is called from sshd
+# cjp: do we really need this?
+role nx_server_r;
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+
+type nx_server_devpts_t;
+term_user_pty(nx_server_t, nx_server_devpts_t)
+
+type nx_server_tmp_t;
+files_tmp_file(nx_server_tmp_t)
+
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
+type nx_server_var_run_t;
+files_pid_file(nx_server_var_run_t)
+
+########################################
+#
+# NX server local policy
+#
+
+allow nx_server_t self:fifo_file rw_fifo_file_perms;
+allow nx_server_t self:tcp_socket create_socket_perms;
+allow nx_server_t self:udp_socket create_socket_perms;
+
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(nx_server_t, nx_server_devpts_t)
+
+manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
+manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
+files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+
+kernel_read_system_state(nx_server_t)
+kernel_read_kernel_sysctls(nx_server_t)
+
+# nxserver is a shell script --> call other programs
+corecmd_exec_shell(nx_server_t)
+corecmd_exec_bin(nx_server_t)
+
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
+corenet_tcp_sendrecv_generic_if(nx_server_t)
+corenet_udp_sendrecv_generic_if(nx_server_t)
+corenet_tcp_sendrecv_generic_node(nx_server_t)
+corenet_udp_sendrecv_generic_node(nx_server_t)
+corenet_tcp_sendrecv_all_ports(nx_server_t)
+corenet_udp_sendrecv_all_ports(nx_server_t)
+corenet_tcp_connect_all_ports(nx_server_t)
+corenet_sendrecv_all_client_packets(nx_server_t)
+
+dev_read_urand(nx_server_t)
+
+files_read_etc_files(nx_server_t)
+files_read_etc_runtime_files(nx_server_t)
+# for reading the config files; maybe a separate type,
+# but users need to be able to also read the config
+files_read_usr_files(nx_server_t)
+
+miscfiles_read_localization(nx_server_t)
+
+seutil_dontaudit_search_config(nx_server_t)
+
+sysnet_read_config(nx_server_t)
+
+ifdef(`TODO',`
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+')
+
+########################################
+#
+# SSH component local policy
+#
+
+ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
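Review bot: The `ifdef(`TODO',` block at the end of the NX server section is dead policy: `TODO` is not defined anywhere in this module, and its two rules reference `xdm_tmp_t` and `user_tmpfile` without a `gen_require`, so the block would not build if it were ever enabled. Either delete it or keep the intent as a plain comment. Separately, `corenet_tcp_connect_all_ports(nx_server_t)` is broader than anything else in the module; if the ports nxserver actually connects to are known, the matching port-specific `corenet_tcp_connect_*_port` interface would keep the domain closer to least privilege. The `# cjp: do we really need this?` note on the extra role should be resolved or turned into a statement of why `nx_server_r` exists.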
diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc
new file mode 100644
index 00000000..0a664745
--- /dev/null
+++ b/policy/modules/contrib/oav.fc
@@ -0,0 +1,9 @@
+/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
+/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+
+/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
+/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
diff --git a/policy/modules/contrib/oav.if b/policy/modules/contrib/oav.if
new file mode 100644
index 00000000..7f0d6444
--- /dev/null
+++ b/policy/modules/contrib/oav.if
@@ -0,0 +1,46 @@
+## <summary>Open AntiVirus scannerdaemon and signature update</summary>
+
+########################################
+## <summary>
+## Execute oav_update in the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oav_domtrans_update',`
+ gen_require(`
+ type oav_update_t, oav_update_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, oav_update_exec_t, oav_update_t)
+')
+
+########################################
+## <summary>
+## Execute oav_update in the oav_update domain, and
+## allow the specified role the oav_update domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oav_run_update',`
+ gen_require(`
+ type oav_update_t;
+ ')
+
+ oav_domtrans_update($1)
+ role $2 types oav_update_t;
+')
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
new file mode 100644
index 00000000..b4c5f863
--- /dev/null
+++ b/policy/modules/contrib/oav.te
@@ -0,0 +1,146 @@
+policy_module(oav, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type oav_update_t;
+type oav_update_exec_t;
+application_domain(oav_update_t, oav_update_exec_t)
+
+# cjp: may be collapsable to etc_t
+type oav_update_etc_t;
+files_config_file(oav_update_etc_t)
+
+type oav_update_var_lib_t;
+files_type(oav_update_var_lib_t)
+
+type scannerdaemon_t;
+type scannerdaemon_exec_t;
+init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
+
+type scannerdaemon_etc_t;
+files_config_file(scannerdaemon_etc_t)
+
+type scannerdaemon_log_t;
+logging_log_file(scannerdaemon_log_t)
+
+type scannerdaemon_var_run_t;
+files_pid_file(scannerdaemon_var_run_t)
+
+########################################
+#
+# OAV update local policy
+#
+
+allow oav_update_t self:tcp_socket create_stream_socket_perms;
+allow oav_update_t self:udp_socket create_socket_perms;
+
+# Can read /etc/oav-update/* files
+allow oav_update_t oav_update_etc_t:dir list_dir_perms;
+allow oav_update_t oav_update_etc_t:file read_file_perms;
+
+# Can read /var/lib/oav-update/current
+manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+
+corecmd_exec_all_executables(oav_update_t)
+
+corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_all_recvfrom_netlabel(oav_update_t)
+corenet_tcp_sendrecv_generic_if(oav_update_t)
+corenet_udp_sendrecv_generic_if(oav_update_t)
+corenet_tcp_sendrecv_generic_node(oav_update_t)
+corenet_udp_sendrecv_generic_node(oav_update_t)
+corenet_tcp_sendrecv_all_ports(oav_update_t)
+corenet_udp_sendrecv_all_ports(oav_update_t)
+
+files_exec_etc_files(oav_update_t)
+
+libs_exec_ld_so(oav_update_t)
+libs_exec_lib_files(oav_update_t)
+
+logging_send_syslog_msg(oav_update_t)
+
+sysnet_read_config(oav_update_t)
+
+userdom_use_user_terminals(oav_update_t)
+
+optional_policy(`
+ cron_system_entry(oav_update_t, oav_update_exec_t)
+')
+
+########################################
+#
+# Scannerdaemon local policy
+#
+
+dontaudit scannerdaemon_t self:capability sys_tty_config;
+allow scannerdaemon_t self:process signal_perms;
+allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
+allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
+allow scannerdaemon_t self:udp_socket create_socket_perms;
+
+allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
+files_search_var_lib(scannerdaemon_t)
+
+allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
+
+allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
+logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
+
+manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t)
+files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file)
+
+kernel_read_system_state(scannerdaemon_t)
+kernel_read_kernel_sysctls(scannerdaemon_t)
+
+# Can run kaffe
+corecmd_exec_all_executables(scannerdaemon_t)
+
+corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_all_recvfrom_netlabel(scannerdaemon_t)
+corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
+corenet_udp_sendrecv_generic_if(scannerdaemon_t)
+corenet_tcp_sendrecv_generic_node(scannerdaemon_t)
+corenet_udp_sendrecv_generic_node(scannerdaemon_t)
+corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
+corenet_udp_sendrecv_all_ports(scannerdaemon_t)
+
+dev_read_sysfs(scannerdaemon_t)
+
+domain_use_interactive_fds(scannerdaemon_t)
+
+files_read_etc_files(scannerdaemon_t)
+files_read_etc_runtime_files(scannerdaemon_t)
+# Can run kaffe
+files_exec_etc_files(scannerdaemon_t)
+
+fs_getattr_all_fs(scannerdaemon_t)
+fs_search_auto_mountpoints(scannerdaemon_t)
+
+auth_dontaudit_read_shadow(scannerdaemon_t)
+
+# Can run kaffe
+libs_exec_ld_so(scannerdaemon_t)
+libs_exec_lib_files(scannerdaemon_t)
+
+logging_send_syslog_msg(scannerdaemon_t)
+
+miscfiles_read_localization(scannerdaemon_t)
+
+sysnet_read_config(scannerdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(scannerdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(scannerdaemon_t)
+')
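Review bot: The comment `# Can read /var/lib/oav-update/current` above the `oav_update_var_lib_t` rules understates them: the three pattern calls grant manage on directories and files plus symlink reads, so the comment should read `# Manage signature files under /var/lib/oav-update` or the rules should be narrowed to what the updater needs. Also, `corecmd_exec_all_executables` together with `files_exec_etc_files` and `libs_exec_lib_files` for both `oav_update_t` and `scannerdaemon_t` allows execution of essentially any executable on the system; the `# Can run kaffe` comments suggest only the Java runtime is needed, and `corecmd_exec_bin` would express that with less exposure if it suffices.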
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
new file mode 100644
index 00000000..734253ee
--- /dev/null
+++ b/policy/modules/contrib/oddjob.fc
@@ -0,0 +1,7 @@
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
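Review bot: `/var/run/oddjobd\.pid` is the only entry in this file without the `--` regular-file specifier; for consistency with the other three lines it should be `/var/run/oddjobd\.pid -- gen_context(system_u:object_r:oddjob_var_run_t,s0)`. Without the specifier the pattern also matches a directory or socket of that name, which is harmless here but differs from the convention used elsewhere in this commit.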
diff --git a/policy/modules/contrib/oddjob.if b/policy/modules/contrib/oddjob.if
new file mode 100644
index 00000000..bd76ec26
--- /dev/null
+++ b/policy/modules/contrib/oddjob.if
@@ -0,0 +1,111 @@
+## <summary>
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+## </summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+ gen_require(`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+')
+
+########################################
+## <summary>
+## Make the specified program domain accessable
+## from the oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ domtrans_pattern(oddjob_t, $2, $1)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## oddjob over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+ gen_require(`
+ type oddjob_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+ domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+')
+
+########################################
+## <summary>
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+')
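Review bot: `oddjob_domtrans` and `oddjob_domtrans_mkhomedir` grant the transition but not search on the executables' parent directories, while the sibling interfaces in this commit (`oav_domtrans_update`, `openct_domtrans`) pair `domtrans_pattern` with `corecmd_search_bin($1)`; since oddjob.fc places `mkhomedir_helper` under `/sbin` and `oddjobd` under `/usr/sbin`, adding `corecmd_search_bin($1)` before each `domtrans_pattern` keeps the interfaces self-sufficient. Also, "accessable" in the `oddjob_system_entry` summary should be "accessible".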
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
new file mode 100644
index 00000000..f0535b91
--- /dev/null
+++ b/policy/modules/contrib/oddjob.te
@@ -0,0 +1,106 @@
+policy_module(oddjob, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
+domain_subj_id_change_exemption(oddjob_t)
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# oddjob local policy
+#
+
+allow oddjob_t self:capability setgid;
+allow oddjob_t self:process { setexec signal };
+allow oddjob_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
+
+kernel_read_system_state(oddjob_t)
+
+corecmd_exec_bin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+mcs_process_set_categories(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+files_read_etc_files(oddjob_t)
+
+miscfiles_read_localization(oddjob_t)
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+optional_policy(`
+ dbus_system_bus_client(oddjob_t)
+ dbus_connect_system_bus(oddjob_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(oddjob_t)
+')
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
+allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+files_read_etc_files(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
+miscfiles_read_localization(oddjob_mkhomedir_t)
+
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+
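Review bot: The `optional_policy` block calling `unconfined_domtrans(oddjob_t)` carries no comment, yet it is the most consequential rule in the module: together with `domain_obj_id_change_exemption`, `domain_role_change_exemption` and `domain_subj_id_change_exemption` it lets a job launched by `oddjob_t` run unconfined, so the reader should be told why, e.g. `# jobs without a dedicated domain run unconfined; confined helpers use oddjob_system_entry`. `domain_type(oddjob_t)` and `domain_type(oddjob_mkhomedir_t)` look redundant next to `init_daemon_domain` and `init_system_domain`, which I believe already make the type a domain, though I have not verified those interfaces here. The file also ends with a trailing blank line.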
diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc
new file mode 100644
index 00000000..5840ea87
--- /dev/null
+++ b/policy/modules/contrib/oident.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
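Review bot: `HOME_DIR/\.oidentd.conf` escapes the first dot but not the second, whereas `/etc/oidentd\.conf` two lines later escapes both; the entry should be `HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)`. A bare `.` matches any character, so the current pattern also labels names such as `.oidentdXconf`, and the `--` specifier the other lines use is missing here as well.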
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
new file mode 100644
index 00000000..bb4fae51
--- /dev/null
+++ b/policy/modules/contrib/oident.if
@@ -0,0 +1,68 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_read_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to create, read, write, and delete
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_manage_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oident_relabel_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ allow $1 oidentd_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
new file mode 100644
index 00000000..8845174e
--- /dev/null
+++ b/policy/modules/contrib/oident.te
@@ -0,0 +1,75 @@
+policy_module(oident, 2.2.0)
+
+########################################
+#
+# Oident daemon private declarations
+#
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_home_t;
+typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t };
+typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t };
+userdom_user_home_content(oidentd_home_t)
+
+type oidentd_initrc_exec_t;
+init_script_file(oidentd_initrc_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# Oident daemon private policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_generic_if(oidentd_t)
+corenet_tcp_sendrecv_generic_node(oidentd_t)
+corenet_tcp_bind_generic_node(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+corenet_sendrecv_auth_server_packets(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+# oidentd requests the tcp_diag kernel module, otherwise
+# it will be stuck using the slow /proc/net/tcp interface
+kernel_request_load_module(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+oident_read_user_content(oidentd_t)
+
+optional_policy(`
+ nis_use_ypbind(oidentd_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+ fs_list_cifs(oidentd_t)
+ fs_read_cifs_files(oidentd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+ fs_list_nfs(oidentd_t)
+ fs_read_nfs_files(oidentd_t)
+')
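Review bot: The self socket rules at the top of the policy section spell out raw permission sets (`{ setopt read bind create accept write getattr listen }`, `{ write read create connect getattr ioctl }`) where every other module in this commit uses the reference permission macros; `allow oidentd_t self:tcp_socket create_stream_socket_perms;` and `allow oidentd_t self:udp_socket create_socket_perms;` would express the same intent and track future macro updates, at the cost of a slightly larger grant. If the narrower hand-written sets are deliberate, a comment saying so would stop the next reviewer from "fixing" them.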
diff --git a/policy/modules/contrib/openca.fc b/policy/modules/contrib/openca.fc
new file mode 100644
index 00000000..72a2db6d
--- /dev/null
+++ b/policy/modules/contrib/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/policy/modules/contrib/openca.if b/policy/modules/contrib/openca.if
new file mode 100644
index 00000000..a8c1eefa
--- /dev/null
+++ b/policy/modules/contrib/openca.if
@@ -0,0 +1,76 @@
+## <summary>OpenCA - Open Certificate Authority</summary>
+
+########################################
+## <summary>
+## Execute the OpenCA program with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openca_domtrans',`
+ gen_require(`
+ type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+ ')
+
+ domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
+ allow $1 openca_usr_share_t:dir search_dir_perms;
+ files_search_usr($1)
+')
+
+########################################
+## <summary>
+## Send OpenCA generic signals.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_signal',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process signal;
+')
+
+########################################
+## <summary>
+## Send OpenCA stop signals.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_sigstop',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Kill OpenCA.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openca_kill',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigkill;
+')
diff --git a/policy/modules/contrib/openca.te b/policy/modules/contrib/openca.te
new file mode 100644
index 00000000..2df8170d
--- /dev/null
+++ b/policy/modules/contrib/openca.te
@@ -0,0 +1,82 @@
+policy_module(openca, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t, openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_config_file(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
+
+# Allow access to other /var/lib/openca files
+manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
+
+# Allow access to private CA key
+manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
+
+# Allow access to other /usr/share/openca files
+read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
+read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
+allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)
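Review bot: `apache_append_log(openca_ca_t)` and `apache_rw_cache_files(openca_ca_t)` at the end of the policy are called unconditionally, while the other contrib modules in this commit wrap cross-module interfaces in `optional_policy(`...')` (nut.te does so for its apache block); without the wrapper this module cannot be built when the apache module is absent. The comment `# /usr/share/openca/crypto/keys` above `openca_usr_share_t` is a copy of the one above `openca_var_lib_keys_t`; openca.fc maps that type to `/usr/share/openca(/.*)?`, so it should read `# /usr/share/openca`. Also, the CGI domain is granted manage on `openca_var_lib_keys_t`, i.e. create, write and delete on the private CA key; if the web scripts only sign with the key, read-only access would limit what a compromised script can do to it.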
diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc
new file mode 100644
index 00000000..58c8816c
--- /dev/null
+++ b/policy/modules/contrib/openct.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+#
+# /var
+#
+/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
new file mode 100644
index 00000000..9d0a67bf
--- /dev/null
+++ b/policy/modules/contrib/openct.if
@@ -0,0 +1,95 @@
+## <summary>Service for handling smart card readers.</summary>
+
+########################################
+## <summary>
+## Send openct a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_signull',`
+ gen_require(`
+ type openct_t;
+ ')
+
+ allow $1 openct_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute openct in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_exec',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, openct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run openct.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openct_domtrans',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openct_exec_t, openct_t)
+')
+
+########################################
+## <summary>
+## Read openct PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_read_pid_files',`
+ gen_require(`
+ type openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, openct_var_run_t, openct_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to openct over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_stream_connect',`
+ gen_require(`
+ type openct_t, openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
+')
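Review bot: `openct_exec` requires `type openct_t, openct_exec_t;` but its body only uses `openct_exec_t`; the unused `openct_t` makes the interface depend on a type it does not need and should be dropped, leaving `type openct_exec_t;`. The other four interfaces in this file require exactly what they use.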
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
new file mode 100644
index 00000000..7f8fdc2c
--- /dev/null
+++ b/policy/modules/contrib/openct.te
@@ -0,0 +1,61 @@
+policy_module(openct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t, openct_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+
+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+# openct asks for this
+dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
+
+domain_use_interactive_fds(openct_t)
+
+# openct asks for this
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
+
+openct_exec(openct_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`
+ udev_read_db(openct_t)
+')
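Review bot: `openct_exec(openct_t)` near the end of the local policy calls the module's own interface from its own .te file, which refpolicy style avoids; the rule it expands to is a single `can_exec(openct_t, openct_exec_t)` and should be written directly so the daemon's self-execution is visible in the .te without an extra macro layer. The two `# openct asks for this` comments on `dev_rw_usbfs(openct_t)` and `files_read_etc_files(openct_t)` record that a denial was seen but not what operation needs the access; either say which (e.g. reader enumeration over usbfs) or drop the comments, since a bare "asks for this" gives a future reviewer no basis to decide whether the rule is still required.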
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
new file mode 100644
index 00000000..1c1086e6
--- /dev/null
+++ b/policy/modules/contrib/openvpn.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+#
+# /var
+#
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
new file mode 100644
index 00000000..d8832142
--- /dev/null
+++ b/policy/modules/contrib/openvpn.if
@@ -0,0 +1,163 @@
+## <summary>full-featured SSL VPN solution</summary>
+
+########################################
+## <summary>
+## Execute OPENVPN clients in the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+ gen_require(`
+ type openvpn_t, openvpn_exec_t;
+ ')
+
+ domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+## Execute OPENVPN clients in the openvpn domain, and
+## allow the specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ openvpn_domtrans($1)
+ role $2 types openvpn_t;
+')
+
+########################################
+## <summary>
+## Send OPENVPN clients the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to OPENVPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signal',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signal;
+')
+
+########################################
+## <summary>
+## Send signulls to OPENVPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## OpenVPN configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_read_config',`
+ gen_require(`
+ type openvpn_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+ read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an openvpn environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the openvpn domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_admin',`
+ gen_require(`
+ type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+ type openvpn_var_run_t, openvpn_initrc_exec_t;
+ ')
+
+ allow $1 openvpn_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvpn_t)
+
+ init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 openvpn_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, openvpn_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, openvpn_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, openvpn_var_run_t)
+')
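Review bot: `openvpn_domtrans` grants only `domtrans_pattern($1, openvpn_exec_t, openvpn_t)` and omits the `corecmd_search_bin($1)` that the sibling `openct_domtrans` interface carries; the entry point is `/usr/sbin/openvpn` (openvpn.fc), so a caller that lacks search on the bin directory cannot reach the executable and the transition silently fails. Adding `corecmd_search_bin($1)` before the `domtrans_pattern` line makes the interface self-sufficient and also covers `openvpn_run`, which builds on it. `openvpn_read_config` carries `<rolecap/>` although it takes no role parameter; if that is intentional (offered as a role capability) a one-line comment saying so would stop it being "fixed" later.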
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
new file mode 100644
index 00000000..66a52ee0
--- /dev/null
+++ b/policy/modules/contrib/openvpn.te
@@ -0,0 +1,140 @@
+policy_module(openvpn, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow openvpn to read home directories
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs, false)
+
+# main openvpn domain
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+
+# configuration files
+type openvpn_etc_t;
+files_config_file(openvpn_etc_t)
+
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
+
+# log files
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+# pid files
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# openvpn local policy
+#
+
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
+
+allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvpn_t self:udp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket create;
+allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+can_exec(openvpn_t, openvpn_etc_t)
+read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
+allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(openvpn_t)
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
+corenet_tcp_sendrecv_generic_if(openvpn_t)
+corenet_udp_sendrecv_generic_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_sendrecv_all_ports(openvpn_t)
+corenet_udp_sendrecv_all_ports(openvpn_t)
+corenet_tcp_bind_generic_node(openvpn_t)
+corenet_udp_bind_generic_node(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
+
+dev_search_sysfs(openvpn_t)
+dev_read_rand(openvpn_t)
+dev_read_urand(openvpn_t)
+
+files_read_etc_files(openvpn_t)
+files_read_etc_runtime_files(openvpn_t)
+
+auth_use_pam(openvpn_t)
+
+logging_send_syslog_msg(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
+
+sysnet_dns_name_resolve(openvpn_t)
+sysnet_exec_ifconfig(openvpn_t)
+sysnet_manage_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
+
+userdom_use_user_terminals(openvpn_t)
+
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_user_home_content_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(openvpn_t)
+ fs_read_nfs_symlinks(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+ fs_read_cifs_symlinks(openvpn_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
+ networkmanager_dbus_chat(openvpn_t)
+')
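Review bot: The capability set on `allow openvpn_t self:capability { dac_read_search dac_override ... sys_tty_config }` grants both `dac_read_search` and `dac_override`; `dac_override` already covers every check `dac_read_search` passes, so if the intent is only to read root-owned keys after the `setuid`/`setgid` drop, `dac_read_search` alone is the least-privilege choice and `dac_override` should go, otherwise `dac_read_search` is dead weight. `sys_tty_config` is allowed here while the openct module in the same series dontaudits it (`dontaudit openct_t self:capability sys_tty_config;`); unless openvpn genuinely configures ttys, the dontaudit form is the usual treatment. The `can_exec(openvpn_t, openvpn_etc_t)` line deserves a why-comment, since executable configuration is unusual: `# up/down scripts live under /etc/openvpn; files openvpn creates there get openvpn_etc_rw_t, which is never executable`, which documents the write/exec split the `filetrans_pattern` on `openvpn_etc_rw_t` provides.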
diff --git a/policy/modules/contrib/pads.fc b/policy/modules/contrib/pads.fc
new file mode 100644
index 00000000..0870c560
--- /dev/null
+++ b/policy/modules/contrib/pads.fc
@@ -0,0 +1,10 @@
+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
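Review bot: Every `gen_context` call in this file is written as `gen_context(system_u:object_r:pads_config_t, s0)` with a space before `s0`, while the other .fc files in the series (openvpn.fc, pan.fc, pcmcia.fc) use the `gen_context(...,s0)` form with no space; the m4 macro tolerates both, but the file should follow the established convention so mechanical checks and diffs stay uniform. The same applies to the `pads_initrc_exec_t`, `pads_exec_t` and `pads_var_run_t` entries.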
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
new file mode 100644
index 00000000..8ac407e5
--- /dev/null
+++ b/policy/modules/contrib/pads.if
@@ -0,0 +1,44 @@
+## <summary>Passive Asset Detection System</summary>
+## <desc>
+## <p>
+## PADS is a libpcap based detection engine used to
+## passively detect network assets. It is designed to
+## complement IDS technology by providing context to IDS
+## alerts.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pads environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pads_admin', `
+ gen_require(`
+ type pads_t, pads_config_t;
+ type pads_var_run_t, pads_initrc_exec_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pads_t)
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, pads_var_run_t)
+ admin_pattern($1, pads_config_t)
+')
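Review bot: `pads_admin` applies `admin_pattern($1, pads_var_run_t)` and `admin_pattern($1, pads_config_t)` without the parent-directory listing that the sibling `openvpn_admin` pairs with each pattern (`files_list_pids($1)` and `files_list_etc($1)`); the config files sit directly in /etc and the pid file in /var/run (pads.fc), so an admin domain without those list permissions may be unable to enumerate what it is allowed to manage. The summary text `an pads environment` should read `a pads environment`, and `interface(`pads_admin', `` carries a stray space before the opening quote that the other interfaces in this series do not.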
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
new file mode 100644
index 00000000..b246bdd5
--- /dev/null
+++ b/policy/modules/contrib/pads.te
@@ -0,0 +1,63 @@
+policy_module(pads, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+kernel_read_sysctl(pads_t)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
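Review bot: The second section header in this file repeats `# Declarations` where the rules that follow are the local policy; it should read `# Local policy` as in openct.te and pcmcia.te, otherwise a reader scanning for the rule section finds two declaration blocks. `role system_r types pads_t;` after `init_daemon_domain(pads_t, pads_exec_t)` appears redundant, since the refpolicy `init_daemon_domain` interface already associates the daemon type with `system_r`; if there is a reason to restate it, a comment should say so, otherwise drop the line. The `packet_socket` and `net_raw` grants are what a libpcap sniffer needs, but a short comment such as `# libpcap capture` next to `allow pads_t self:capability { dac_override net_raw };` would record why a detection engine holds raw-socket rights.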
diff --git a/policy/modules/contrib/pan.fc b/policy/modules/contrib/pan.fc
new file mode 100644
index 00000000..c2abdfd6
--- /dev/null
+++ b/policy/modules/contrib/pan.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.pan2(/.*)? gen_context(system_u:object_r:pan_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/pan -- gen_context(system_u:object_r:pan_exec_t,s0)
diff --git a/policy/modules/contrib/pan.if b/policy/modules/contrib/pan.if
new file mode 100644
index 00000000..e6c8abdc
--- /dev/null
+++ b/policy/modules/contrib/pan.if
@@ -0,0 +1,38 @@
+## <summary>Pan news reader client</summary>
+
+########################################
+## <summary>
+## Role access for pan
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pan_role',`
+ gen_require(`
+ type pan_t, pan_exec_t, pan_home_t;
+ ')
+ role $1 types pan_t;
+
+ allow $2 pan_t:process signal_perms;
+
+ domtrans_pattern($2, pan_exec_t, pan_t)
+
+ ps_process_pattern($2, pan_t)
+
+ manage_dirs_pattern($2, pan_home_t, pan_home_t)
+ manage_files_pattern($2, pan_home_t, pan_home_t)
+ manage_lnk_files_pattern($2, pan_home_t, pan_home_t)
+
+ relabel_dirs_pattern($2, pan_home_t, pan_home_t)
+ relabel_files_pattern($2, pan_home_t, pan_home_t)
+ relabel_lnk_files_pattern($2, pan_home_t, pan_home_t)
+')
+
diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te
new file mode 100644
index 00000000..8f738a0c
--- /dev/null
+++ b/policy/modules/contrib/pan.te
@@ -0,0 +1,116 @@
+policy_module(pan, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support sending and downloading
+## attachments). Without this boolean set, only files marked as pan_home_t
+## can be used for sending and receiving.
+## </p>
+## </desc>
+gen_tunable(pan_manage_user_content, false)
+
+
+type pan_t;
+type pan_exec_t;
+application_domain(pan_t, pan_exec_t)
+ubac_constrained(pan_t)
+
+type pan_home_t;
+userdom_user_home_content(pan_home_t)
+
+type pan_tmpfs_t;
+files_tmpfs_file(pan_tmpfs_t)
+ubac_constrained(pan_tmpfs_t)
+
+########################################
+#
+# Pan local policy
+#
+allow pan_t self:process { getsched signal };
+allow pan_t self:fifo_file rw_fifo_file_perms;
+allow pan_t pan_tmpfs_t:file { read write };
+
+# Allow pan to work with its ~/.pan2 location
+manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
+manage_files_pattern(pan_t, pan_home_t, pan_home_t)
+manage_lnk_files_pattern(pan_t, pan_home_t, pan_home_t)
+
+# Support for shared memory
+fs_tmpfs_filetrans(pan_t, pan_tmpfs_t, file)
+
+kernel_dontaudit_read_system_state(pan_t)
+
+corenet_all_recvfrom_netlabel(pan_t)
+corenet_all_recvfrom_unlabeled(pan_t)
+corenet_sendrecv_innd_client_packets(pan_t)
+corenet_tcp_connect_innd_port(pan_t)
+corenet_tcp_sendrecv_generic_if(pan_t)
+corenet_tcp_sendrecv_generic_node(pan_t)
+corenet_tcp_sendrecv_innd_port(pan_t)
+
+domain_dontaudit_use_interactive_fds(pan_t)
+
+files_read_etc_files(pan_t)
+files_read_usr_files(pan_t)
+
+miscfiles_read_localization(pan_t)
+
+sysnet_dns_name_resolve(pan_t)
+
+userdom_dontaudit_use_user_ttys(pan_t)
+userdom_use_user_ptys(pan_t)
+
+xserver_user_x_domain_template(pan, pan_t, pan_tmpfs_t)
+
+tunable_policy(`pan_manage_user_content',`
+ userdom_manage_user_home_content_dirs(pan_t)
+ userdom_manage_user_home_content_files(pan_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(pan_t)
+ fs_manage_nfs_files(pan_t)
+ fs_manage_nfs_symlinks(pan_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(pan_t)
+ fs_manage_cifs_files(pan_t)
+ fs_manage_cifs_symlinks(pan_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(pan_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pan_t)
+ dbus_session_bus_client(pan_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(pan_t)
+')
+
+optional_policy(`
+ gpg_domtrans(pan_t)
+ gpg_signal(pan_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(pan_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(pan_t)
+ mozilla_domtrans(pan_t)
+')
+
+optional_policy(`
+ xdg_read_generic_data_home_files(pan_t)
+')
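Review bot: The `tunable_policy(`use_nfs_home_dirs',` and `tunable_policy(`use_samba_home_dirs',` blocks grant `fs_manage_nfs_*` and `fs_manage_cifs_*` to pan_t unconditionally, so on a system with NFS or CIFS home directories pan can manage all of the user's home content even when `pan_manage_user_content` is off, which contradicts the boolean's description that only `pan_home_t` files are usable without it. The openvpn module in the same series gates its equivalent blocks as `openvpn_enable_homedirs && use_nfs_home_dirs`; the same conjunction, `pan_manage_user_content && use_nfs_home_dirs` and `pan_manage_user_content && use_samba_home_dirs`, is needed here. Separately, `policy_module(pan, 1.0)` uses a two-part version while every other module in the series uses the three-part `1.0.0` form.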
diff --git a/policy/modules/contrib/passenger.fc b/policy/modules/contrib/passenger.fc
new file mode 100644
index 00000000..545518dd
--- /dev/null
+++ b/policy/modules/contrib/passenger.fc
@@ -0,0 +1,11 @@
+/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
+/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/policy/modules/contrib/passenger.if b/policy/modules/contrib/passenger.if
new file mode 100644
index 00000000..f68b5735
--- /dev/null
+++ b/policy/modules/contrib/passenger.if
@@ -0,0 +1,39 @@
+## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t, passenger_exec_t;
+ ')
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
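Review bot: In `passenger_read_lib_files` the `files_search_var_lib($1)` call comes after the two read patterns, whereas every other interface in this series (e.g. `openct_read_pid_files`, `pcscd_read_pub_files`) places the directory-search grant first; the generated policy is the same, but putting `files_search_var_lib($1)` on the line after `gen_require` keeps the "reach the directory, then read the files" reading order consistent. The first separator line under the file summary is two characters shorter than the standard 40-character `########` rule used elsewhere.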
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
new file mode 100644
index 00000000..3470036d
--- /dev/null
+++ b/policy/modules/contrib/passenger.te
@@ -0,0 +1,77 @@
+policy_module(passanger, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_log_t;
+logging_log_file(passenger_log_t)
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
+
+########################################
+#
+# passanger local policy
+#
+
+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
+allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
+
+manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, file)
+
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
+corenet_all_recvfrom_netlabel(passenger_t)
+corenet_all_recvfrom_unlabeled(passenger_t)
+corenet_tcp_sendrecv_generic_if(passenger_t)
+corenet_tcp_sendrecv_generic_node(passenger_t)
+corenet_tcp_connect_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
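Review bot: `policy_module(passanger, 1.0.0)` misspells the module name, so the built module would be registered as "passanger" and no longer match the passenger.te/.if/.fc file names; it should be `policy_module(passenger, 1.0.0)`, and the section comment `# passanger local policy` has the same typo. `type passenger_tmp_t;` with `files_tmp_file(passenger_tmp_t)` is declared but never used in any rule in this file — there is no `manage_*_pattern` on it and no `files_tmp_filetrans(passenger_t, passenger_tmp_t, ...)` — so either the tmp rules were lost or the type should be removed rather than left as an unlabelable dangling declaration.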
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
new file mode 100644
index 00000000..9cf0e564
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
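Review bot: `/var/lib/pcmcia(/.*)?` is labeled `cardmgr_var_run_t`, yet pcmcia.te declares a dedicated `cardmgr_var_lib_t` with `files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)` for the files created there; as written the declared var_lib type has no file context at all, and a relabel will put /var/lib/pcmcia under the pid-file type, which is the one other domains get via `pcmcia_read_pid`/`pcmcia_manage_pid`. If the intent is the separate type, this line should read `/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_lib_t,s0)`; if the var_lib type is unwanted, it should be dropped from the .te instead. The leading empty first line of the file is also unusual for an .fc file.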
diff --git a/policy/modules/contrib/pcmcia.if b/policy/modules/contrib/pcmcia.if
new file mode 100644
index 00000000..aef445d3
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.if
@@ -0,0 +1,156 @@
+## <summary>PCMCIA card management services</summary>
+
+########################################
+## <summary>
+## PCMCIA stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_stub',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+')
+
+########################################
+## <summary>
+## Execute cardmgr in the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardmgr',`
+ gen_require(`
+ type cardmgr_t, cardmgr_exec_t;
+ ')
+
+ domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fds',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ allow $1 cardmgr_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute cardctl in the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcmcia_domtrans_cardctl',`
+ gen_require(`
+ type cardmgr_t, cardctl_exec_t;
+ ')
+
+ domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
+')
+
+########################################
+## <summary>
+## Execute cardmgr in the cardctl domain, and
+## allow the specified role the cardmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pcmcia_run_cardctl',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ pcmcia_domtrans_cardctl($1)
+ role $2 types cardmgr_t;
+')
+
+########################################
+## <summary>
+## Read cardmgr pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_read_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cardmgr pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_manage_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## cardmgr runtime character nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcmcia_manage_pid_chr_files',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
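Review bot: The summary of `pcmcia_run_cardctl` says "Execute cardmgr in the cardctl domain", but the body calls `pcmcia_domtrans_cardctl($1)`, which transitions on `cardctl_exec_t` into `cardmgr_t`, and there is no cardctl domain; the text should read `## Execute cardctl in the cardmgr domain, and` / `## allow the specified role the cardmgr domain.`. `pcmcia_stub` carries only a `gen_require` with no rules, which is the refpolicy stub idiom, but the `unused="true"` attribute on its domain parameter is the only place that says so — a one-line comment above the interface noting it exists for optional_policy dependency purposes would help readers who do not know the convention.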
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
new file mode 100644
index 00000000..4d06ae36
--- /dev/null
+++ b/policy/modules/contrib/pcmcia.te
@@ -0,0 +1,137 @@
+policy_module(pcmcia, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t, cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_lib_t;
+files_type(cardmgr_var_lib_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+application_domain(cardmgr_t, cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_fifo_file_perms;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file)
+
+# Create stab file
+manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t)
+files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)
+
+allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
+files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctls(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
+
+corecmd_exec_all_executables(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr_dev(cardmgr_t)
+dev_filetrans_cardmgr(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+domain_use_interactive_fds(cardmgr_t)
+# Read /proc/PID directories for all domains (for fuser).
+domain_read_confined_domains_state(cardmgr_t)
+domain_getattr_confined_domains(cardmgr_t)
+domain_dontaudit_ptrace_confined_domains(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_sockets(cardmgr_t)
+
+files_search_kernel_modules(cardmgr_t)
+files_list_usr(cardmgr_t)
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+files_read_var_lib_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_ttys(cardmgr_t)
+term_getattr_all_ttys(cardmgr_t)
+term_dontaudit_getattr_all_ptys(cardmgr_t)
+
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+modutils_domtrans_insmod(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_etc_filetrans_config(cardmgr_t)
+sysnet_manage_config(cardmgr_t)
+
+userdom_use_user_terminals(cardmgr_t)
+userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+
+optional_policy(`
+ seutil_dontaudit_read_config(cardmgr_t)
+ seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(cardmgr_t)
+
+ sysnet_read_dhcpc_pid(cardmgr_t)
+ sysnet_delete_dhcpc_pid(cardmgr_t)
+ sysnet_kill_dhcpc(cardmgr_t)
+ sysnet_sigchld_dhcpc(cardmgr_t)
+ sysnet_signal_dhcpc(cardmgr_t)
+ sysnet_signull_dhcpc(cardmgr_t)
+ sysnet_sigstop_dhcpc(cardmgr_t)
+')
+
+optional_policy(`
+ udev_read_db(cardmgr_t)
+')
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })
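Review bot: `dontaudit cardmgr_t self:capability sys_tty_config;` is a no-op because the preceding `allow cardmgr_t self:capability { ... sys_tty_config ... }` already grants it; one of the two lines should go, and given the other daemons in this series dontaudit it, dropping it from the allow set is the least-privilege choice unless cardmgr really configures ttys. The three closing rules reference `cardmgr_dev_t`, which this file never declares; it presumably comes from the devices module and only compiles here because `dev_manage_cardmgr_dev`/`dev_filetrans_cardmgr` expanded a require for it earlier — a contrib .te should not name another module's type directly, so these transitions belong behind a devices interface (or at least a `gen_require` with a comment explaining the dependency). The grant set `corecmd_exec_all_executables`, `files_exec_etc_files`, `libs_exec_ld_so` and `libs_exec_lib_files` together with `sys_admin` and `mknod` makes cardmgr_t nearly unconfined with respect to execution; the existing `# cjp: these look excessive:` comments flag the getattr rules but not these, which deserve the same marker if they cannot be justified.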
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
new file mode 100644
index 00000000..87f17e8d
--- /dev/null
+++ b/policy/modules/contrib/pcscd.fc
@@ -0,0 +1,6 @@
+/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
new file mode 100644
index 00000000..1c2a0913
--- /dev/null
+++ b/policy/modules/contrib/pcscd.if
@@ -0,0 +1,95 @@
+## <summary>PCSC smart card service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pcscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcscd_domtrans',`
+ gen_require(`
+ type pcscd_t, pcscd_exec_t;
+ ')
+
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+')
+
+########################################
+## <summary>
+## Read pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_read_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pcscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage pcscd pub fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_pipes',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to pcscd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_stream_connect',`
+ gen_require(`
+ type pcscd_t, pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+')
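Review bot: `pcscd_read_pub_files` is documented as reading "pub files" but grants `read_file_perms` on every file of type `pcscd_var_run_t`, which per the .fc hunk above also covers `pcscd.pid` and `pcscd.comm`; callers will get more than the summary suggests. Either the summary should say `## Read pcscd runtime (pid, pub, comm) files.` or the pub file needs its own type if the distinction matters. The same wording gap applies to `pcscd_manage_pub_files` and `pcscd_manage_pub_pipes`, which likewise operate on the whole `pcscd_var_run_t` type.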
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
new file mode 100644
index 00000000..ceafba61
--- /dev/null
+++ b/policy/modules/contrib/pcscd.te
@@ -0,0 +1,79 @@
+policy_module(pcscd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+domain_type(pcscd_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+# pid files
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+
+########################################
+#
+# pcscd local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
+allow pcscd_t self:fifo_file rw_fifo_file_perms;
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+kernel_read_system_state(pcscd_t)
+
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
+corenet_tcp_sendrecv_generic_if(pcscd_t)
+corenet_tcp_sendrecv_generic_node(pcscd_t)
+corenet_tcp_sendrecv_all_ports(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_smartcard(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_read_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_use_unallocated_ttys(pcscd_t)
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+')
+
+optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+')
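Review bot: The outbound network rules `corenet_tcp_sendrecv_all_ports(pcscd_t)` and `corenet_tcp_connect_http_port(pcscd_t)` are granted to a local smart-card daemon with no comment saying which feature needs them, and `allow pcscd_t self:tcp_socket create_stream_socket_perms` enables them. For a reader auditing why pcscd may open HTTP connections, a why-comment is needed; if it is for a specific optional feature, a tunable would be the usual refpolicy shape. Suggested comment above the corenet block: `# outbound http: needed by <feature> — confirm and consider gating behind a tunable`. The `dac_override dac_read_search` capabilities on the first allow line would also benefit from a one-line note of what file access they cover.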
diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc
new file mode 100644
index 00000000..95150438
--- /dev/null
+++ b/policy/modules/contrib/pegasus.fc
@@ -0,0 +1,12 @@
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
new file mode 100644
index 00000000..920b13ff
--- /dev/null
+++ b/policy/modules/contrib/pegasus.if
@@ -0,0 +1 @@
+## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
new file mode 100644
index 00000000..31851146
--- /dev/null
+++ b/policy/modules/contrib/pegasus.te
@@ -0,0 +1,138 @@
+policy_module(pegasus, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type pegasus_t;
+type pegasus_exec_t;
+init_daemon_domain(pegasus_t, pegasus_exec_t)
+
+type pegasus_data_t;
+files_type(pegasus_data_t)
+
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
+type pegasus_conf_t;
+files_type(pegasus_conf_t)
+
+type pegasus_mof_t;
+files_type(pegasus_mof_t)
+
+type pegasus_var_run_t;
+files_pid_file(pegasus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
+
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+
+manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
+kernel_read_system_state(pegasus_t)
+kernel_search_vm_sysctl(pegasus_t)
+kernel_read_net_sysctls(pegasus_t)
+
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
+corenet_tcp_sendrecv_generic_if(pegasus_t)
+corenet_tcp_sendrecv_generic_node(pegasus_t)
+corenet_tcp_sendrecv_all_ports(pegasus_t)
+corenet_tcp_bind_generic_node(pegasus_t)
+corenet_tcp_bind_pegasus_http_port(pegasus_t)
+corenet_tcp_bind_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_pegasus_http_port(pegasus_t)
+corenet_tcp_connect_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
+dev_read_sysfs(pegasus_t)
+dev_read_urand(pegasus_t)
+
+fs_getattr_all_fs(pegasus_t)
+fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
+
+auth_use_nsswitch(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
+
+domain_use_interactive_fds(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
+
+files_read_etc_files(pegasus_t)
+files_list_var_lib(pegasus_t)
+files_read_var_lib_files(pegasus_t)
+files_read_var_lib_symlinks(pegasus_t)
+
+hostname_exec(pegasus_t)
+
+init_rw_utmp(pegasus_t)
+init_stream_connect_script(pegasus_t)
+
+logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
+
+miscfiles_read_localization(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+optional_policy(`
+ rpm_exec(pegasus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pegasus_t)
+ seutil_dontaudit_read_config(pegasus_t)
+')
+
+optional_policy(`
+ udev_read_db(pegasus_t)
+')
+
+optional_policy(`
+ unconfined_signull(pegasus_t)
+')
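Review bot: `sysnet_domtrans_ifconfig(pegasus_t)` and `corecmd_exec_shell(pegasus_t)` give a CIM/WBEM server the ability to run ifconfig and a shell without any comment explaining the need; together with `domain_read_all_domains_state` and `auth_domtrans_chk_passwd` this is a wide footprint for a network-facing daemon, so the intent should be recorded. Suggested comment before the sysnet lines: `# cimserver network providers invoke ifconfig — confirm which provider needs this`. The `chown` capability in the first allow line is likewise undocumented; if it is only for the files under `pegasus_data_t`, say so in a comment.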
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
new file mode 100644
index 00000000..bcdf89b7
--- /dev/null
+++ b/policy/modules/contrib/perdition.fc
@@ -0,0 +1,3 @@
+/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+
+/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
new file mode 100644
index 00000000..2b0bd641
--- /dev/null
+++ b/policy/modules/contrib/perdition.if
@@ -0,0 +1,15 @@
+## <summary>Perdition POP and IMAP proxy</summary>
+
+########################################
+## <summary>
+## Connect to perdition over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`perdition_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
new file mode 100644
index 00000000..36362771
--- /dev/null
+++ b/policy/modules/contrib/perdition.te
@@ -0,0 +1,75 @@
+policy_module(perdition, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type perdition_t;
+type perdition_exec_t;
+init_daemon_domain(perdition_t, perdition_exec_t)
+
+type perdition_etc_t;
+files_config_file(perdition_etc_t)
+
+type perdition_var_run_t;
+files_pid_file(perdition_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow perdition_t self:capability { setgid setuid };
+dontaudit perdition_t self:capability sys_tty_config;
+allow perdition_t self:process signal_perms;
+allow perdition_t self:tcp_socket create_stream_socket_perms;
+allow perdition_t self:udp_socket create_socket_perms;
+
+allow perdition_t perdition_etc_t:file read_file_perms;
+files_search_etc(perdition_t)
+
+manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+
+kernel_read_kernel_sysctls(perdition_t)
+kernel_list_proc(perdition_t)
+kernel_read_proc_symlinks(perdition_t)
+
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
+corenet_tcp_sendrecv_generic_if(perdition_t)
+corenet_udp_sendrecv_generic_if(perdition_t)
+corenet_tcp_sendrecv_generic_node(perdition_t)
+corenet_udp_sendrecv_generic_node(perdition_t)
+corenet_tcp_sendrecv_all_ports(perdition_t)
+corenet_udp_sendrecv_all_ports(perdition_t)
+corenet_tcp_bind_generic_node(perdition_t)
+corenet_tcp_bind_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
+
+dev_read_sysfs(perdition_t)
+
+domain_use_interactive_fds(perdition_t)
+
+fs_getattr_all_fs(perdition_t)
+fs_search_auto_mountpoints(perdition_t)
+
+files_read_etc_files(perdition_t)
+
+logging_send_syslog_msg(perdition_t)
+
+miscfiles_read_localization(perdition_t)
+
+sysnet_read_config(perdition_t)
+
+userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(perdition_t)
+')
+
+optional_policy(`
+ udev_read_db(perdition_t)
+')
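Review bot: `perdition_var_run_t` is declared and reached through `files_pid_filetrans`, but the perdition.fc hunk above carries no `/var/run/perdition` entry, so a `restorecon` of /var/run would relabel the pid file to the generic pid type and the daemon would lose access to it. Adding an .fc line for the pid file (path to be confirmed against the package) closes that gap. Separately, the .if summary calls perdition a "POP and IMAP proxy", yet the only listener rule is `corenet_tcp_bind_pop_port`, and there is no outbound `corenet_tcp_connect_*` rule for the back-end servers a proxy forwards to; if the IMAP and upstream-connect paths are expected to work, those rules appear to be missing, otherwise a comment should say the policy is POP-only.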
diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc
new file mode 100644
index 00000000..ea085f7e
--- /dev/null
+++ b/policy/modules/contrib/pingd.fc
@@ -0,0 +1,6 @@
+/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)
+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
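Review bot: The `.` in `/etc/pingd.conf` is unescaped, so as a regex it matches any character (e.g. `/etc/pingdXconf`), while the other entries in this file escape dots (`/etc/rc\.d/init\.d/whatsup-pingd`). Change the first line to `/etc/pingd\.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)` for consistency and an exact match.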
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
new file mode 100644
index 00000000..8688aaec
--- /dev/null
+++ b/policy/modules/contrib/pingd.if
@@ -0,0 +1,97 @@
+## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+ gen_require(`
+ type pingd_t, pingd_exec_t;
+ ')
+
+ domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+## <summary>
+## Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_read_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+## <summary>
+## Manage pingd etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pingd_manage_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an pingd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the pingd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+ gen_require(`
+ type pingd_t, pingd_etc_t;
+ type pingd_initrc_exec_t, pingd_modules_t;
+ ')
+
+ allow $1 pingd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pingd_t)
+
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pingd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, pingd_etc_t)
+
+ files_list_usr($1)
+ admin_pattern($1, pingd_modules_t)
+')
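Review bot: Three of the four interface headers in this file (`pingd_read_config`, `pingd_manage_config`, `pingd_admin`) use a 39-character `#` rule, whereas `pingd_domtrans` and every other .if file in this commit use 40; refpolicy's convention is the 40-character rule. `pingd_manage_config` also has a stray blank line before its closing `')`. Both are style only, but this file will be copied as a template, so it is worth fixing now.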
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
new file mode 100644
index 00000000..e9cf8a49
--- /dev/null
+++ b/policy/modules/contrib/pingd.te
@@ -0,0 +1,47 @@
+policy_module(pingd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
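Review bot: `read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)` grants access to the config file itself but nothing in this hunk lets `pingd_t` search `/etc` (no `files_search_etc` or `files_read_etc_files`), so unless `init_daemon_domain` supplies it, the open of `/etc/pingd.conf` would be denied on directory search — please confirm. The raw socket rules are also incomplete-looking: `corenet_raw_bind_generic_node` is present but there is no `corenet_raw_sendrecv_generic_if`/`_node`, and the TCP listener on `pingd_port` has no `corenet_tcp_sendrecv_generic_if`/`_node` counterpart that the other daemons in this commit carry. A comment on `allow pingd_t self:rawip_socket { write read create bind }` stating why the minimal set (rather than `create_socket_perms`) was chosen would also help future maintainers.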
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
new file mode 100644
index 00000000..5702ca42
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.fc
@@ -0,0 +1,7 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
new file mode 100644
index 00000000..9759ed80
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.if
@@ -0,0 +1,260 @@
+## <summary>Plymouth graphical boot</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth daemon in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute the plymoth command in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
+ admin_pattern($1, plymouthd_var_run_t)
+')
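Review bot: `plymouthd_admin` documents a `role` parameter and carries `<rolecap/>`, but `$2` is never used in the body — compare `pingd_admin` earlier in this commit, which does `role_transition $2 ... system_r; allow $2 system_r;`. Either the body should use the role (plymouthd has no initrc exec type here, so an init-script transition may not apply) or the `role` param and `<rolecap/>` should be dropped from the doc. The admin body also uses `read_files_pattern($1, plymouthd_t, plymouthd_t)` where the other admin interface uses `ps_process_pattern`, and the `admin_pattern` calls are not paired with `files_search_spool/var_lib/pids` as the read/manage interfaces above are. Minor: "plymoth" in the `plymouthd_exec` and `plymouthd_exec_plymouth` summaries is a typo, and the `plymouthd_domtrans_plymouth` summary says "run plymouthd" where it should say "run plymouth".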
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
new file mode 100644
index 00000000..86700edb
--- /dev/null
+++ b/policy/modules/contrib/plymouthd.te
@@ -0,0 +1,99 @@
+policy_module(plymouthd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
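Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo, while the daemon section just above uses the idiomatic `rw_fifo_file_perms`; change it to `allow plymouth_t self:fifo_file rw_fifo_file_perms;` for consistency. The same pattern appears in podsleuth.te later in this commit (`allow podsleuth_t self:fifo_file rw_file_perms;`). Separately, `sys_admin` plus `kernel_change_ring_buffer_level` and `kernel_request_load_module` for `plymouthd_t` deserve a why-comment, e.g. `# sys_admin/ring buffer: console quieting during boot splash — confirm`, since these are the rules an auditor will question first.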
diff --git a/policy/modules/contrib/podsleuth.fc b/policy/modules/contrib/podsleuth.fc
new file mode 100644
index 00000000..6fbc01c3
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.fc
@@ -0,0 +1,3 @@
+/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/policy/modules/contrib/podsleuth.if b/policy/modules/contrib/podsleuth.if
new file mode 100644
index 00000000..d6d80a0c
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.if
@@ -0,0 +1,45 @@
+## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run podsleuth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podsleuth_domtrans',`
+ gen_require(`
+ type podsleuth_t, podsleuth_exec_t;
+ ')
+
+ domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+ allow $1 podsleuth_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute podsleuth in the podsleuth domain, and
+## allow the specified role the podsleuth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ type podsleuth_t;
+ ')
+
+ podsleuth_domtrans($1)
+ role $2 types podsleuth_t;
+')
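Review bot: `podsleuth_domtrans` grants `allow $1 podsleuth_t:process signal;` in addition to the transition, but its summary only says "Execute a domain transition to run podsleuth", so callers do not learn they also gain the ability to signal the child. Extend the summary to `## Execute a domain transition to run podsleuth and allow the caller to signal it.`, or move the signal rule into `podsleuth_run`, which is where the role-aware callers live.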
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
new file mode 100644
index 00000000..4cffb072
--- /dev/null
+++ b/policy/modules/contrib/podsleuth.te
@@ -0,0 +1,87 @@
+policy_module(podsleuth, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role system_r types podsleuth_t;
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+userdom_user_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+
+########################################
+#
+# podsleuth local policy
+#
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:fifo_file rw_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
+
+kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
+
+corecmd_exec_bin(podsleuth_t)
+
+corenet_tcp_connect_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+sysnet_dns_name_resolve(podsleuth_t)
+
+userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
+
+optional_policy(`
+ mono_exec(podsleuth_t)
+')
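Review bot: `allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };` and `allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };` are the broadest self rules in this commit and have no comment; the `mono_exec` optional block at the end suggests the exec* permissions are for the Mono JIT, and `sys_rawio`/`sys_admin` presumably relate to the `fs_mount_dos_fs`/`fs_rw_removable_blk_files` rules, but neither is stated. Suggested comments: `# execmem/execheap/execstack: Mono JIT — confirm` above the process line and `# sys_admin/sys_rawio: mounting and probing the iPod block device` above the capability line. Also, `files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })` transitions objects created directly under `/var`, while the .fc labels `/var/cache/podsleuth`; please confirm this is the intended transition point rather than a cache-directory one.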
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
new file mode 100644
index 00000000..63d00612
--- /dev/null
+++ b/policy/modules/contrib/policykit.fc
@@ -0,0 +1,16 @@
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
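Review bot: The file ends with an extra blank line after the `/var/run/PolicyKit(/.*)?` entry; none of the other .fc files in this commit do, so drop it for consistency.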
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if
new file mode 100644
index 00000000..48ff1e8a
--- /dev/null
+++ b/policy/modules/contrib/policykit.if
@@ -0,0 +1,209 @@
+## <summary>Policy framework for controlling privileges for system-wide services.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_grant.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+## <summary>
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+## <summary>
+## read policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## rw policykit reload files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
+')
+
+########################################
+## <summary>
+## Search policykit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## read policykit lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+')
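Review bot: `policykit_run_auth` has no `<rolecap/>` tag while `policykit_run_grant`, which has the same role parameter and shape, carries one, so the interface documentation is inconsistent about which run interfaces are role capabilities. The summaries of both run interfaces also speak of a "policy_auth" and "policy_grant" domain, names that do not exist in this module, and end with a comma. Suggest `## Execute polkit_auth in the policykit_auth domain, and` / `## allow the specified role the policykit_auth domain.` (and the grant counterpart) and adding `## <rolecap/>` before the `#` line of `policykit_run_auth`. The `policykit_read_reload`, `policykit_rw_reload` and `policykit_read_lib` summaries would read better as full sentences, e.g. `## Read policykit reload files.`.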
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
new file mode 100644
index 00000000..44db896e
--- /dev/null
+++ b/policy/modules/contrib/policykit.te
@@ -0,0 +1,210 @@
+policy_module(policykit, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+kernel_read_system_state(policykit_auth_t)
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_auth_t)
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_auth_t)
+ hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+')
+
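Review bot: `kernel_search_proc` is placed inside the `optional_policy` blocks for hal (the polkit_auth and polkit_resolve sections), but the kernel interfaces come from a base module and are not optional, so the rule should sit unconditionally with the other `kernel_*` calls and the optional block should contain only `hal_read_state`. The `sys_ptrace` capability together with `mcs_ptrace_all` in the polkit_resolve section is the broadest grant in this file and carries no explanation; a comment stating what the resolve helper inspects would help a reviewer judge it, for instance `# presumably needed to read the exe link of other users' processes -- confirm`. The resolve helper also receives `userdom_read_all_users_state`, which overlaps with that ptrace access and could be called out in the same comment.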
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
new file mode 100644
index 00000000..8d426f52
--- /dev/null
+++ b/policy/modules/contrib/portage.fc
@@ -0,0 +1,35 @@
+/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
+
+/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+
+/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
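Review bot: `/var/log/emerge-fetch.log` leaves its dot unescaped while the line directly above escapes it in `emerge\.log.*`, so this entry matches any character before `log` and is inconsistent with the rest of the file. Suggest `/var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0)`.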
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
new file mode 100644
index 00000000..45e60b62
--- /dev/null
+++ b/policy/modules/contrib/portage.if
@@ -0,0 +1,394 @@
+## <summary>
+## Portage Package Management System. The primary package management and
+## distribution system for Gentoo.
+## </summary>
+
+########################################
+## <summary>
+## Execute emerge in the portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans',`
+ gen_require(`
+ type portage_t, portage_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_exec_t, portage_t)
+')
+
+########################################
+## <summary>
+## Execute emerge in the portage domain, and
+## allow the specified role the portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run',`
+ gen_require(`
+ attribute_role portage_roles;
+ ')
+
+ portage_domtrans($1)
+ roleattribute $2 portage_roles;
+')
+
+########################################
+## <summary>
+## Template for portage sandbox.
+## </summary>
+## <desc>
+## <p>
+## Template for portage sandbox. Portage
+## does all compiling in the sandbox.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain Allowed Access
+## </summary>
+## </param>
+#
+interface(`portage_compile_domain',`
+
+ gen_require(`
+ class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
+ type portage_tmpfs_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ dontaudit $1 self:capability sys_chroot;
+ allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
+ allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1 self:fd use;
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:sem create_sem_perms;
+ allow $1 self:msgq create_msgq_perms;
+ allow $1 self:msg { send receive };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket sendto;
+ allow $1 self:unix_stream_socket connectto;
+ # really shouldnt need this
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ # misc networking stuff (esp needed for compiling perl):
+ allow $1 self:rawip_socket { create ioctl };
+ # needed for merging dbus:
+ allow $1 self:netlink_selinux_socket { bind create read };
+ allow $1 self:dbus send_msg;
+
+ allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1, portage_devpts_t)
+
+ # write compile logs
+ allow $1 portage_log_t:dir setattr;
+ allow $1 portage_log_t:file { write_file_perms setattr };
+
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
+ # run scripts out of the build directory
+ can_exec(portage_sandbox_t, portage_tmp_t)
+
+ manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+ # SELinux-enabled programs running in the sandbox
+ allow $1 portage_tmp_t:file relabel_file_perms;
+
+ manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1)
+ kernel_read_network_state($1)
+ kernel_read_software_raid_state($1)
+ kernel_getattr_core_if($1)
+ kernel_getattr_message_if($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_all_executables($1)
+
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_raw_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_raw_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_distccd_port($1)
+ corenet_tcp_connect_git_port($1)
+
+ dev_read_sysfs($1)
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+ domain_dontaudit_read_all_domains_state($1)
+ # SELinux-aware installs doing relabels in the sandbox
+ domain_obj_id_change_exemption($1)
+
+ files_exec_etc_files($1)
+ files_exec_usr_src_files($1)
+
+ fs_getattr_xattr_fs($1)
+ fs_list_noxattr_fs($1)
+ fs_read_noxattr_fs_files($1)
+ fs_read_noxattr_fs_symlinks($1)
+ fs_search_auto_mountpoints($1)
+
+ selinux_validate_context($1)
+ # needed for merging dbus:
+ selinux_compute_access_vector($1)
+
+ auth_read_all_dirs_except_auth_files($1)
+ auth_read_all_files_except_auth_files($1)
+ auth_read_all_symlinks_except_auth_files($1)
+
+ libs_exec_lib_files($1)
+ # some config scripts use ldd
+ libs_exec_ld_so($1)
+ # this violates the idea of sandbox, but
+ # regular sandbox allows it
+ libs_domtrans_ldconfig($1)
+
+ logging_send_syslog_msg($1)
+
+ userdom_use_user_terminals($1)
+
+ # SELinux-enabled programs running in the sandbox
+ seutil_libselinux_linked($1)
+
+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ ifdef(`TODO',`
+ # some gui ebuilds want to interact with X server, like xawtv
+ optional_policy(`
+ allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
+ allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+ ')
+ ') dnl end TODO
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_fetch',`
+ gen_require(`
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain, and allow the specified role
+## the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage_fetch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_fetch',`
+ gen_require(`
+ type portage_fetch_t;
+ ')
+
+ portage_domtrans_fetch($1)
+ role $2 types portage_fetch_t;
+')
+
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_gcc_config',`
+ gen_require(`
+ type gcc_config_t, gcc_config_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
+')
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc_config domain, and
+## allow the specified role the gcc_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the gcc_config domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_gcc_config',`
+ gen_require(`
+ type gcc_config_t;
+ ')
+
+ portage_domtrans_gcc_config($1)
+ role $2 types gcc_config_t;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## portage file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_fds',`
+ gen_require(`
+ type portage_t;
+ ')
+
+ dontaudit $1 portage_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## portage temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_search_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## the portage temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to run within an eselect module script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow within an eselect module
+## </summary>
+## </param>
+# Specific to Gentoo,
+# eselect modules allow users to switch between different flavors or versions
+# of underlying components. In return, eselect makes a wrapper binary which
+# makes the proper selections. If this binary is different from bin_t, it might
+# not hold the necessary privileges for the wrapper to function. However, just
+# marking the target binaries doesn't always work, since for python scripts the
+# wrapper doesn't execute it, but treats the target as a library.
+#
+interface(`gentoo_portage_eselect_module',`
+ gen_require(`
+ type portage_t;
+ ')
+ allow $1 self:fifo_file { read write };
+
+ corecmd_exec_shell($1)
+
+ # Support for /etc/env.d changes
+ files_manage_etc_runtime_files($1)
+')
+
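Review bot: Inside `portage_compile_domain` the line `can_exec(portage_sandbox_t, portage_tmp_t)` hard-codes the sandbox type while every other rule in the interface applies to `$1`, and `portage_sandbox_t` is not listed in the interface's `gen_require`, so a caller other than the sandbox (portage.te calls this interface for `portage_t` and has to add its own `can_exec(portage_t, portage_tmp_t)`) silently does not get the permission here. Suggest `can_exec($1, portage_tmp_t)` so the interface is self-consistent and the separate rule in the .te file becomes redundant. The two `self:process` rules that follow the capability rules overlap: the first explicitly grants `setrlimit` and `execmem`, which the second line's complement set excludes, so the exclusion has no effect; if denying them is intended, remove them from the first line, otherwise drop them from the complement so the intent is readable. `gentoo_portage_eselect_module` requires `type portage_t` but never references it, and its name lacks the `portage_` prefix the other interfaces in this file use.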
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
new file mode 100644
index 00000000..1f83dd82
--- /dev/null
+++ b/policy/modules/contrib/portage.te
@@ -0,0 +1,367 @@
+policy_module(portage, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+## <desc>
+## <p>
+## (deprecated) support for dontaudit tryouts
+## </p>
+## </desc>
+gen_tunable(gentoo_try_dontaudit, false)
+
+## <desc>
+## <p>
+## (deprecated) support for fixes
+## </p>
+## </desc>
+gen_tunable(gentoo_wait_requests, false)
+
+
+attribute_role portage_roles;
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+
+type gcc_config_tmp_t;
+files_tmp_file(gcc_config_tmp_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_mountpoint(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)
+files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_manage_etc_runtime_files(gcc_config_t)
+files_manage_etc_runtime_lnk_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+
+# transition to sandbox for compiling
+domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+kernel_dontaudit_request_load_module(portage_t)
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_run_setfiles(portage_t, portage_roles)
+# run semodule
+seutil_run_semanage(portage_t, portage_roles)
+
+portage_run_gcc_config(portage_t, portage_roles)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_run(portage_t, portage_roles)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ modutils_run_depmod(portage_t, portage_roles)
+ modutils_run_update_mods(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:chr_file read_chr_file_perms;
+dontaudit portage_t device_type:blk_file read_blk_file_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)
+userdom_dontaudit_search_user_home_dirs(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+')
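Review bot: The tunables `gentoo_try_dontaudit` and `gentoo_wait_requests` are declared in the Declarations section but no `tunable_policy` in this file references them, so they are dead booleans; since both are documented as deprecated, either drop them or add a comment such as `# kept so existing boolean settings still load; no rules depend on these` above the two `gen_tunable` lines. The `allow portage_sandbox_t self:process ptrace;` rule in the sandbox transition block has no comment explaining why the sandbox domain needs to trace itself, for instance `# NOTE(review): needed by the sandbox tooling? confirm`. The rules for `portage_fetch_t` that sit under "Portage Merging Rules" (fd use, fifo_file, sigchld, devpts dontaudit) belong with the "Portage fetch domain" section that follows. Finally `dontaudit portage_t self:capability { dac_read_search };` braces a single permission while the neighbouring rules do not.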
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
new file mode 100644
index 00000000..3cdcd9f3
--- /dev/null
+++ b/policy/modules/contrib/portmap.fc
@@ -0,0 +1,16 @@
+
+/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+')
+
+/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
new file mode 100644
index 00000000..374afcf7
--- /dev/null
+++ b/policy/modules/contrib/portmap.if
@@ -0,0 +1,89 @@
+## <summary>RPC port mapping service.</summary>
+
+########################################
+## <summary>
+## Execute portmap_helper in the helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
+')
+
+########################################
+## <summary>
+## Execute portmap helper in the helper domain, and
+## allow the specified role the helper domain.
+## Communicate with portmap.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ type portmap_t, portmap_helper_t;
+ ')
+
+ portmap_domtrans_helper($1)
+ role $2 types portmap_helper_t;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to portmap. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic from portmap. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Connect to portmap over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portmap_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
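Review bot: `portmap_run_helper` lists `portmap_t` in its `gen_require` but never uses it, and its summary promises "Communicate with portmap." while the body only calls `portmap_domtrans_helper($1)` and sets `role $2 types portmap_helper_t;`. Either drop `type portmap_t` from the require block and the "Communicate with portmap." sentence, or add the rule the summary implies, so readers of the generated interface docs are not led to expect access that the interface does not grant. The three deprecated interfaces below are fine as stubs, but a one-line `##` pointer to the replacement (the corenet portmap port interfaces, if that is what is intended) would help callers migrating off them.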
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
new file mode 100644
index 00000000..c1db6524
--- /dev/null
+++ b/policy/modules/contrib/portmap.te
@@ -0,0 +1,150 @@
+policy_module(portmap, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t, portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
+
+manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
+files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+
+kernel_read_system_state(portmap_t)
+kernel_read_kernel_sysctls(portmap_t)
+
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
+corenet_tcp_sendrecv_generic_if(portmap_t)
+corenet_udp_sendrecv_generic_if(portmap_t)
+corenet_tcp_sendrecv_generic_node(portmap_t)
+corenet_udp_sendrecv_generic_node(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_generic_node(portmap_t)
+corenet_udp_bind_generic_node(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
+corenet_sendrecv_portmap_client_packets(portmap_t)
+corenet_sendrecv_portmap_server_packets(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+domain_use_interactive_fds(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_t)
+')
+
+optional_policy(`
+ nscd_socket_use(portmap_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`
+ udev_read_db(portmap_t)
+')
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
+files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
+corenet_tcp_sendrecv_generic_if(portmap_helper_t)
+corenet_udp_sendrecv_generic_if(portmap_helper_t)
+corenet_raw_sendrecv_generic_if(portmap_helper_t)
+corenet_tcp_sendrecv_generic_node(portmap_helper_t)
+corenet_udp_sendrecv_generic_node(portmap_helper_t)
+corenet_raw_sendrecv_generic_node(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_generic_node(portmap_helper_t)
+corenet_udp_bind_generic_node(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
+
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_utmp(portmap_helper_t)
+
+logging_send_syslog_msg(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_user_terminals(portmap_helper_t)
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_helper_t)
+')
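Review bot: `corenet_raw_sendrecv_generic_if(portmap_helper_t)` and `corenet_raw_sendrecv_generic_node(portmap_helper_t)` grant raw-IP traffic on interfaces and nodes, yet the helper's self rules above only allow `netlink_route_socket`, `tcp_socket` and `udp_socket` — there is no `rawip_socket` grant, so these two rules are either dead or a missing allow is hidden behind them; please confirm which and either remove them or add the socket permission. `role system_r types portmap_helper_t;` after `init_system_domain(...)` looks redundant, since that interface already associates the domain with `system_r` (verify against the init module). In the portmap block, `corenet_tcp_connect_all_ports(portmap_t)` is much broader than the bind rules around it and deserves a why-comment like the one on the generic-port binds; the existing comment also has a typo, `# portmap binds to arbitrary ports`.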
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
new file mode 100644
index 00000000..4313a6f0
--- /dev/null
+++ b/policy/modules/contrib/portreserve.fc
@@ -0,0 +1,7 @@
+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
new file mode 100644
index 00000000..7719d160
--- /dev/null
+++ b/policy/modules/contrib/portreserve.if
@@ -0,0 +1,120 @@
+## <summary>Reserve well-known ports in the RPC port range.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+ gen_require(`
+ type portreserve_t, portreserve_exec_t;
+ ')
+
+ domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## portreserve etcuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_read_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 portreserve_etc_t:dir list_dir_perms;
+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to manage
+## portreserve etcuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portreserve_manage_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+########################################
+## <summary>
+## Execute portreserve in the portreserve domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an portreserve environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portreserve_admin',`
+ gen_require(`
+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 portreserve_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
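Review bot: The summaries of `portreserve_read_config` and `portreserve_manage_config` say "portreserve etcuration files", which should read "portreserve configuration files" in both places; these `##` blocks feed the generated interface documentation. `<rolecap/>` on `portreserve_read_config` looks misplaced — read-only config interfaces are not normally role capabilities, and the manage interface next to it does not carry the tag. The summary of `portreserve_initrc_domtrans` says "Execute portreserve in the portreserve domain." but the body calls `init_labeled_script_domtrans`, so it should say `## Execute portreserve init scripts in the initrc domain.`; and in `portreserve_admin`, "an portreserve environment" should be "a portreserve environment".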
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
new file mode 100644
index 00000000..152af929
--- /dev/null
+++ b/policy/modules/contrib/portreserve.te
@@ -0,0 +1,54 @@
+policy_module(portreserve, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+
+allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
+
+corecmd_getattr_bin_files(portreserve_t)
+
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)
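Review bot: `allow portreserve_t self:capability { dac_read_search dac_override };` grants both capabilities although `dac_override` already subsumes `dac_read_search`; if the daemon only needs to read its config and run-time files as a different uid, `dac_read_search` alone is the tighter grant, otherwise drop the redundant one and add a comment saying why `dac_override` is required (cannot tell from here which). `portreserve_etc_t` is declared with `files_type` while the sibling portslave module declares its `/etc` type with `files_config_file`; since `/etc/portreserve` holds configuration, `files_config_file(portreserve_etc_t)` is the conventional declaration and lets generic config-reading interfaces cover it. The `corenet_*_bind_all_ports` pair is inherent to what portreserve does, but a one-line comment stating that would stop future reviewers from flagging it as overly broad.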
diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc
new file mode 100644
index 00000000..2dd77861
--- /dev/null
+++ b/policy/modules/contrib/portslave.fc
@@ -0,0 +1,4 @@
+/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/contrib/portslave.if b/policy/modules/contrib/portslave.if
new file mode 100644
index 00000000..b53ff778
--- /dev/null
+++ b/policy/modules/contrib/portslave.if
@@ -0,0 +1,19 @@
+## <summary>Portslave terminal server software</summary>
+
+########################################
+## <summary>
+## Execute portslave with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portslave_domtrans',`
+ gen_require(`
+ type portslave_t, portslave_exec_t;
+ ')
+
+ domtrans_pattern($1, portslave_exec_t, portslave_t)
+')
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
new file mode 100644
index 00000000..69c331ee
--- /dev/null
+++ b/policy/modules/contrib/portslave.te
@@ -0,0 +1,125 @@
+policy_module(portslave, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t, portslave_exec_t)
+init_daemon_domain(portslave_t, portslave_exec_t)
+
+type portslave_etc_t;
+files_config_file(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# setuid setgid net_admin fsetid for pppd
+# sys_admin for ctlportslave
+# net_bind_service for rlogin
+allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process signal_perms;
+allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
+allow portslave_t self:unix_dgram_socket create_socket_perms;
+allow portslave_t self:unix_stream_socket create_stream_socket_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket create_stream_socket_perms;
+allow portslave_t self:udp_socket create_socket_perms;
+
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+
+allow portslave_t portslave_lock_t:file manage_file_perms;
+files_lock_filetrans(portslave_t, portslave_lock_t, file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_generic_node(portslave_t)
+corenet_udp_sendrecv_generic_node(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+# for ssh
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_files(portslave_t)
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_ttys(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_rw_login_records(portslave_t)
+auth_domtrans_chk_passwd(portslave_t)
+
+init_rw_utmp(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+sysnet_read_config(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+userdom_search_user_home_dirs(portslave_t)
+
+mta_send_mail(portslave_t)
+
+# this should probably be a domtrans to pppd
+# instead of exec.
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t)
+
+ssh_exec(portslave_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(portslave_t, portslave_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(portslave_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+ udev_read_db(portslave_t)
+')
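Review bot: `mta_send_mail`, the five `ppp_*` calls and `ssh_exec` are invoked unconditionally while `inetd`, `nis`, `seutil` and `udev` access in the same file is wrapped in `optional_policy`, so this module fails to build whenever the mta, ppp or ssh modules are not present; wrap those three groups the same way. `init_domain(portslave_t, portslave_exec_t)` directly before `init_daemon_domain(...)` appears redundant, since the daemon interface is expected to include the plain domain setup (verify against the init module). `allow portslave_t self:process ~{ ptrace setcurrent ... };` is a negated set that silently grants every process permission added to the class in future policy versions; listing the permissions the daemon actually needs is the safer style and worth a follow-up.

```selinux
# … unchanged: declarations, self rules, etc/lock, kernel, corecmd, corenet, dev, files, fs, term, auth, init, logging, sysnet, userdom …

optional_policy(`
	mta_send_mail(portslave_t)
')

optional_policy(`
	# this should probably be a domtrans to pppd
	# instead of exec.
	ppp_read_rw_config(portslave_t)
	ppp_exec(portslave_t)
	ppp_read_secrets(portslave_t)
	ppp_manage_pid_files(portslave_t)
	ppp_pid_filetrans(portslave_t)
')

optional_policy(`
	ssh_exec(portslave_t)
')

# … unchanged: inetd, nis, seutil, udev optional_policy blocks …
```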
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
new file mode 100644
index 00000000..8bfd46b5
--- /dev/null
+++ b/policy/modules/contrib/postfix.fc
@@ -0,0 +1,53 @@
+# postfix
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
+/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
+
+/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
new file mode 100644
index 00000000..4c6d5f05
--- /dev/null
+++ b/policy/modules/contrib/postfix.if
@@ -0,0 +1,683 @@
+## <summary>Postfix email server</summary>
+
+########################################
+## <summary>
+## Postfix stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_stub',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## postfix process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`postfix_domain_template',`
+ type postfix_$1_t;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
+ domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ role system_r types postfix_$1_t;
+
+ dontaudit postfix_$1_t self:capability sys_tty_config;
+ allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket connectto;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+ allow postfix_$1_t postfix_master_t:file read;
+
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
+
+ allow postfix_$1_t postfix_master_t:process sigchld;
+
+ allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
+
+ allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+ allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
+
+ kernel_read_system_state(postfix_$1_t)
+ kernel_read_network_state(postfix_$1_t)
+ kernel_read_all_sysctls(postfix_$1_t)
+
+ dev_read_sysfs(postfix_$1_t)
+ dev_read_rand(postfix_$1_t)
+ dev_read_urand(postfix_$1_t)
+
+ fs_search_auto_mountpoints(postfix_$1_t)
+ fs_getattr_xattr_fs(postfix_$1_t)
+ fs_rw_anon_inodefs_files(postfix_$1_t)
+
+ term_dontaudit_use_console(postfix_$1_t)
+
+ corecmd_exec_shell(postfix_$1_t)
+
+ files_read_etc_files(postfix_$1_t)
+ files_read_etc_runtime_files(postfix_$1_t)
+ files_read_usr_symlinks(postfix_$1_t)
+ files_search_spool(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
+ files_search_all_mountpoints(postfix_$1_t)
+
+ init_dontaudit_use_fds(postfix_$1_t)
+ init_sigchld(postfix_$1_t)
+
+ auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ miscfiles_read_localization(postfix_$1_t)
+ miscfiles_read_generic_certs(postfix_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+
+ optional_policy(`
+ udev_read_db(postfix_$1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Creates a postfix server process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain.
+## </summary>
+## </param>
+#
+template(`postfix_server_domain_template',`
+ postfix_domain_template($1)
+
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+ allow postfix_$1_t self:capability { setuid setgid dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
+')
+
+########################################
+## <summary>
+## Creates a process domain for programs
+## that are ran by users.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain.
+## </summary>
+## </param>
+#
+template(`postfix_user_domain_template',`
+ gen_require(`
+ attribute postfix_user_domains, postfix_user_domtrans;
+ ')
+
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_user_domains;
+
+ allow postfix_$1_t self:capability dac_override;
+
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+
+ domain_use_interactive_fds(postfix_$1_t)
+')
+
+########################################
+## <summary>
+## Read postfix configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_read_config',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Create files with the specified type in
+## the postfix configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`postfix_config_filetrans',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ files_search_etc($1)
+ filetrans_pattern($1, postfix_etc_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write postfix local delivery
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Allow read/write postfix local pipes
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read postfix local process state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_local_state',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ read_files_pattern($1, postfix_local_t, postfix_local_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read postfix master process state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_master_state',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ read_files_pattern($1, postfix_master_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## postfix master process file
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_dontaudit_use_fds',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute postfix_map in the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_map',`
+ gen_require(`
+ type postfix_map_t, postfix_map_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
+')
+
+########################################
+## <summary>
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_map',`
+ gen_require(`
+ type postfix_map_t;
+ ')
+
+ postfix_domtrans_map($1)
+ role $2 types postfix_map_t;
+')
+
+########################################
+## <summary>
+## Execute postfix_$1 in the postfix_$1 domain, and
+## allow the specified role the postfix_$1 domain.
+## </summary>
+## <param name="subdomain">
+## <summary>
+## Postfix subdomain, like master, postqueue, map, ...
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run',`
+ gen_require(`
+ type postfix_$1_t;
+ type postfix_$1_exec_t;
+ ')
+
+ postfix_domtrans_$1($2)
+ role $3 types postfix_$1_t;
+')
+
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## postfix_master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_master',`
+ gen_require(`
+ type postfix_master_t, postfix_master_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ ')
+
+ can_exec($1, postfix_master_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix programs in the
+## master domain.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_run_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ type postfix_master_t;
+ ')
+
+ role $1 types { postfix_master_exec_t postfix_master_t };
+ postfix_domtrans_master($2)
+')
+
+#######################################
+## <summary>
+## Connect to postfix master process using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_stream_connect_master',`
+ gen_require(`
+ type postfix_master_t, postfix_public_t;
+ ')
+
+ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+## <summary>
+## Execute the master postqueue in the
+## postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+#######################################
+## <summary>
+## Execute the master postqueue in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`posftix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+
+ can_exec($1, postfix_postqueue_exec_t)
+')
+
+########################################
+## <summary>
+## Create a named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_create_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
+## Execute the master postfix program in the
+## postfix_master domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_smtp',`
+ gen_require(`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
+')
+
+########################################
+## <summary>
+## Search postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_search_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## List postfix mail spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_list_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_read_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
+## Execute postfix user mail programs
+## in their respective domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_user_mail_handler',`
+ gen_require(`
+ attribute postfix_user_domtrans;
+ ')
+
+ typeattribute $1 postfix_user_domtrans;
+')
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
new file mode 100644
index 00000000..499ea264
--- /dev/null
+++ b/policy/modules/contrib/postfix.te
@@ -0,0 +1,635 @@
+policy_module(postfix, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
+attribute postfix_user_domtrans;
+
+postfix_server_domain_template(bounce)
+
+type postfix_spool_bounce_t;
+files_type(postfix_spool_bounce_t)
+
+postfix_server_domain_template(cleanup)
+
+type postfix_etc_t;
+files_config_file(postfix_etc_t)
+
+type postfix_exec_t;
+application_executable_file(postfix_exec_t)
+
+postfix_server_domain_template(local)
+mta_mailserver_delivery(postfix_local_t)
+
+# Program for creating database files
+type postfix_map_t;
+type postfix_map_exec_t;
+application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
+
+type postfix_map_tmp_t;
+files_tmp_file(postfix_map_tmp_t)
+
+postfix_domain_template(master)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t, postfix_master_exec_t)
+
+postfix_server_domain_template(pickup)
+
+postfix_server_domain_template(pipe)
+
+postfix_user_domain_template(postdrop)
+mta_mailserver_user_agent(postfix_postdrop_t)
+
+postfix_user_domain_template(postqueue)
+
+type postfix_private_t;
+files_type(postfix_private_t)
+
+type postfix_prng_t;
+files_type(postfix_prng_t)
+
+postfix_server_domain_template(qmgr)
+
+postfix_user_domain_template(showq)
+
+postfix_server_domain_template(smtp)
+mta_mailserver_sender(postfix_smtp_t)
+
+postfix_server_domain_template(smtpd)
+
+type postfix_spool_t;
+files_type(postfix_spool_t)
+
+type postfix_spool_maildrop_t;
+files_type(postfix_spool_maildrop_t)
+
+type postfix_spool_flush_t;
+files_type(postfix_spool_flush_t)
+
+type postfix_public_t;
+files_type(postfix_public_t)
+
+type postfix_var_run_t;
+files_pid_file(postfix_var_run_t)
+
+# the data_directory config parameter
+type postfix_data_t;
+files_type(postfix_data_t)
+
+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+########################################
+#
+# Postfix master process local policy
+#
+
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search fowner fsetid };
+allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
+
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
+can_exec(postfix_master_t, postfix_exec_t)
+
+allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+# allow access to deferred queue and allow removing bogus incoming entries
+manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+
+manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+
+delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+kernel_read_all_sysctls(postfix_master_t)
+
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
+corenet_tcp_sendrecv_generic_if(postfix_master_t)
+corenet_udp_sendrecv_generic_if(postfix_master_t)
+corenet_tcp_sendrecv_generic_node(postfix_master_t)
+corenet_udp_sendrecv_generic_node(postfix_master_t)
+corenet_tcp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+corenet_tcp_bind_smtp_port(postfix_master_t)
+corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+
+# for a find command
+selinux_dontaudit_search_fs(postfix_master_t)
+
+corecmd_exec_shell(postfix_master_t)
+corecmd_exec_bin(postfix_master_t)
+
+domain_use_interactive_fds(postfix_master_t)
+
+files_read_usr_files(postfix_master_t)
+
+term_dontaudit_search_ptys(postfix_master_t)
+
+miscfiles_read_man_pages(postfix_master_t)
+
+seutil_sigchld_newrole(postfix_master_t)
+# postfix does a "find" on startup for some reason - keep it quiet
+seutil_dontaudit_search_config(postfix_master_t)
+
+mta_rw_aliases(postfix_master_t)
+mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
+
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(postfix, postfix_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_master_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(postfix_master_t)
+ mysql_stream_connect(postfix_cleanup_t)
+ mysql_stream_connect(postfix_local_t)
+')
+
+optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
+ sendmail_signal(postfix_master_t)
+')
+
+########################################
+#
+# Postfix bounce local policy
+#
+
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search;
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+
+########################################
+#
+# Postfix cleanup local policy
+#
+
+allow postfix_cleanup_t self:process setrlimit;
+
+# connect to master process
+stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+
+manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+corecmd_exec_bin(postfix_cleanup_t)
+
+mta_read_aliases(postfix_cleanup_t)
+
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
+########################################
+#
+# Postfix local local policy
+#
+
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+allow postfix_local_t self:process { setsched setrlimit };
+
+# connect to master process
+stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# for .forward - maybe we need a new type for it?
+rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
+corecmd_exec_bin(postfix_local_t)
+
+files_read_etc_files(postfix_local_t)
+
+logging_dontaudit_search_logs(postfix_local_t)
+
+mta_read_aliases(postfix_local_t)
+mta_delete_spool(postfix_local_t)
+# For reading spamassasin
+mta_read_config(postfix_local_t)
+
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+optional_policy(`
+ clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_local_t)
+')
+
+########################################
+#
+# Postfix map local policy
+#
+allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+
+manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
+
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
+corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
+corenet_tcp_sendrecv_generic_node(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
+corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
+
+corecmd_list_bin(postfix_map_t)
+corecmd_read_bin_symlinks(postfix_map_t)
+corecmd_read_bin_files(postfix_map_t)
+corecmd_read_bin_pipes(postfix_map_t)
+corecmd_read_bin_sockets(postfix_map_t)
+
+files_list_home(postfix_map_t)
+files_read_usr_files(postfix_map_t)
+files_read_etc_files(postfix_map_t)
+files_read_etc_runtime_files(postfix_map_t)
+files_dontaudit_search_var(postfix_map_t)
+
+auth_use_nsswitch(postfix_map_t)
+
+logging_send_syslog_msg(postfix_map_t)
+
+miscfiles_read_localization(postfix_map_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
+########################################
+#
+# Postfix pickup local policy
+#
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_pickup_t)
+
+allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+########################################
+#
+# Postfix pipe local policy
+#
+
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
+
+write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+
+write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+ mailman_domtrans_queue(postfix_pipe_t)
+')
+
+optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(postfix_pipe_t)
+')
+
+########################################
+#
+# Postfix postdrop local policy
+#
+
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
+term_dontaudit_use_all_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_ttys(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+
+optional_policy(`
+ apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+')
+
+optional_policy(`
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+')
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
+optional_policy(`
+ fstools_read_pipes(postfix_postdrop_t)
+')
+
+optional_policy(`
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
+')
+
+#######################################
+#
+# Postfix postqueue local policy
+#
+
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
+stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# write to /var/spool/postfix/public/qmgr
+write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_postqueue_t)
+term_use_all_ttys(postfix_postqueue_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
+
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
+########################################
+#
+# Postfix qmgr local policy
+#
+
+stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+
+# for /var/spool/postfix/active
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+
+corecmd_exec_bin(postfix_qmgr_t)
+
+########################################
+#
+# Postfix showq local policy
+#
+
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_showq_t)
+term_use_all_ttys(postfix_showq_t)
+
+########################################
+#
+# Postfix smtp delivery local policy
+#
+
+# connect to master process
+allow postfix_smtp_t self:capability sys_chroot;
+stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+files_search_all_mountpoints(postfix_smtp_t)
+
+optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+')
+
+########################################
+#
+# Postfix smtpd local policy
+#
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+corecmd_exec_bin(postfix_smtpd_t)
+
+# for OpenSSL certificates
+files_read_usr_files(postfix_smtpd_t)
+mta_read_aliases(postfix_smtpd_t)
+mta_read_config(postfix_smtpd_t)
+
+optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(postfix_smtpd_t)
+')
+
+optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ sasl_connect(postfix_smtpd_t)
+')
+
+########################################
+#
+# Postfix virtual local policy
+#
+
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+allow postfix_virtual_t self:process { setsched setrlimit };
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+corecmd_exec_shell(postfix_virtual_t)
+corecmd_exec_bin(postfix_virtual_t)
+
+files_read_etc_files(postfix_virtual_t)
+files_read_usr_files(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
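Review bot: The map domain block (`corenet_tcp_connect_all_ports(postfix_map_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_all_recvfrom_unlabeled`) gives the postmap/postalias helper unrestricted outbound TCP, far wider than a tool that builds hash/btree files on disk needs. If the intent is network-backed lookup tables (mysql:, pgsql:, ldap:), that is better expressed as the specific `corenet_tcp_connect_*_port` calls or gated behind a tunable so the default build stays offline; the master domain's `corenet_tcp_connect_all_ports` earlier in the hunk deserves the same question, since outbound delivery is performed by postfix_smtp_t rather than master. Two smaller items: the `# connect to master process` comment in the smtp section sits above `allow postfix_smtp_t self:capability sys_chroot;` instead of the stream_connect_pattern it describes, and `# Might be a leak, but I need a postfix expert to explain` above the postdrop/postfix_local_t unix_stream_socket rule ships a known open question. A TODO with a bug reference, or an audit run without that rule, would settle whether it is actually needed.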
diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc
new file mode 100644
index 00000000..4361cb67
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.fc
@@ -0,0 +1,6 @@
+/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+
+/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+
+/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
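Review bot: `/etc/policyd.conf -- gen_context(...)` on the first line leaves the dot unescaped while every other entry in this file writes `\.`; file-context paths are regular expressions, so `.` matches any character and this entry also labels names such as `/etc/policydXconf`. Change it to `/etc/policyd\.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t,s0)`, which also removes the stray space before `s0` that the exec and pid lines share with it.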
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
new file mode 100644
index 00000000..feae93b0
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -0,0 +1,40 @@
+## <summary>Postfix policy server</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postfixpolicyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postfixpolicyd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+ type postfix_policyd_var_run_t;
+ type postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_policyd_t)
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_policyd_conf_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postfix_policyd_var_run_t)
+')
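Review bot: The `postfixpolicyd_admin` summary reads `an postfixpolicyd environment`; `a postfixpolicyd environment` is the grammatical form, and the same typo appears in the postgrey admin interface later in this diff. The interface also grants `ptrace` on postfix_policyd_t, which lets the admin role read the daemon's memory, including anything sensitive it loaded from `/etc/policyd.conf`; if the role only needs to start, stop and signal the service, `allow $1 postfix_policyd_t:process signal_perms;` is sufficient and ptrace can be a separate, deliberate grant.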
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
new file mode 100644
index 00000000..72575268
--- /dev/null
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -0,0 +1,53 @@
+policy_module(postfixpolicyd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type postfix_policyd_t;
+type postfix_policyd_exec_t;
+init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+
+type postfix_policyd_conf_t;
+files_config_file(postfix_policyd_conf_t)
+
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
+type postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+
+allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+
+manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+corenet_tcp_bind_generic_node(postfix_policyd_t)
+corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+
+files_read_etc_files(postfix_policyd_t)
+files_read_usr_files(postfix_policyd_t)
+
+logging_send_syslog_msg(postfix_policyd_t)
+
+miscfiles_read_localization(postfix_policyd_t)
+
+sysnet_dns_name_resolve(postfix_policyd_t)
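Review bot: `corenet_tcp_bind_mysqld_port(postfix_policyd_t)` near the end of the local policy lets the policy daemon bind the MySQL port, yet nothing in the hunk allows it to connect to that port, and a Postfix policy server is a database client rather than a server. This looks like a typo for `corenet_tcp_connect_mysqld_port(postfix_policyd_t)`; as written the daemon could squat on the mysqld listener while its real database connections would be denied unless they use a unix socket, which would instead need a `mysql_stream_connect` call inside an optional_policy block. The `sys_chroot` capability is also unexplained; a one-line comment on why policyd chroots, or dropping it if it does not, would help the next reader.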
diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc
new file mode 100644
index 00000000..e731841c
--- /dev/null
+++ b/policy/modules/contrib/postgrey.fc
@@ -0,0 +1,12 @@
+
+/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
+/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
new file mode 100644
index 00000000..ad15fde7
--- /dev/null
+++ b/policy/modules/contrib/postgrey.if
@@ -0,0 +1,81 @@
+## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+## Write to postgrey socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+ stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+ stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Search the spool directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+ gen_require(`
+ type postgrey_spool_t;
+ ')
+
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an postgrey environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgrey domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+ gen_require(`
+ type postgrey_t, postgrey_etc_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+ type postgrey_initrc_exec_t;
+ ')
+
+ allow $1 postgrey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgrey_t)
+
+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgrey_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postgrey_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, postgrey_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postgrey_var_run_t)
+')
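Review bot: postgrey_admin omits postgrey_spool_t, even though the spool type is declared in postgrey.te, labelled under /var/spool/postfix/postgrey in postgrey.fc and handed out by postgrey_stream_connect in this same file, so an administrator role cannot inspect or clean up the grey-listing socket directory. Add `type postgrey_spool_t;` to the gen_require and `files_list_spool($1)` / `admin_pattern($1, postgrey_spool_t)` next to the other admin_pattern calls. Separately, postgrey_stream_connect grants a stream_connect_pattern on postgrey_spool_t but only files_search_pids($1); reaching a socket under the postfix spool presumably also needs search access to /var/spool and the postfix spool directory, which is worth confirming against the intended callers. The summary "an postgrey environment" should read "a postgrey environment".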
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
new file mode 100644
index 00000000..db843e2c
--- /dev/null
+++ b/policy/modules/contrib/postgrey.te
@@ -0,0 +1,107 @@
+policy_module(postgrey, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type postgrey_t;
+type postgrey_exec_t;
+init_daemon_domain(postgrey_t, postgrey_exec_t)
+
+type postgrey_etc_t;
+files_config_file(postgrey_etc_t)
+
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
+type postgrey_var_lib_t;
+files_type(postgrey_var_lib_t)
+
+type postgrey_var_run_t;
+files_pid_file(postgrey_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postgrey_t self:capability { chown dac_override setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+allow postgrey_t self:process signal_perms;
+allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
+
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
+manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+
+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(postgrey_t)
+kernel_read_kernel_sysctls(postgrey_t)
+
+# for perl
+corecmd_search_bin(postgrey_t)
+
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
+corenet_tcp_sendrecv_generic_if(postgrey_t)
+corenet_tcp_sendrecv_generic_node(postgrey_t)
+corenet_tcp_sendrecv_all_ports(postgrey_t)
+corenet_tcp_bind_generic_node(postgrey_t)
+corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
+
+dev_read_urand(postgrey_t)
+dev_read_sysfs(postgrey_t)
+
+domain_use_interactive_fds(postgrey_t)
+
+files_read_etc_files(postgrey_t)
+files_read_etc_runtime_files(postgrey_t)
+files_read_usr_files(postgrey_t)
+files_getattr_tmp_dirs(postgrey_t)
+
+fs_getattr_all_fs(postgrey_t)
+fs_search_auto_mountpoints(postgrey_t)
+
+logging_send_syslog_msg(postgrey_t)
+
+miscfiles_read_localization(postgrey_t)
+
+sysnet_read_config(postgrey_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
+
+optional_policy(`
+ nis_use_ypbind(postgrey_t)
+')
+
+optional_policy(`
+ postfix_read_config(postgrey_t)
+ postfix_manage_spool_files(postgrey_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+')
+
+optional_policy(`
+ udev_read_db(postgrey_t)
+')
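Review bot: postgrey_t manages postgrey_spool_t, but the only rule that could give it search access towards /var/spool/postfix/postgrey is postfix_manage_spool_files inside the postfix optional_policy block; without the postfix module the spool directory is unreachable, and with it postgrey_t presumably gains manage rights over every postfix_spool_t object rather than just its own subdirectory. Consider an unconditional `files_search_spool(postgrey_t)` beside the postgrey_spool_t manage rules, and prefer a narrower postfix spool search interface inside the optional block if one exists. A comment above that block, `# greylisting socket lives under /var/spool/postfix/postgrey`, would record why postfix spool access is needed at all.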
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
new file mode 100644
index 00000000..2d82c6d0
--- /dev/null
+++ b/policy/modules/contrib/ppp.fc
@@ -0,0 +1,38 @@
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
+#
+# /sbin
+#
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
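Review bot: The pid pattern `/var/run/(i)?ppp.*pid[^/]*` is looser than it needs to be: the unanchored `.*` also crosses directory separators and the trailing `[^/]*` adds nothing after `pid`, so any regular file whose name starts with ppp or ippp and contains "pid" anywhere below /var/run matches. If the intent is pppd's own pid files, `/var/run/(i)?ppp[^/]*\.pid --` is tighter and matches the escaping style used by `/var/run/pppd[0-9]*\.tdb` two lines later; the subdirectory case is already covered by `/var/run/ppp(/.*)?`.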
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
new file mode 100644
index 00000000..de4bdb7e
--- /dev/null
+++ b/policy/modules/contrib/ppp.if
@@ -0,0 +1,390 @@
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+
+########################################
+## <summary>
+## Use PPP file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## and use PPP file discriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ppp_dontaudit_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send ppp a kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a generic signal to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signal',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a generic signull to PPP.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_signull',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute domain in the ppp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_domtrans',`
+ gen_require(`
+ type pppd_t, pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
+')
+
+########################################
+## <summary>
+## Conditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run_cond',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
+')
+
+########################################
+## <summary>
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_run',`
+ gen_require(`
+ attribute_role pppd_roles;
+ ')
+
+ ppp_domtrans($1)
+ roleattribute $2 pppd_roles;
+')
+
+########################################
+## <summary>
+## Execute domain in the ppp caller.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_exec',`
+ gen_require(`
+ type pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pppd_exec_t)
+')
+
+########################################
+## <summary>
+## Read ppp configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_config',`
+ gen_require(`
+ type pppd_etc_t;
+ ')
+
+ read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP-writable configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_rw_config',`
+ gen_require(`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_secrets',`
+ gen_require(`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_read_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_manage_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete PPP pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ppp_pid_filetrans',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pppd_var_run_t, file)
+')
+
+########################################
+## <summary>
+## Execute ppp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ppp_initrc_domtrans',`
+ gen_require(`
+ type pppd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ppp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+ type pppd_etc_t, pppd_secret_t;
+ type pppd_etc_rw_t, pppd_var_run_t;
+
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t;
+ ')
+
+ allow $1 pppd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pppd_t)
+
+ ppp_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pppd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pppd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pppd_log_t)
+
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
+
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+ allow $1 pptp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pptp_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+')
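Review bot: Two interface summaries are copy-paste errors: ppp_initrc_domtrans says "Execute ppp server in the ntpd domain" and ppp_pid_filetrans repeats the ppp_manage_pid_files summary "Create, read, write, and delete PPP pid files"; replace them with `## Execute the ppp init script in the initrc domain.` and `## Create PPP pid files in the pid directory with an automatic type transition.` respectively. ppp_read_pid_files and ppp_manage_pid_files grant only file permissions on pppd_var_run_t with no `files_search_pids($1)`, so a caller that cannot already search /var/run is still denied; postgrey_stream_connect earlier in this diff pairs the two. "discriptors" in ppp_use_fds and ppp_dontaudit_use_fds should be "descriptors", and ppp_run_cond binds the role with `role $2 types pppd_t;` while ppp_run uses the pppd_roles attribute, so the two role-granting interfaces should agree. The stray blank line inside ppp_sigchld's gen_require and the doubled `#` above ppp_kill are leftovers worth removing.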
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
new file mode 100644
index 00000000..bcbf9acb
--- /dev/null
+++ b/policy/modules/contrib/ppp.te
@@ -0,0 +1,325 @@
+policy_module(ppp, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod, false)
+
+## <desc>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
+## </desc>
+gen_tunable(pppd_for_user, false)
+
+attribute_role pppd_roles;
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t, pppd_exec_t)
+role pppd_roles types pppd_t;
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_initrc_exec_t alias pppd_script_exec_t;
+init_script_file(pppd_initrc_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t, pptp_exec_t)
+role pppd_roles types pptp_t;
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process { getsched signal };
+allow pppd_t self:fifo_file rw_fifo_file_perms;
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
+filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+allow pppd_t pppd_lock_t:file manage_file_perms;
+files_lock_filetrans(pppd_t, pppd_lock_t, file)
+
+allow pppd_t pppd_log_t:file manage_file_perms;
+logging_log_filetrans(pppd_t, pppd_log_t, file)
+
+manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+
+manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, file)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file read_file_perms;
+
+ppp_initrc_domtrans(pppd_t)
+
+kernel_read_kernel_sysctls(pppd_t)
+kernel_read_system_state(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_request_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
+
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
+corenet_tcp_sendrecv_generic_if(pppd_t)
+corenet_raw_sendrecv_generic_if(pppd_t)
+corenet_udp_sendrecv_generic_if(pppd_t)
+corenet_tcp_sendrecv_generic_node(pppd_t)
+corenet_raw_sendrecv_generic_node(pppd_t)
+corenet_udp_sendrecv_generic_node(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+# Access /dev/ppp.
+corenet_rw_ppp_dev(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_interactive_fds(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_manage_etc_runtime_files(pppd_t)
+files_dontaudit_write_etc_files(pppd_t)
+
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_utmp(pppd_t)
+init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
+
+auth_use_nsswitch(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+logging_send_audit_msgs(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+sysnet_etc_filetrans_config(pppd_t)
+
+userdom_use_user_terminals(pppd_t)
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
+
+ppp_exec(pppd_t)
+
+optional_policy(`
+ ddclient_run(pppd_t, pppd_roles)
+')
+
+optional_policy(`
+ tunable_policy(`pppd_can_insmod',`
+ modutils_domtrans_insmod(pppd_t)
+ ')
+')
+
+optional_policy(`
+ mta_send_mail(pppd_t)
+')
+
+optional_policy(`
+ networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(pppd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`
+ udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:process signal;
+allow pptp_t self:fifo_file rw_fifo_file_perms;
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow pptp_t pppd_etc_t:dir list_dir_perms;
+allow pptp_t pppd_etc_t:file read_file_perms;
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+allow pptp_t pppd_etc_rw_t:file read_file_perms;
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append_file_perms;
+
+allow pptp_t pptp_log_t:file manage_file_perms;
+logging_log_filetrans(pptp_t, pptp_log_t, file)
+
+manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctls(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
+corenet_tcp_sendrecv_generic_if(pptp_t)
+corenet_raw_sendrecv_generic_if(pptp_t)
+corenet_tcp_sendrecv_generic_node(pptp_t)
+corenet_raw_sendrecv_generic_node(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
+
+files_read_etc_files(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_ioctl_generic_ptys(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_interactive_fds(pptp_t)
+
+auth_use_nsswitch(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_exec_ifconfig(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
+userdom_signal_unpriv_users(pptp_t)
+
+optional_policy(`
+ consoletype_exec(pppd_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(pptp_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`
+ udev_read_db(pptp_t)
+')
+
+optional_policy(`
+ postfix_read_config(pppd_t)
+')
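Review bot: The optional_policy blocks at the end of the PPTP section (consoletype_exec, dbus_system_domain with networkmanager_dbus_chat, and postfix_read_config) all target pppd_t rather than pptp_t, so they belong with the other pppd_t optional_policy blocks after ppp_exec(pppd_t); a reader auditing pptp_t's permissions would otherwise misattribute them. The `# for SSP` comment above the pppd_secret_t read rule is stale, since stack-protector support relates to the dev_read_urand call further down and not to secret-file access; drop it and keep a single `# Read the pap/chap password files`. Note also that pppd_t manages pppd_etc_rw_t and file-transitions new files under /etc/ppp to that type, while pptp_t has can_exec on the same type, so a pppd-writable location is executable by pptp; if that is intended for the peer scripts, a comment next to the can_exec saying so would help.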
diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc
new file mode 100644
index 00000000..ec0e76a4
--- /dev/null
+++ b/policy/modules/contrib/prelink.fc
@@ -0,0 +1,11 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
+
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/policy/modules/contrib/prelink.if b/policy/modules/contrib/prelink.if
new file mode 100644
index 00000000..93ec1755
--- /dev/null
+++ b/policy/modules/contrib/prelink.if
@@ -0,0 +1,204 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelink_domtrans',`
+ gen_require(`
+ type prelink_t, prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr;
+ ')
+')
+
+########################################
+## <summary>
+## Execute the prelink program in the current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the prelink domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelink_run',`
+ gen_require(`
+ type prelink_t;
+ ')
+
+ prelink_domtrans($1)
+ role $2 types prelink_t;
+')
+
+########################################
+## <summary>
+## Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+## <summary>
+## File type to be prelinked.
+## </summary>
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+ gen_require(`
+ attribute prelink_object;
+ ')
+
+ typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+## Read the prelink cache.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_read_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 prelink_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_delete_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ allow $1 prelink_cache_t:file unlink;
+ files_rw_etc_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink log files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_log',`
+ gen_require(`
+ type prelink_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, prelink_log_t, prelink_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink var_lib files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabelfrom_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
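Review bot: Several interfaces document their argument as `<param name="file_type">` although it is a domain (prelink_read_cache, prelink_delete_cache, prelink_manage_log, prelink_manage_lib); only prelink_object_file really takes a file type, so the others should use `<param name="domain">` to match their "Domain allowed access" text and the generated documentation. The summaries of prelink_relabelfrom_lib and prelink_relabel_lib both read "Relabel from files in the /boot directory", which does not describe the prelink_var_lib_t rules they contain; suggest `## Relabel from prelink var_lib files.` and `## Relabel prelink var_lib files.`. prelink_run carries the same summary as prelink_domtrans and should mention that it also assigns the role, e.g. `## Execute prelink in the prelink domain and allow the specified role the prelink domain.`.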
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
new file mode 100644
index 00000000..af553699
--- /dev/null
+++ b/policy/modules/contrib/prelink.te
@@ -0,0 +1,164 @@
+policy_module(prelink, 1.10.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t, prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+type prelink_tmp_t;
+files_tmp_file(prelink_tmp_t)
+
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
+type prelink_var_lib_t;
+files_type(prelink_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
+allow prelink_t self:process { execheap execmem execstack signal };
+allow prelink_t self:fifo_file rw_fifo_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir setattr;
+create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
+
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
+
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
+
+dev_read_urand(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_files(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_manage_var_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+selinux_get_enforce_mode(prelink_t)
+
+libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+userdom_use_user_terminals(prelink_t)
+
+optional_policy(`
+ amanda_manage_lib(prelink_t)
+')
+
+optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+')
+
+optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
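Review bot: The optional `unconfined_domain(prelink_t)` at the end of the local policy makes every grant above it moot whenever the unconfined module is loaded, and nothing explains the choice; a comment such as `# prelink rewrites executables and libraries system-wide; treat it as unconfined where that module exists` would record that it is deliberate rather than a leftover. Even without it, prelink_t receives corecmd_manage_all_executables, libs_manage_shared_libs and relabel rights on both plus execheap/execmem/execstack on itself, so the confinement is mostly about keeping prelinked files correctly labelled; the relabel rules deserve a one-line why-comment saying so. In the cron section, `allow prelink_cron_system_t prelink_t:process noatsecure;` lets the transition into prelink_t skip the secure-exec environment scrubbing; if that is needed to pass environment through from cron, a comment beside it should say which variables.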
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
new file mode 100644
index 00000000..3bd847af
--- /dev/null
+++ b/policy/modules/contrib/prelude.fc
@@ -0,0 +1,18 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
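Review bot: `/var/log/prelude.*` has no type flag and an unescaped dot, so it labels any file or directory under /var/log whose name merely starts with `prelude` — including anything another component or tool happens to create there — as prelude_log_t, which prelude_t can then create, write and delete via its manage_files_pattern in prelude.te. If the intent is the manager's own log plus its rotated copies, `/var/log/prelude\.log.* -- gen_context(system_u:object_r:prelude_log_t,s0)` is the tighter match (confirm the actual log filename prelude-manager writes before narrowing it). The first and prewikka lines also use `, s0` while the rest use `,s0`; pick one spacing.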
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
new file mode 100644
index 00000000..23166537
--- /dev/null
+++ b/policy/modules/contrib/prelude.if
@@ -0,0 +1,144 @@
+## <summary>Prelude hybrid intrusion detection system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans',`
+ gen_require(`
+ type prelude_t, prelude_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_exec_t, prelude_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run prelude_audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans_audisp',`
+ gen_require(`
+ type prelude_audisp_t, prelude_audisp_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+')
+
+########################################
+## <summary>
+## Signal the prelude_audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed acccess.
+## </summary>
+## </param>
+#
+interface(`prelude_signal_audisp',`
+ gen_require(`
+ type prelude_audisp_t;
+ ')
+
+ allow $1 prelude_audisp_t:process signal;
+')
+
+########################################
+## <summary>
+## Read the prelude spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## Manage to prelude-manager spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an prelude environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelude_admin',`
+ gen_require(`
+ type prelude_t, prelude_spool_t;
+ type prelude_var_run_t, prelude_var_lib_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
+ ')
+
+ allow $1 prelude_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_t)
+
+ allow $1 prelude_audisp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
+
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
+')
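Review bot: prelude_admin leaves out two of the module's own types: prelude_log_t (declared in prelude.te and labelled on /var/log/prelude.* in prelude.fc) gets no admin_pattern, and prelude_correlator_t receives neither the ptrace/signal rule nor the ps_process_pattern that prelude_t, prelude_audisp_t and prelude_lml_t get, so a role built from this interface cannot inspect or rotate the manager's logs nor signal the correlator. prelude_correlator_config_t is likewise uncovered, so the same role cannot manage /etc/prelude-correlator. Each added type has to appear in gen_require or the interface fails to link when another module calls it. The rewritten parts are below; the existing process rules, the init script transition and the existing admin_pattern lines are unchanged.
```selinux
interface(`prelude_admin',`
	gen_require(`
		type prelude_t, prelude_spool_t, prelude_log_t;
		type prelude_var_run_t, prelude_var_lib_t;
		type prelude_audisp_t, prelude_audisp_var_run_t;
		type prelude_correlator_t, prelude_correlator_config_t;
		type prelude_initrc_exec_t;

		type prelude_lml_t, prelude_lml_tmp_t;
		type prelude_lml_var_run_t;
	')

	# … unchanged: ptrace/signal_perms and ps_process_pattern for prelude_t, prelude_audisp_t, prelude_lml_t …

	allow $1 prelude_correlator_t:process { ptrace signal_perms };
	ps_process_pattern($1, prelude_correlator_t)

	# … unchanged: init_labeled_script_domtrans, domain_system_change_exemption, role_transition, allow $2 system_r …

	# … unchanged: admin_pattern lines for spool, var_lib, var_run, audisp_var_run, lml_tmp, lml_var_run …

	logging_list_logs($1)
	admin_pattern($1, prelude_log_t)

	files_list_etc($1)
	admin_pattern($1, prelude_correlator_config_t)
')
```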
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
new file mode 100644
index 00000000..b1bc02c7
--- /dev/null
+++ b/policy/modules/contrib/prelude.te
@@ -0,0 +1,308 @@
+policy_module(prelude, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type prelude_t;
+type prelude_exec_t;
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
+type prelude_audisp_t;
+type prelude_audisp_exec_t;
+init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
+type prelude_audisp_var_run_t;
+files_pid_file(prelude_audisp_var_run_t)
+
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
+########################################
+#
+# prelude local policy
+#
+
+allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
+manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
+
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
+corecmd_search_bin(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
+corenet_all_recvfrom_netlabel(prelude_t)
+corenet_tcp_sendrecv_generic_if(prelude_t)
+corenet_tcp_sendrecv_generic_node(prelude_t)
+corenet_tcp_bind_generic_node(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
+corenet_tcp_connect_mysqld_port(prelude_t)
+
+dev_read_rand(prelude_t)
+dev_read_urand(prelude_t)
+
+files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
+files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
+
+auth_use_nsswitch(prelude_t)
+
+logging_send_audit_msgs(prelude_t)
+logging_send_syslog_msg(prelude_t)
+
+miscfiles_read_localization(prelude_t)
+
+optional_policy(`
+ mysql_search_db(prelude_t)
+ mysql_stream_connect(prelude_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(prelude_t)
+')
+
+########################################
+#
+# prelude_audisp local policy
+#
+
+allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:process { getcap setcap };
+allow prelude_audisp_t self:fifo_file rw_file_perms;
+allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
+allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_audisp_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_audisp_t)
+
+manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
+corecmd_search_bin(prelude_audisp_t)
+
+corenet_all_recvfrom_unlabeled(prelude_audisp_t)
+corenet_all_recvfrom_netlabel(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
+corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
+corenet_tcp_bind_generic_node(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
+
+dev_read_rand(prelude_audisp_t)
+dev_read_urand(prelude_audisp_t)
+
+# Init script handling
+domain_use_interactive_fds(prelude_audisp_t)
+
+files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
+
+logging_send_syslog_msg(prelude_audisp_t)
+
+miscfiles_read_localization(prelude_audisp_t)
+
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+files_list_tmp(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_lml_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+fs_getattr_all_fs(prelude_lml_t)
+fs_list_inotifyfs(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
+########################################
+#
+# prewikka_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(prewikka)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
+
+ optional_policy(`
+ mysql_search_db(httpd_prewikka_script_t)
+ mysql_stream_connect(httpd_prewikka_script_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_prewikka_script_t)
+ ')
+')
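Review bot: All four daemon domains get full manage rights on the single prelude_spool_t type (prelude_t, prelude_audisp_t and prelude_lml_t through their own manage_dirs/manage_files lines, prelude_correlator_t through prelude_manage_spool), and prelude.fc maps both /var/spool/prelude and /var/spool/prelude-manager to that one type, so a compromised sensor — prelude_lml_t in particular parses arbitrary log content and is allowed corecmd_exec_bin and libs_exec_lib_files — can alter or delete the manager's queued events, not just its own spool. If the sensors only need their own per-profile spool directories, a separate sensor spool type would enforce that split; at minimum the sharing should be stated above the prelude_spool_t declaration, e.g. `# NOTE: shared by the manager, audisp, correlator and lml domains; any sensor can modify the manager's spool`. Separately, `allow prelude_t self:capability { dac_override sys_tty_config };` grants sys_tty_config where privoxy.te and psad.te in this same commit use `dontaudit ... sys_tty_config;`, the usual treatment for that spurious daemon request; unless prelude-manager really configures a tty, split it into `allow prelude_t self:capability dac_override;` and `dontaudit prelude_t self:capability sys_tty_config;`.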
diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc
new file mode 100644
index 00000000..be4998ab
--- /dev/null
+++ b/policy/modules/contrib/privoxy.fc
@@ -0,0 +1,6 @@
+/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+
+/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
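Review bot: privoxy_var_run_t is declared in privoxy.te and privoxy_t labels its pid file only through files_pid_filetrans, but this context list has no entry for it, so a restorecon of /var/run resets the pid file to var_run_t and the admin_pattern on privoxy_var_run_t in privoxy_admin then matches nothing. Adding the daemon's real pid path, e.g. `/var/run/privoxy\.pid -- gen_context(system_u:object_r:privoxy_var_run_t,s0)` (confirm the filename against the init script before committing), keeps the type stable across relabels.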
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
new file mode 100644
index 00000000..afd17516
--- /dev/null
+++ b/policy/modules/contrib/privoxy.if
@@ -0,0 +1,42 @@
+## <summary>Privacy enhancing web proxy.</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an privoxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`privoxy_admin',`
+ gen_require(`
+ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+ allow $1 privoxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, privoxy_t)
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 privoxy_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, privoxy_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, privoxy_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, privoxy_var_run_t)
+')
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
new file mode 100644
index 00000000..2dbf4d49
--- /dev/null
+++ b/policy/modules/contrib/privoxy.te
@@ -0,0 +1,103 @@
+policy_module(privoxy, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(privoxy_connect_any, false)
+
+type privoxy_t; # web_client_domain
+type privoxy_exec_t;
+init_daemon_domain(privoxy_t, privoxy_exec_t)
+
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
+type privoxy_log_t;
+logging_log_file(privoxy_log_t)
+
+type privoxy_var_run_t;
+files_pid_file(privoxy_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow privoxy_t self:capability { setgid setuid };
+dontaudit privoxy_t self:capability sys_tty_config;
+allow privoxy_t self:tcp_socket create_stream_socket_perms;
+
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
+manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
+logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+
+manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+kernel_read_system_state(privoxy_t)
+kernel_read_kernel_sysctls(privoxy_t)
+
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
+corenet_tcp_sendrecv_generic_if(privoxy_t)
+corenet_tcp_sendrecv_generic_node(privoxy_t)
+corenet_tcp_sendrecv_all_ports(privoxy_t)
+corenet_tcp_bind_generic_node(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
+corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
+corenet_tcp_connect_squid_port(privoxy_t)
+corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+corenet_tcp_connect_tor_port(privoxy_t)
+corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_sendrecv_squid_client_packets(privoxy_t)
+corenet_sendrecv_http_cache_server_packets(privoxy_t)
+corenet_sendrecv_http_client_packets(privoxy_t)
+corenet_sendrecv_ftp_client_packets(privoxy_t)
+corenet_sendrecv_tor_client_packets(privoxy_t)
+
+dev_read_sysfs(privoxy_t)
+
+fs_getattr_all_fs(privoxy_t)
+fs_search_auto_mountpoints(privoxy_t)
+
+domain_use_interactive_fds(privoxy_t)
+
+files_read_etc_files(privoxy_t)
+
+auth_use_nsswitch(privoxy_t)
+
+logging_send_syslog_msg(privoxy_t)
+
+miscfiles_read_localization(privoxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+userdom_dontaudit_search_user_home_dirs(privoxy_t)
+# cjp: this should really not be needed
+userdom_use_user_terminals(privoxy_t)
+
+tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_sendrecv_all_client_packets(privoxy_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(privoxy_t)
+')
+
+optional_policy(`
+ udev_read_db(privoxy_t)
+')
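Review bot: `userdom_use_user_terminals(privoxy_t)` gives a network-facing proxy read/write access to every logged-in user's terminal device, and the inherited comment on the line above already says it should not be needed; the treatment given two lines earlier to user fds and home dirs is the right one here too, i.e. replace it with `userdom_dontaudit_use_user_terminals(privoxy_t)` if that interface exists in this tree, or drop the line and let any denial surface in the audit log. The `<desc>` for privoxy_connect_any also says the default set is "HTTP, FTP, and Gopher ports", but the port rules cover http, http_cache, squid, ftp, pgpkeyserver and tor and nothing for gopher, so the tunable text should be corrected to match the rules (or a gopher connect rule added if that was the intent).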
diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
new file mode 100644
index 00000000..1343621b
--- /dev/null
+++ b/policy/modules/contrib/procmail.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.if b/policy/modules/contrib/procmail.if
new file mode 100644
index 00000000..b64b02fd
--- /dev/null
+++ b/policy/modules/contrib/procmail.if
@@ -0,0 +1,79 @@
+## <summary>Procmail mail delivery agent</summary>
+
+########################################
+## <summary>
+## Execute procmail with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`procmail_domtrans',`
+ gen_require(`
+ type procmail_exec_t, procmail_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, procmail_exec_t, procmail_t)
+')
+
+########################################
+## <summary>
+## Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_exec',`
+ gen_require(`
+ type procmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, procmail_exec_t)
+')
+
+########################################
+## <summary>
+## Read procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
new file mode 100644
index 00000000..29b92956
--- /dev/null
+++ b/policy/modules/contrib/procmail.te
@@ -0,0 +1,150 @@
+policy_module(procmail, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type procmail_t;
+type procmail_exec_t;
+application_domain(procmail_t, procmail_exec_t)
+role system_r types procmail_t;
+
+type procmail_log_t;
+logging_log_file(procmail_log_t)
+
+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:process { setsched signal signull };
+allow procmail_t self:fifo_file rw_fifo_file_perms;
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
+
+can_exec(procmail_t, procmail_exec_t)
+
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
+allow procmail_t procmail_log_t:dir setattr;
+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+
+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
+kernel_read_system_state(procmail_t)
+kernel_read_kernel_sysctls(procmail_t)
+
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
+corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
+corenet_tcp_sendrecv_generic_node(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
+corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_sendrecv_comsat_client_packets(procmail_t)
+
+dev_read_urand(procmail_t)
+
+fs_getattr_xattr_fs(procmail_t)
+fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
+
+auth_use_nsswitch(procmail_t)
+
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+corecmd_read_bin_symlinks(procmail_t)
+
+files_read_etc_files(procmail_t)
+files_read_etc_runtime_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
+files_read_usr_files(procmail_t)
+
+logging_send_syslog_msg(procmail_t)
+
+miscfiles_read_localization(procmail_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_user_home_dirs(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(procmail_t)
+ fs_manage_nfs_files(procmail_t)
+ fs_manage_nfs_symlinks(procmail_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(procmail_t)
+ fs_manage_cifs_files(procmail_t)
+ fs_manage_cifs_symlinks(procmail_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+ clamav_search_lib(procmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(procmail_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
+ postfix_dontaudit_use_fds(procmail_t)
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(procmail_t)
+ pyzor_signal(procmail_t)
+')
+
+optional_policy(`
+ mta_read_config(procmail_t)
+ sendmail_domtrans(procmail_t)
+ sendmail_signal(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(procmail_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(procmail_t)
+ corenet_dontaudit_udp_bind_all_ports(procmail_t)
+
+ spamassassin_domtrans_local_client(procmail_t)
+ spamassassin_domtrans_client(procmail_t)
+ spamassassin_read_lib_files(procmail_t)
+')
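Review bot: The `{ file dir }` in `logging_log_filetrans(procmail_t, procmail_log_t, { file dir })` sets up a directory type transition, but the only rights procmail_t holds on procmail_log_t directories are `setattr` plus what create_files_pattern adds for adding entries, not `create`, so the domain cannot actually create a procmail_log_t directory under /var/log and the dir half of the transition is dead unless create is granted elsewhere. Either add `create_dirs_pattern(procmail_t, procmail_log_t, procmail_log_t)` to match the `/var/log/procmail(/.*)?` context in procmail.fc, or narrow the filetrans to `file` so the rule reflects what is allowed. Do not go further than create here: this domain runs user-controlled recipes with exec_shell and setuid, so keeping log access to create/append rather than manage is the appropriate scope.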
diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc
new file mode 100644
index 00000000..6c66d448
--- /dev/null
+++ b/policy/modules/contrib/psad.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
+/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
new file mode 100644
index 00000000..bc329d18
--- /dev/null
+++ b/policy/modules/contrib/psad.if
@@ -0,0 +1,262 @@
+## <summary>Intrusion Detection and Log Analysis with iptables</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`psad_domtrans',`
+ gen_require(`
+ type psad_t, psad_exec_t;
+ ')
+
+ domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to psad
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signal',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+## Send a null signal to psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signull',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+## Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+## Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_manage_config',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_read_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_read_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_append_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+ gen_require(`
+ type psad_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an psad environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+ gen_require(`
+ type psad_t, psad_var_run_t, psad_var_log_t;
+ type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_tmp_t;
+ ')
+
+ allow $1 psad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, psad_t)
+
+ init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 psad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+')
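Review bot: psad_rw_fifo_file requires `type psad_t;` but its body uses psad_var_lib_t, and psad_admin's gen_require lists psad_t, psad_var_run_t, psad_var_log_t, psad_initrc_exec_t, psad_var_lib_t and psad_tmp_t yet calls `admin_pattern($1, psad_etc_t)`; in both cases the unlisted type is out of scope when another module calls the interface, so the build fails on first use. Change the first gen_require to `type psad_var_lib_t;` and the admin one's first line to `type psad_t, psad_var_run_t, psad_var_log_t, psad_etc_t;`. The summary of psad_rw_pid_files also copies the read interface's text and should say `Read and write psad PID files.`.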
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
new file mode 100644
index 00000000..d4000e0d
--- /dev/null
+++ b/policy/modules/contrib/psad.te
@@ -0,0 +1,106 @@
+policy_module(psad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+# config files
+type psad_etc_t;
+files_type(psad_etc_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability sys_tty_config;
+allow psad_t self:process signull;
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t, psad_etc_t, psad_etc_t)
+list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t)
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+
+# tmp files
+manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+corenet_all_recvfrom_unlabeled(psad_t)
+corenet_all_recvfrom_netlabel(psad_t)
+corenet_tcp_sendrecv_generic_if(psad_t)
+corenet_tcp_sendrecv_generic_node(psad_t)
+corenet_tcp_bind_generic_node(psad_t)
+corenet_tcp_sendrecv_all_ports(psad_t)
+corenet_tcp_connect_whois_port(psad_t)
+corenet_sendrecv_whois_client_packets(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+iptables_domtrans(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+sysnet_exec_ifconfig(psad_t)
+
+optional_policy(`
+ mta_send_mail(psad_t)
+ mta_read_queue(psad_t)
+')
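Review bot: `corenet_tcp_sendrecv_all_ports(psad_t)` is much wider than the only TCP peer the domain is otherwise given, the whois port via `corenet_tcp_connect_whois_port(psad_t)`; unless psad is known to reach other ports, the matching grant is `corenet_tcp_sendrecv_whois_port(psad_t)`, and `corenet_tcp_bind_generic_node(psad_t)` looks unused since no port bind is allowed anywhere in the block. The `dac_override` capability in the self:capability line also deserves a one-line comment naming the file psad needs it for, since the domain already owns its etc, log, lib, tmp and pid types and reads generic logs through `logging_read_generic_logs`. The fifo rules on psad_var_lib_t have no `files_var_lib_filetrans`, so a fifo created under a directory that is not already labeled psad_var_lib_t would land in var_lib_t; that is fine only if the .fc (not in this hunk) labels the directory, which is worth stating in the `# /var/lib files` comment.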
diff --git a/policy/modules/contrib/ptchown.fc b/policy/modules/contrib/ptchown.fc
new file mode 100644
index 00000000..9fc398e8
--- /dev/null
+++ b/policy/modules/contrib/ptchown.fc
@@ -0,0 +1 @@
+/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --git a/policy/modules/contrib/ptchown.if b/policy/modules/contrib/ptchown.if
new file mode 100644
index 00000000..96cc0237
--- /dev/null
+++ b/policy/modules/contrib/ptchown.if
@@ -0,0 +1,44 @@
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+ gen_require(`
+ type ptchown_t, ptchown_exec_t;
+ ')
+
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+')
+
+########################################
+## <summary>
+## Execute ptchown in the ptchown domain, and
+## allow the specified role the ptchown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_run',`
+ gen_require(`
+ type ptchown_t;
+ ')
+
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
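Review bot: The module summary on the first line has a typo, "ownship", and this text is what the generated interface documentation shows; suggest `## <summary>Helper for grantpt(3) that changes the ownership and permissions of a pseudo-tty.</summary>`. The two interfaces themselves follow the usual domtrans/run pair and need no change.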
diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te
new file mode 100644
index 00000000..d90245a2
--- /dev/null
+++ b/policy/modules/contrib/ptchown.te
@@ -0,0 +1,31 @@
+policy_module(ptchown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
+term_setattr_all_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
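Review bot: The domain is reachable from any caller that uses `ptchown_domtrans`, and it is granted `chown fowner fsetid setuid` together with `term_setattr_all_ptys` and `term_setattr_generic_ptys`, so nothing in the policy itself stops ptchown_t from re-owning a pty the calling domain does not hold; the only protection left is pt_chown's own check that the pty arrives on a file descriptor the caller already owns. That trust boundary should be written down at the top of the local-policy section, e.g. `# pt_chown is a privileged helper; it must verify the pty it receives on its fd before chown/chmod, since this domain may reach every pty type.` `fs_rw_anon_inodefs_files(ptchown_t)` does not obviously relate to pty ownership and would benefit from a comment saying what it is for, if it is still needed.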
diff --git a/policy/modules/contrib/publicfile.fc b/policy/modules/contrib/publicfile.fc
new file mode 100644
index 00000000..5b20b688
--- /dev/null
+++ b/policy/modules/contrib/publicfile.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0)
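Review bot: `/usr/bin/ftpd` and `/usr/bin/httpd` are generic binary names, so on a system that installs a different ftpd or httpd at those paths the daemon would silently be confined as publicfile_t with only publicfile's tiny permission set; a comment stating that these entries are for djb's publicfile and should be adjusted if another package owns the path would help, and a more specific install path may be appropriate if the package has one. The commented-out `/var/www` entry is presumably disabled because that tree is conventionally labeled by the apache module (apache.fc is part of this same commit), and the comment should say so rather than "set this to suit your needs", since enabling it would relabel apache's content.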
diff --git a/policy/modules/contrib/publicfile.if b/policy/modules/contrib/publicfile.if
new file mode 100644
index 00000000..5b075925
--- /dev/null
+++ b/policy/modules/contrib/publicfile.if
@@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
diff --git a/policy/modules/contrib/publicfile.te b/policy/modules/contrib/publicfile.te
new file mode 100644
index 00000000..32edb73a
--- /dev/null
+++ b/policy/modules/contrib/publicfile.te
@@ -0,0 +1,34 @@
+policy_module(publicfile, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_daemon_domain(publicfile_t, publicfile_exec_t)
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t publicfile_content_t:dir list_dir_perms;
+allow publicfile_t publicfile_content_t:file read_file_perms;
+
+files_search_var(publicfile_t)
+
+optional_policy(`
+ daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
+
+#allow publicfile_t initrc_t:tcp_socket { read write };
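Review bot: The trailing commented-out rule `#allow publicfile_t initrc_t:tcp_socket { read write };` is dead policy with no explanation; it should either be removed or carry a comment saying why it was disabled, otherwise the next maintainer will re-enable it. The `dac_override` capability is also questionable next to `sys_chroot`, `setuid` and `setgid`: if publicfile chroots and drops to an unprivileged uid immediately at startup, as those grants suggest, it never needs to bypass DAC on publicfile_content_t, so that capability should be confirmed against audit logs and otherwise dropped. Content access is limited to `list_dir_perms` and `read_file_perms`; if the served tree contains symlinks, `read_lnk_files_pattern(publicfile_t, publicfile_content_t, publicfile_content_t)` would be needed as well.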
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
new file mode 100644
index 00000000..84f23dca
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
new file mode 100644
index 00000000..f40c64dc
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.if
@@ -0,0 +1,260 @@
+## <summary>Pulseaudio network sound server.</summary>
+
+########################################
+## <summary>
+## Role access for pulseaudio
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pulseaudio_role',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+
+ ps_process_pattern($2, pulseaudio_t)
+
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
+
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_domtrans',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t;
+ ')
+
+ domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_run',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ pulseaudio_domtrans($1)
+ role $2 types pulseaudio_t;
+')
+
+########################################
+## <summary>
+## Execute a pulseaudio in the current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ can_exec($1, pulseaudio_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit to execute a pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Send signull signal to pulseaudio
+## processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
+#####################################
+## <summary>
+## Connect to pulseaudio over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_stream_connect',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## pulseaudio over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dbus_chat',`
+ gen_require(`
+ type pulseaudio_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Set the attributes of the pulseaudio homedir.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_setattr_home_dir',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ allow $1 pulseaudio_home_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Read pulseaudio homedir files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Read and write Pulse Audio files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete pulseaudio
+## home directory files.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
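Review bot: `pulseaudio_stream_connect` contains the reverse grant `allow pulseaudio_t $1:process signull;`, which gives pulseaudio a permission on the calling domain from inside an interface whose summary only promises a unix-stream connection; callers cannot see that from the documentation. Either add it to the summary, e.g. `## Connect to pulseaudio over a unix domain stream socket; also lets pulseaudio signull the caller.`, or split the two signull rules into a separate interface so `stream_connect` does what its name says. `pulseaudio_rw_home_files` has the same kind of mismatch in wording: its summary says "Read and write Pulse Audio files" while the sibling interfaces say "pulseaudio homedir files".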
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
new file mode 100644
index 00000000..901ac9b1
--- /dev/null
+++ b/policy/modules/contrib/pulseaudio.te
@@ -0,0 +1,148 @@
+policy_module(pulseaudio, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type pulseaudio_t;
+type pulseaudio_exec_t;
+init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
+role system_r types pulseaudio_t;
+
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmpfs_t;
+userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
+
+type pulseaudio_var_lib_t;
+files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
+
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
+
+########################################
+#
+# pulseaudio local policy
+#
+
+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
+allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+
+can_exec(pulseaudio_t, pulseaudio_exec_t)
+
+kernel_getattr_proc(pulseaudio_t)
+kernel_read_system_state(pulseaudio_t)
+kernel_read_kernel_sysctls(pulseaudio_t)
+
+corecmd_exec_bin(pulseaudio_t)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_t)
+corenet_all_recvfrom_netlabel(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+
+dev_read_sound(pulseaudio_t)
+dev_write_sound(pulseaudio_t)
+dev_read_sysfs(pulseaudio_t)
+dev_read_urand(pulseaudio_t)
+
+files_read_etc_files(pulseaudio_t)
+files_read_usr_files(pulseaudio_t)
+
+fs_rw_anon_inodefs_files(pulseaudio_t)
+fs_getattr_tmpfs(pulseaudio_t)
+fs_list_inotifyfs(pulseaudio_t)
+
+term_use_all_ttys(pulseaudio_t)
+term_use_all_ptys(pulseaudio_t)
+
+auth_use_nsswitch(pulseaudio_t)
+
+logging_send_syslog_msg(pulseaudio_t)
+
+miscfiles_read_localization(pulseaudio_t)
+
+# cjp: this seems excessive. need to confirm
+userdom_manage_user_home_content_files(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_manage_user_tmpfs_files(pulseaudio_t)
+
+optional_policy(`
+ bluetooth_stream_connect(pulseaudio_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(pulseaudio_t)
+ ')
+')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(pulseaudio_t)
+ policykit_read_lib(pulseaudio_t)
+ policykit_read_reload(pulseaudio_t)
+')
+
+optional_policy(`
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
+')
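Review bot: `term_use_all_ttys(pulseaudio_t)` and `term_use_all_ptys(pulseaudio_t)` let a per-user sound server read and write every tty and pty on the system, including other users' sessions, which is far more than it needs for its own stdout/stderr; the usual grant for a daemon started from a user session is `userdom_use_user_terminals(pulseaudio_t)`, with a `dontaudit` for the rest if the denials are noisy. The block under `# cjp: this seems excessive` grants manage on all user home content, tmp and tmpfs files even though the cookie and `.pulse` directory are already covered by the pulseaudio_home_t rules above; those three lines could be tried as dontaudit first and tightened once the real denials are known. `dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)` makes system-bus activation transition into this domain too, so the same broad terminal access would also apply to a system-wide instance.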
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
new file mode 100644
index 00000000..f42490f3
--- /dev/null
+++ b/policy/modules/contrib/puppet.fc
@@ -0,0 +1,13 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
new file mode 100644
index 00000000..2855a443
--- /dev/null
+++ b/policy/modules/contrib/puppet.if
@@ -0,0 +1,31 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+################################################
+## <summary>
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_rw_tmp', `
+ gen_require(`
+ type puppet_tmp_t;
+ ')
+
+ allow $1 puppet_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+')
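Review bot: The interface name `puppet_rw_tmp` departs from the `<module>_rw_tmp_files` convention the other modules in this commit follow (compare `psad_rw_tmp_files` earlier in the diff), and there is a stray space in `interface(`puppet_rw_tmp', `` that the rest of the file does not have; renaming it to `puppet_rw_tmp_files` would keep the generated documentation consistent. The body itself is fine, though `files_search_tmp($1)` is conventionally placed before the allow rule it supports.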
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
new file mode 100644
index 00000000..8f92a8db
--- /dev/null
+++ b/policy/modules/contrib/puppet.te
@@ -0,0 +1,282 @@
+policy_module(puppet, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t)
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_read_kernel_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+mount_domtrans(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
+
+usermanage_domtrans_passwd(puppet_t)
+
+tunable_policy(`gentoo_try_dontaudit',`
+ dontaudit puppet_t self:capability dac_read_search;
+ userdom_dontaudit_use_user_terminals(puppet_t)
+')
+
+tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_auth_files(puppet_t)
+
+ # We should use files_relabel_all_files here, but it calls
+ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
+ # which is not allowed within a tunable_policy.
+ # So, we duplicate the content of files_relabel_all_files except for
+ # the policy configuration stuff and hope users do that through Portage.
+
+ gen_require(`
+ attribute file_type;
+ attribute security_file_type;
+ type policy_config_t;
+ ')
+
+ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+')
+
+optional_policy(`
+ consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+ hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+')
+
+optional_policy(`
+ mta_send_mail(puppet_t)
+')
+
+optional_policy(`
+ init_exec_rc(puppet_t)
+ portage_run(puppet_t, system_r)
+')
+
+optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+ rpm_manage_db(puppet_t)
+ rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+ unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
+')
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+ hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+ files_read_usr_symlinks(puppetmaster_t)
+
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+')
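Review bot: The block `optional_policy(` unconfined_domain(puppet_t) `)` unconditionally makes puppet_t unconfined on every system where the unconfined module is loaded, which renders all of the careful grants above it, including the `puppet_manage_all_files` tunable and its long relabel list, irrelevant on exactly the systems most likely to run it. As the file's own comment notes, `typeattribute` cannot live inside `tunable_policy`, so this cannot simply be gated by the tunable; it should either be dropped or moved behind a build-time option, and whichever is chosen needs a comment explaining the decision. Separately, `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` references `var_log_t` directly without a `gen_require`, bypassing the logging module's interfaces, and is redundant with the `logging_log_filetrans(puppet_t, puppet_log_t, { file dir })` on the following lines, so it can be removed. Minor: the section header reads "Pupper master".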
diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc
new file mode 100644
index 00000000..44b3a0c4
--- /dev/null
+++ b/policy/modules/contrib/pxe.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
+/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
+
+/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
new file mode 100644
index 00000000..d3d6a6b8
--- /dev/null
+++ b/policy/modules/contrib/pxe.if
@@ -0,0 +1 @@
+## <summary>Server for the PXE network boot protocol</summary>
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
new file mode 100644
index 00000000..fec69ebd
--- /dev/null
+++ b/policy/modules/contrib/pxe.te
@@ -0,0 +1,63 @@
+policy_module(pxe, 1.4.0)
+
+# cjp: policy seems incomplete
+
+########################################
+#
+# Declarations
+#
+
+type pxe_t;
+type pxe_exec_t;
+init_daemon_domain(pxe_t, pxe_exec_t)
+
+type pxe_log_t;
+logging_log_file(pxe_log_t)
+
+type pxe_var_run_t;
+files_pid_file(pxe_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pxe_t self:capability { chown setgid setuid };
+dontaudit pxe_t self:capability sys_tty_config;
+allow pxe_t self:process signal_perms;
+
+allow pxe_t pxe_log_t:file manage_file_perms;
+logging_log_filetrans(pxe_t, pxe_log_t, file)
+
+manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t)
+files_pid_filetrans(pxe_t, pxe_var_run_t, file)
+
+kernel_read_kernel_sysctls(pxe_t)
+kernel_list_proc(pxe_t)
+kernel_read_proc_symlinks(pxe_t)
+
+corenet_udp_bind_pxe_port(pxe_t)
+
+dev_read_sysfs(pxe_t)
+
+domain_use_interactive_fds(pxe_t)
+
+files_read_etc_files(pxe_t)
+
+fs_getattr_all_fs(pxe_t)
+fs_search_auto_mountpoints(pxe_t)
+
+logging_send_syslog_msg(pxe_t)
+
+miscfiles_read_localization(pxe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(pxe_t)
+')
+
+optional_policy(`
+ udev_read_db(pxe_t)
+')
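Review bot: The domain is granted `corenet_udp_bind_pxe_port(pxe_t)` but nothing in this file allows it to create or use a UDP socket at all: there is no `allow pxe_t self:udp_socket ...` rule and no `corenet_udp_sendrecv_generic_if`/`_node`, so unless an interface not visible here supplies them the daemon will fail before it ever binds, which is probably what the `# cjp: policy seems incomplete` note refers to. The minimal addition is `allow pxe_t self:udp_socket create_socket_perms;`, `corenet_udp_sendrecv_generic_if(pxe_t)` and `corenet_udp_sendrecv_generic_node(pxe_t)`, plus `corenet_all_recvfrom_unlabeled(pxe_t)` if the boot clients are on an unlabeled network, as the other daemons in this commit do. The `cjp` comment itself should then say what is still believed to be missing rather than a bare "seems incomplete".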
diff --git a/policy/modules/contrib/pyicqt.fc b/policy/modules/contrib/pyicqt.fc
new file mode 100644
index 00000000..491fe8f8
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.fc
@@ -0,0 +1,7 @@
+/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
new file mode 100644
index 00000000..9604b6a0
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.if
@@ -0,0 +1 @@
+## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
new file mode 100644
index 00000000..a841221a
--- /dev/null
+++ b/policy/modules/contrib/pyicqt.te
@@ -0,0 +1,59 @@
+policy_module(pyicqt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyicqt_t;
+type pyicqt_exec_t;
+init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+
+type pyicqt_conf_t;
+files_config_file(pyicqt_conf_t)
+
+type pyicqt_spool_t;
+files_type(pyicqt_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+########################################
+#
+# PyICQt policy
+#
+
+allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+allow pyicqt_t self:tcp_socket create_socket_perms;
+allow pyicqt_t self:udp_socket create_socket_perms;
+
+read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+
+manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+
+kernel_read_system_state(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+corenet_all_recvfrom_unlabeled(pyicqt_t)
+corenet_all_recvfrom_netlabel(pyicqt_t)
+corenet_tcp_sendrecv_generic_if(pyicqt_t)
+corenet_tcp_sendrecv_generic_node(pyicqt_t)
+corenet_tcp_connect_generic_port(pyicqt_t)
+corenet_sendrecv_generic_client_packets(pyicqt_t)
+
+dev_read_urand(pyicqt_t)
+
+files_read_etc_files(pyicqt_t)
+files_read_usr_files(pyicqt_t)
+
+libs_read_lib_files(pyicqt_t)
+
+miscfiles_read_localization(pyicqt_t)
+
+sysnet_read_config(pyicqt_t)
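Review bot: `corenet_tcp_connect_generic_port(pyicqt_t)` lets the transport connect to any unlabelled TCP port, which is wider than an ICQ-to-XMPP gateway needs; if the ICQ and XMPP ports it talks to carry a label in corenetwork, the matching `corenet_tcp_connect_*_port` interfaces should be used and the generic grant kept only with a comment saying which peer it is for. The domain also has `sysnet_read_config` but nothing that covers name resolution of the remote ICQ hosts; `sysnet_dns_name_resolve(pyicqt_t)` would bundle that and explain the otherwise unexplained `udp_socket create_socket_perms`. pyicqt.if in this commit is a bare summary with no interfaces, so no other domain can be given access to `pyicqt_conf_t` or `pyicqt_spool_t`; if that is deliberate, a comment in the `.if` saying so would help.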
diff --git a/policy/modules/contrib/pyzor.fc b/policy/modules/contrib/pyzor.fc
new file mode 100644
index 00000000..d4a77506
--- /dev/null
+++ b/policy/modules/contrib/pyzor.fc
@@ -0,0 +1,9 @@
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
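Review bot: The first entry writes `gen_context(system_u:object_r:pyzor_etc_t, s0)` with a space before `s0`, unlike every other entry in this and the sibling files; m4 drops the leading whitespace so it labels correctly, but it should be normalized to `gen_context(system_u:object_r:pyzor_etc_t,s0)`. `/var/log/pyzord\.log` is labelled as a single file, while pyzor.te's `logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })` also transitions directories; if the daemon never creates a log directory, the `dir` in the filetrans can go, otherwise a directory pattern belongs here.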
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
new file mode 100644
index 00000000..494f7e22
--- /dev/null
+++ b/policy/modules/contrib/pyzor.if
@@ -0,0 +1,90 @@
+## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+
+########################################
+## <summary>
+## Role access for pyzor
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pyzor_role',`
+ gen_require(`
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
+ ')
+
+ role $1 types pyzor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
+
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+ allow $2 pyzor_t:process signal;
+')
+
+########################################
+## <summary>
+## Send generic signals to pyzor
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_signal',`
+ gen_require(`
+ type pyzor_t;
+ ')
+
+ allow $1 pyzor_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+ gen_require(`
+ type pyzor_exec_t, pyzor_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pyzor_exec_t, pyzor_t)
+')
+
+########################################
+## <summary>
+## Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pyzor_exec',`
+ gen_require(`
+ type pyzor_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, pyzor_exec_t)
+')
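Review bot: `pyzor_role` requires `pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t` but never references any of them, so the require line is dead; either remove it or use it to grant the user domain management of its derived home content (the usual shape of a `*_role` interface, to be confirmed against the neighbouring role interfaces), e.g. `manage_dirs_pattern($2, pyzor_home_t, pyzor_home_t)` and `manage_files_pattern($2, pyzor_home_t, pyzor_home_t)`. The role interface also inlines `domtrans_pattern($2, pyzor_exec_t, pyzor_t)` while `pyzor_domtrans` below wraps the same transition together with the `files_search_usr`/`corecmd_search_bin` it needs; calling `pyzor_domtrans($2)` keeps the two paths in step.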
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
new file mode 100644
index 00000000..c8fb70b4
--- /dev/null
+++ b/policy/modules/contrib/pyzor.te
@@ -0,0 +1,146 @@
+policy_module(pyzor, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyzor_t;
+type pyzor_exec_t;
+typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+userdom_user_application_domain(pyzor_t, pyzor_exec_t)
+role system_r types pyzor_t;
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzor_home_t;
+typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+userdom_user_home_content(pyzor_home_t)
+
+type pyzor_tmp_t;
+typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+userdom_user_tmp_file(pyzor_tmp_t)
+
+type pyzor_var_lib_t;
+typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
+
+type pyzord_t;
+type pyzord_exec_t;
+init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+########################################
+#
+# Pyzor client local policy
+#
+
+allow pyzor_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
+
+allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
+
+manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(pyzor_t)
+kernel_read_system_state(pyzor_t)
+
+corecmd_list_bin(pyzor_t)
+corecmd_getattr_bin_files(pyzor_t)
+
+corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
+corenet_tcp_sendrecv_generic_node(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
+corenet_tcp_connect_http_port(pyzor_t)
+
+dev_read_urand(pyzor_t)
+
+files_read_etc_files(pyzor_t)
+
+auth_use_nsswitch(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
+
+optional_policy(`
+ amavis_manage_lib_files(pyzor_t)
+ amavis_manage_spool_files(pyzor_t)
+')
+
+optional_policy(`
+ spamassassin_signal_spamd(pyzor_t)
+ spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+########################################
+#
+# Pyzor server local policy
+#
+
+allow pyzord_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
+files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
+allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+allow pyzord_t pyzord_log_t:dir setattr;
+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+corecmd_exec_bin(pyzord_t)
+
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
+corenet_udp_sendrecv_generic_if(pyzord_t)
+corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
+corenet_udp_bind_generic_node(pyzord_t)
+corenet_udp_bind_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
+
+files_read_etc_files(pyzord_t)
+
+auth_use_nsswitch(pyzord_t)
+
+locallogin_dontaudit_use_fds(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ logging_send_syslog_msg(pyzord_t)
+')
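Review bot: The client section grants `corenet_tcp_sendrecv_all_ports(pyzor_t)`, `corenet_tcp_connect_http_port(pyzor_t)` and the TCP generic if/node interfaces, yet the only socket rule is `allow pyzor_t self:udp_socket create_socket_perms;`, so the TCP rules are unreachable unless a tcp_socket permission comes from elsewhere; add `allow pyzor_t self:tcp_socket create_socket_perms;` or drop the TCP lines. The UDP side is broader than the server it talks to: the server hunk uses `corenet_udp_bind_pyzor_port` and `corenet_sendrecv_pyzor_server_packets`, so the client should use `corenet_udp_sendrecv_pyzor_port(pyzor_t)` and `corenet_sendrecv_pyzor_client_packets(pyzor_t)` instead of `corenet_udp_sendrecv_all_ports`. `mta_manage_spool(pyzord_t)` gives the signature daemon write access to the whole mail spool with no comment saying why; if it is needed, state the reason above the line, otherwise it is the widest grant in the file and should be removed.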
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
new file mode 100644
index 00000000..64d877ec
--- /dev/null
+++ b/policy/modules/contrib/qemu.fc
@@ -0,0 +1,4 @@
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
new file mode 100644
index 00000000..268d6913
--- /dev/null
+++ b/policy/modules/contrib/qemu.if
@@ -0,0 +1,309 @@
+## <summary>QEMU machine emulator and virtualizer</summary>
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`qemu_domain_template',`
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ type $1_t;
+ domain_type($1_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:tun_socket create;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_tcp_bind_vnc_port($1_t)
+ corenet_rw_tun_tap_dev($1_t)
+
+# dev_rw_kvm($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_read_var_files($1_t)
+ files_search_all($1_t)
+
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_rw_tmpfs_files($1_t)
+
+ storage_raw_write_removable_device($1_t)
+ storage_raw_read_removable_device($1_t)
+
+ term_use_ptmx($1_t)
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+ userdom_use_user_terminals($1_t)
+ userdom_attach_admin_tun_iface($1_t)
+
+ optional_policy(`
+ samba_domtrans_smbd($1_t)
+ ')
+
+ optional_policy(`
+ virt_manage_images($1_t)
+ virt_read_config($1_t)
+ virt_read_lib_files($1_t)
+ virt_attach_tun_iface($1_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
+# xserver_xdm_rw_shm($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The per role template for the qemu module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for qemu web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`qemu_role',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ type qemu_config_t, qemu_config_exec_t;
+ ')
+
+ role $1 types { qemu_t qemu_config_t };
+
+ domtrans_pattern($2, qemu_exec_t, qemu_t)
+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+ allow qemu_t $2:process signull;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in the qemu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the qemu domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qemu_run',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ qemu_domtrans($1)
+ role $2 types qemu_t;
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`qemu_read_state',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ read_files_pattern($1, qemu_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
+## Send a signal to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_signal',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a sigill to qemu
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_kill',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+')
+
+########################################
+## <summary>
+## Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
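Review bot: `qemu_role` requires `qemu_config_t` and `qemu_config_exec_t`, but qemu.te in this commit declares neither (only `qemu_exec_t`, the `qemu_t` from `virt_domain_template(qemu)` and `unconfined_qemu_t`), so any caller of the template will fail to link unless those types exist in another module; either declare them or drop the two requires and the `domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)` line. The same template's `<desc>` says the derived domains are "used for qemu web browser", a leftover from the module it was copied from, `qemu_kill` is summarized as "Send a sigill to qemu" while it grants `sigkill`, and `qemu_domain_template` has two consecutive "Local Policy" headers where the first block is declarations. `qemu_domain_template` has no caller in this commit and its body hands out `dac_override`, `execmem`/`execstack` and raw removable-device access, so if it is kept it should carry a comment naming who is expected to invoke it.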
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
new file mode 100644
index 00000000..44f407ce
--- /dev/null
+++ b/policy/modules/contrib/qemu.te
@@ -0,0 +1,135 @@
+policy_module(qemu, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
+## </desc>
+gen_tunable(qemu_full_network, false)
+
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
+type qemu_exec_t;
+virt_domain_template(qemu)
+application_domain(qemu_t, qemu_exec_t)
+role system_r types qemu_t;
+
+########################################
+#
+# qemu local policy
+#
+dontaudit qemu_t self:socket create;
+
+can_exec(qemu_t, qemu_exec_t)
+
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
+tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ dbus_read_lib_files(qemu_t)
+')
+
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ vde_connect(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
+')
+
+########################################
+#
+# Unconfined qemu local policy
+#
+
+optional_policy(`
+ type unconfined_qemu_t;
+ typealias unconfined_qemu_t alias qemu_unconfined_t;
+ application_type(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
+
+ allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
+')
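Review bot: `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` default to `true`, so a stock policy lets qemu_t manage CIFS and NFS content, read/write usbfs and manage DOS file systems with no administrator opt-in, while the other two tunables in this file (`qemu_full_network`, `qemu_use_comm`) default to `false`. Unless the wider defaults are intentional, change them to `gen_tunable(qemu_use_cifs, false)` and likewise for nfs and usb, and in either case say in each `<desc>` what enabling the tunable exposes. The trailing block declares `unconfined_qemu_t`, makes it an unconfined domain and adds `execmod` on `qemu_exec_t` inside an anonymous `optional_policy`; a comment above it naming the module whose interfaces it depends on would make the conditional readable.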
diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc
new file mode 100644
index 00000000..0055e54b
--- /dev/null
+++ b/policy/modules/contrib/qmail.fc
@@ -0,0 +1,47 @@
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
+
diff --git a/policy/modules/contrib/qmail.if b/policy/modules/contrib/qmail.if
new file mode 100644
index 00000000..a55bf44b
--- /dev/null
+++ b/policy/modules/contrib/qmail.if
@@ -0,0 +1,151 @@
+## <summary>Qmail Mail Server</summary>
+
+########################################
+## <summary>
+## Template for qmail parent/sub-domain pairs
+## </summary>
+## <param name="child_prefix">
+## <summary>
+## The prefix of the child domain
+## </summary>
+## </param>
+## <param name="parent_domain">
+## <summary>
+## The name of the parent domain.
+## </summary>
+## </param>
+#
+template(`qmail_child_domain_template',`
+ type $1_t;
+ domain_type($1_t)
+ type $1_exec_t;
+ domain_entry_file($1_t, $1_exec_t)
+ domain_auto_trans($2, $1_exec_t, $1_t)
+ role system_r types $1_t;
+
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
+
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Transition to qmail_inject_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_inject',`
+ gen_require(`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to qmail_queue_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_queue',`
+ gen_require(`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read qmail configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qmail_read_config',`
+ gen_require(`
+ type qmail_etc_t;
+ ')
+
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
+
+ ifdef(`distro_debian',`
+ # handle /etc/qmail
+ files_search_etc($1)
+ ')
+')
+
+########################################
+## <summary>
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`qmail_smtpd_service_domain',`
+ gen_require(`
+ type qmail_smtpd_t;
+ ')
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+')
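Review bot: `qmail_child_domain_template` builds the parent-to-child transition by hand with the legacy `domain_auto_trans($2, $1_exec_t, $1_t)` plus explicit `fd use`, `fifo_file rw_file_perms` and `process sigchld` rules, while the rest of this file (`qmail_domtrans_inject`, `qmail_domtrans_queue`) uses `domtrans_pattern`, which already carries those three rules; replacing the four lines with `domtrans_pattern($2, $1_exec_t, $1_t)` keeps the template consistent with its siblings. The template also uses `qmail_etc_t` and `qmail_start_t` with no `gen_require`, which works only because it is invoked from qmail.te itself; a comment such as `# internal to qmail.te: relies on qmail_etc_t and qmail_start_t being in scope` would stop it being read as a public template. In both domtrans interfaces `corecmd_search_bin($1)` is repeated in each branch of the `ifdef(`distro_debian')`; hoisting it above the ifdef removes the duplication.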
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
new file mode 100644
index 00000000..355b2a28
--- /dev/null
+++ b/policy/modules/contrib/qmail.te
@@ -0,0 +1,321 @@
+policy_module(qmail, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_config_file(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t, qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+# this component cleans up the queue directory
+#
+
+read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+
+########################################
+#
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+miscfiles_read_localization(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+# this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+
+can_exec(qmail_local_t, qmail_local_exec_t)
+
+allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
+
+allow qmail_local_t qmail_spool_t:file read_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_bin(qmail_local_t)
+corecmd_exec_shell(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+optional_policy(`
+ spamassassin_domtrans_client(qmail_local_t)
+')
+
+########################################
+#
+# qmail-lspawn local policy
+# this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+
+read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+# this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
+
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+# this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+
+rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+# this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+# this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+# this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+# this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# tcp-env local policy
+# this component sets up TCP-related environment variables
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
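Review bot: The splogger section is headed "this component creates entries in syslog", but the rules under it grant only `unix_dgram_socket create_socket_perms`, `files_read_etc_files` and localization; the `logging_send_syslog_msg(qmail_splogger_t)` call that qmail_local_t and qmail_queue_t receive in the same file is missing, so writes to the syslog socket will be denied. `attribute qmail_user_domains` is declared and attached to qmail_inject_t and qmail_queue_t, but no rule or interface in this commit references it; add the rule it was meant for or drop it. In the qmail-local section, `corecmd_exec_bin` and `corecmd_exec_shell` are presumably what let `.qmail` program deliveries run; a comment above them like `# .qmail files may pipe mail to arbitrary programs` records that the grant is deliberate. The qmail-rspawn header also misspells "schedules" as "scedules".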
diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc
new file mode 100644
index 00000000..4f942292
--- /dev/null
+++ b/policy/modules/contrib/qpid.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
new file mode 100644
index 00000000..5a9630c0
--- /dev/null
+++ b/policy/modules/contrib/qpid.if
@@ -0,0 +1,186 @@
+## <summary>Apache QPID AMQP messaging server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run qpidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_domtrans',`
+ gen_require(`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to qpidd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute qpidd server in the qpidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read qpidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_pid_files',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search qpidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_search_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an qpidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qpidd_admin',`
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, qpidd_t)
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, qpidd_var_lib_t)
+
+ admin_pattern($1, qpidd_var_run_t)
+')
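Review bot: `qpidd_admin` uses `qpidd_var_lib_t` and `qpidd_var_run_t` in its two `admin_pattern` calls, but its gen_require declares only `qpidd_t, qpidd_initrc_exec_t`, so a module that calls this interface without otherwise declaring those types will fail to build. The require block should read `type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t, qpidd_var_run_t;`. The comment `# Allow qpidd_t to restart the apache service` is a copy-paste leftover from the apache module and misstates both the subject and the service; it should say `# Allow $1 to restart the qpidd service`.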
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
new file mode 100644
index 00000000..cb7ecb54
--- /dev/null
+++ b/policy/modules/contrib/qpid.te
@@ -0,0 +1,63 @@
+policy_module(qpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+########################################
+#
+# qpidd local policy
+#
+
+allow qpidd_t self:process { setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket create_stream_socket_perms;
+allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+
+optional_policy(`
+ corosync_stream_connect(qpidd_t)
+')
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
new file mode 100644
index 00000000..f3872307
--- /dev/null
+++ b/policy/modules/contrib/quota.fc
@@ -0,0 +1,19 @@
+HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+
+/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
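Review bot: quota.te in this commit adds `files_usr_filetrans` and `files_tmp_filetrans` for quota_db_t, but this file has no entry for a quota database under /usr or /tmp, so a database created there gets quota_db_t at creation time and reverts to the directory's default type on the next relabel, after which quota_t's `manage_file_perms` rule no longer applies. Either add `/usr/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)` to match the other mount points listed here, or drop the /usr and /tmp transitions from quota.te if they are not needed. A quota file in /tmp seems unlikely, but I can't tell from the diff whether some tool writes one there.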
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
new file mode 100644
index 00000000..bf75d999
--- /dev/null
+++ b/policy/modules/contrib/quota.if
@@ -0,0 +1,85 @@
+## <summary>File system quota management</summary>
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_exec_t, quota_t)
+')
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete quota
+## flag files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+')
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
new file mode 100644
index 00000000..5dd42f5f
--- /dev/null
+++ b/policy/modules/contrib/quota.te
@@ -0,0 +1,84 @@
+policy_module(quota, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t, quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+########################################
+#
+# Local policy
+#
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { manage_file_perms quotaon };
+files_root_filetrans(quota_t, quota_db_t, file)
+files_boot_filetrans(quota_t, quota_db_t, file)
+files_etc_filetrans(quota_t, quota_db_t, file)
+files_tmp_filetrans(quota_t, quota_db_t, file)
+files_home_filetrans(quota_t, quota_db_t, file)
+files_usr_filetrans(quota_t, quota_db_t, file)
+files_var_filetrans(quota_t, quota_db_t, file)
+files_spool_filetrans(quota_t, quota_db_t, file)
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctls(quota_t)
+kernel_setsched(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+mls_file_read_all_levels(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_interactive_fds(quota_t)
+
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_use_fds(quota_t)
+init_use_script_ptys(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_use_user_terminals(quota_t)
+userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`
+ udev_read_db(quota_t)
+')
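Review bot: The grants `files_read_all_files`, `files_read_all_symlinks`, `mls_file_read_all_levels` and `storage_raw_read_fixed_disk` (on top of `sys_admin dac_override`) carry no comment explaining why, and quota_t is entered from ordinary roles via `quota_run` in quota.if, so any role given that interface effectively gets read access to every file on the system. Presumably quotacheck has to scan every inode on the filesystem to tally usage, and the raw-disk read is for quota data on filesystems that are not mounted — both should be confirmed. A comment above each group, e.g. `# quotacheck walks every file on the filesystem to tally usage` and `# reads the block device directly for unmounted filesystems -- confirm`, records the rationale so the next reviewer can judge whether the width is still justified.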
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
new file mode 100644
index 00000000..09f7b501
--- /dev/null
+++ b/policy/modules/contrib/radius.fc
@@ -0,0 +1,23 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
+
+/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+
+/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
+/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
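Review bot: `/var/lib/radiousd(/.*)?` looks like a typo for `/var/lib/radiusd(/.*)?`; as written, the daemon's state directory (assuming it is /var/lib/radiusd, matching every other radiusd path in this file) stays labeled with the generic var_lib type, and the `manage_files_pattern(radiusd_t, radiusd_var_lib_t, …)` rule in radius.te never applies — the daemon is denied writes there instead of being confined to its own type. Change it to `/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)`.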
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
new file mode 100644
index 00000000..75e5dc40
--- /dev/null
+++ b/policy/modules/contrib/radius.if
@@ -0,0 +1,62 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+## Use radius over a UDP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`radius_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an radius environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radius_admin',`
+ gen_require(`
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radiusd_initrc_exec_t;
+ ')
+
+ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radiusd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radiusd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, radiusd_log_t)
+
+ admin_pattern($1, radiusd_etc_rw_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, radiusd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radiusd_var_run_t)
+')
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
new file mode 100644
index 00000000..b1ed1bf4
--- /dev/null
+++ b/policy/modules/contrib/radius.te
@@ -0,0 +1,143 @@
+policy_module(radius, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t, radiusd_exec_t)
+
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
+
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:dir list_dir_perms;
+read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+files_search_etc(radiusd_t)
+
+manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+
+manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
+
+manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+
+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+
+kernel_read_kernel_sysctls(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
+corenet_tcp_sendrecv_generic_if(radiusd_t)
+corenet_udp_sendrecv_generic_if(radiusd_t)
+corenet_tcp_sendrecv_generic_node(radiusd_t)
+corenet_udp_sendrecv_generic_node(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_generic_node(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_mysqld_port(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_sendrecv_mysqld_client_packets(radiusd_t)
+corenet_sendrecv_snmp_client_packets(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
+corenet_sendrecv_generic_server_packets(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_interactive_fds(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
+optional_policy(`
+ cron_system_entry(radiusd_t, radiusd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(radiusd_t)
+')
+
+optional_policy(`
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+ samba_read_var_files(radiusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`
+ udev_read_db(radiusd_t)
+')
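Review bot: `sys_tty_config` is both allowed in the capability set on the first allow line and dontaudited on the very next line, so the dontaudit is dead and the grant is probably unintended — every other daemon in this series (qpidd, radvd, mdadm) only dontaudits it. Drop it from the allow: `allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource };`. Separately, `auth_read_shadow(radiusd_t)` gives a network-facing daemon direct read of the password hashes alongside `auth_domtrans_chk_passwd`; a one-line comment naming which authentication module needs the direct read (presumably the unix/PAP path — confirm) would let a later reviewer decide whether both grants are still required.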
diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc
new file mode 100644
index 00000000..cc98d83b
--- /dev/null
+++ b/policy/modules/contrib/radvd.fc
@@ -0,0 +1,7 @@
+/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
+/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+
+/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
new file mode 100644
index 00000000..be05bff5
--- /dev/null
+++ b/policy/modules/contrib/radvd.if
@@ -0,0 +1,39 @@
+## <summary>IPv6 router advertisement daemon</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an radvd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`radvd_admin',`
+ gen_require(`
+ type radvd_t, radvd_etc_t;
+ type radvd_var_run_t, radvd_initrc_exec_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radvd_t)
+
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radvd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radvd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radvd_var_run_t)
+')
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
new file mode 100644
index 00000000..f9a21622
--- /dev/null
+++ b/policy/modules/contrib/radvd.te
@@ -0,0 +1,82 @@
+policy_module(radvd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t, radvd_exec_t)
+
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process { fork signal_perms };
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
+
+allow radvd_t radvd_etc_t:file read_file_perms;
+
+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(radvd_t)
+kernel_rw_net_sysctls(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+kernel_request_load_module(radvd_t)
+
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
+corenet_tcp_sendrecv_generic_if(radvd_t)
+corenet_udp_sendrecv_generic_if(radvd_t)
+corenet_raw_sendrecv_generic_if(radvd_t)
+corenet_tcp_sendrecv_generic_node(radvd_t)
+corenet_udp_sendrecv_generic_node(radvd_t)
+corenet_raw_sendrecv_generic_node(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+domain_use_interactive_fds(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+auth_use_nsswitch(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`
+ udev_read_db(radvd_t)
+')
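Review bot: `allow radvd_t self:fifo_file rw_file_perms;` uses the generic file permission set where the rest of this series (qpidd, radiusd, mdadm) uses the fifo-specific one; change it to `allow radvd_t self:fifo_file rw_fifo_file_perms;` for consistency. Also, `corenet_tcp_sendrecv_all_ports` together with the `tcp_socket create_stream_socket_perms` rule looks broader than a router-advertisement daemon that works over the raw socket should need; if nothing in radvd actually uses TCP, a comment justifying those lines or dropping them would tighten the domain (can't confirm the daemon's behaviour from the hunk).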
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
new file mode 100644
index 00000000..ed9c70d4
--- /dev/null
+++ b/policy/modules/contrib/raid.fc
@@ -0,0 +1,6 @@
+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+
+/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
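Review bot: `/dev/.mdadm.map` leaves both dots unescaped, so as a regex it also matches names like `/dev/xmdadmymap`; every other literal dot in this series is escaped (`radvd\.conf`, `radiusd\.pid`). Write it as `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_map_t,s0)`.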
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
new file mode 100644
index 00000000..b1a85b51
--- /dev/null
+++ b/policy/modules/contrib/raid.if
@@ -0,0 +1,75 @@
+## <summary>RAID array management tools</summary>
+
+########################################
+## <summary>
+## Execute software raid tools in the mdadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`raid_domtrans_mdadm',`
+ gen_require(`
+ type mdadm_t, mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mdadm_exec_t, mdadm_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed to access mdadm_t domain
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition to mdadm_t
+## </summary>
+## </param>
+#
+interface(`raid_run_mdadm',`
+ gen_require(`
+ type mdadm_t;
+ ')
+
+ role $1 types mdadm_t;
+ raid_domtrans_mdadm($2)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the mdadm pid files.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete the mdadm pid files.
+## </p>
+## <p>
+## Added for use in the init module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+')
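Review bot: `raid_manage_mdadm_pid` grants file permissions on mdadm_var_run_t but neither `files_search_pids($1)` nor dir search on mdadm_var_run_t, so a caller cannot traverse /var/run/mdadm/ (which raid.fc labels mdadm_var_run_t) to reach the files it is being allowed to manage — compare `qpidd_read_pid_files` in this same commit, which does call files_search_pids. Replace the bare allow with `files_search_pids($1)` followed by `manage_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)`, which also supplies the directory permissions; the FIXME can then be narrowed to the open question about a type_transition. Also note `raid_run_mdadm` takes (role, domain) while `quota_run` in this series takes (domain, role); the mismatched argument order across *_run interfaces is easy to get wrong at call sites and is worth aligning or at least calling out in the interface summary.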
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
new file mode 100644
index 00000000..458d42ec
--- /dev/null
+++ b/policy/modules/contrib/raid.te
@@ -0,0 +1,102 @@
+policy_module(raid, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t, mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_map_t;
+files_type(mdadm_map_t)
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+allow mdadm_t self:fifo_file rw_fifo_file_perms;
+
+# create .mdadm files in /dev
+allow mdadm_t mdadm_map_t:file manage_file_perms;
+dev_filetrans(mdadm_t, mdadm_map_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctls(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+kernel_getattr_core_if(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_shell(mdadm_t)
+
+dev_rw_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+dev_read_realtime_clock(mdadm_t)
+# unfortunately needed for DMI decoding:
+dev_read_raw_memory(mdadm_t)
+
+domain_use_interactive_fds(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_all_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
+
+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
+
+term_dontaudit_list_ptys(mdadm_t)
+term_dontaudit_use_unallocated_ttys(mdadm_t)
+
+init_dontaudit_getattr_initctl(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+userdom_dontaudit_search_user_home_content(mdadm_t)
+userdom_dontaudit_use_user_terminals(mdadm_t)
+
+mta_send_mail(mdadm_t)
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`
+ udev_read_db(mdadm_t)
+')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
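Review bot: The trailing `optional_policy(` block with `unconfined_domain(mdadm_t)` makes every rule above it moot on any system where the unconfined module is loaded — including the deliberate dontaudits and the `dev_read_raw_memory` grant — and it carries no comment saying why mdadm needs to be unconfined. Since mdadm_t is also reachable from user roles via `raid_run_mdadm`, this deserves an explicit justification, e.g. `# mdadm_t is unconfined when the unconfined module is present because <reason>`, or removal of the block if the explicit rules already cover the tool. Which of those applies is not determinable from the hunk.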
diff --git a/policy/modules/contrib/razor.fc b/policy/modules/contrib/razor.fc
new file mode 100644
index 00000000..1efba0c0
--- /dev/null
+++ b/policy/modules/contrib/razor.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+
+/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/policy/modules/contrib/razor.if b/policy/modules/contrib/razor.if
new file mode 100644
index 00000000..f04a5950
--- /dev/null
+++ b/policy/modules/contrib/razor.if
@@ -0,0 +1,159 @@
+## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+## <desc>
+## <p>
+## A distributed, collaborative, spam detection and filtering network.
+## </p>
+## <p>
+## This policy will work with either the ATrpms provided config
+## file in /etc/razor, or with the default of dumping everything into
+## $HOME/.razor.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## Template to create types and rules common to
+## all razor domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`razor_common_domain_template',`
+ gen_require(`
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+ ')
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
+
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:tcp_socket create_socket_perms;
+
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+ allow $1_t razor_etc_t:lnk_file { getattr read };
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+ logging_log_filetrans($1_t, razor_log_t, file)
+
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+ files_search_var_lib($1_t)
+
+ # Razor is one executable and several symlinks
+ allow $1_t razor_exec_t:file read_file_perms;
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for razor
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`razor_role',`
+ gen_require(`
+ type razor_t, razor_exec_t, razor_home_t;
+ ')
+
+ role $1 types razor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, razor_exec_t, razor_t)
+
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+ allow $2 razor_t:process signal;
+
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+## Execute razor in the system razor domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`razor_domtrans',`
+ gen_require(`
+ type razor_t, razor_exec_t;
+ ')
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+')
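Review bot: `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` in `razor_common_domain_template` is a negated set, so it silently grants every process permission not listed, including any added to the class later — `dyntransition`, `setkeycreate` and `setsockcreate`, for example, are absent from the exclusion list and therefore granted. A positive list of what razor actually needs is the safer form, e.g. `allow $1_t self:process { fork getattr getsched setsched signal_perms };`, with the exact set confirmed against audit logs since it is not visible from the hunk. A short comment on why the template also grants shm, sem and msgq self-IPC would help the next reviewer judge whether those are still needed.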
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
new file mode 100644
index 00000000..9353d5eb
--- /dev/null
+++ b/policy/modules/contrib/razor.te
@@ -0,0 +1,121 @@
+policy_module(razor, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type razor_exec_t;
+corecmd_executable_file(razor_exec_t)
+
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+userdom_user_home_content(razor_home_t)
+
+type razor_log_t;
+logging_log_file(razor_log_t)
+
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+userdom_user_tmp_file(razor_tmp_t)
+
+type razor_var_lib_t;
+files_type(razor_var_lib_t)
+
+# these are here due to ordering issues:
+razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+userdom_user_application_type(razor_t)
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
+
+########################################
+#
+# System razor local policy
+#
+
+# this version of razor is invoked typically
+# via the system spam filter
+
+allow system_razor_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+files_search_etc(system_razor_t)
+
+allow system_razor_t razor_log_t:file manage_file_perms;
+logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+corenet_all_recvfrom_unlabeled(system_razor_t)
+corenet_all_recvfrom_netlabel(system_razor_t)
+corenet_tcp_sendrecv_generic_if(system_razor_t)
+corenet_raw_sendrecv_generic_if(system_razor_t)
+corenet_tcp_sendrecv_generic_node(system_razor_t)
+corenet_raw_sendrecv_generic_node(system_razor_t)
+corenet_tcp_sendrecv_razor_port(system_razor_t)
+corenet_tcp_connect_razor_port(system_razor_t)
+corenet_sendrecv_razor_client_packets(system_razor_t)
+
+sysnet_read_config(system_razor_t)
+
+# cjp: this shouldn't be needed
+userdom_use_unpriv_users_fds(system_razor_t)
+
+optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(system_razor_t)
+')
+
+########################################
+#
+# User razor local policy
+#
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+
+allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+logging_send_syslog_msg(razor_t)
+
+userdom_search_user_home_dirs(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(razor_t)
+')
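Review bot: The rule at L65086 is shipped as an allow even though its own comment ("cjp: this shouldn't be needed") says it is not wanted, so system_razor_t keeps the ability to use file descriptors inherited from unprivileged user domains. If the rule only exists to quiet denials, the form used elsewhere in this series is the quieter one, `userdom_dontaudit_use_unpriv_user_fds(system_razor_t)`; if it is genuinely required, the comment should state the reason instead of doubting the rule. The write access the system domain gets to its own configuration type at L65062-65064 (razor_etc_t, declared as files_config_file at L65025) would also benefit from a one-line comment on why a daemon invoked from the spam filter needs to create and delete its configuration, since that is unusual for a system daemon.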
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
new file mode 100644
index 00000000..dee4adcd
--- /dev/null
+++ b/policy/modules/contrib/rdisc.fc
@@ -0,0 +1,2 @@
+
+/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/rdisc.if b/policy/modules/contrib/rdisc.if
new file mode 100644
index 00000000..fe24d25d
--- /dev/null
+++ b/policy/modules/contrib/rdisc.if
@@ -0,0 +1,20 @@
+## <summary>Network router discovery daemon</summary>
+
+######################################
+## <summary>
+## Execute rdisc in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rdisc_exec',`
+ gen_require(`
+ type rdisc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rdisc_exec_t)
+')
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
new file mode 100644
index 00000000..0f076850
--- /dev/null
+++ b/policy/modules/contrib/rdisc.te
@@ -0,0 +1,58 @@
+policy_module(rdisc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type rdisc_t;
+type rdisc_exec_t;
+init_daemon_domain(rdisc_t, rdisc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rdisc_t self:capability net_raw;
+dontaudit rdisc_t self:capability sys_tty_config;
+allow rdisc_t self:process signal_perms;
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+
+kernel_list_proc(rdisc_t)
+kernel_read_proc_symlinks(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
+
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
+corenet_udp_sendrecv_generic_if(rdisc_t)
+corenet_raw_sendrecv_generic_if(rdisc_t)
+corenet_udp_sendrecv_generic_node(rdisc_t)
+corenet_raw_sendrecv_generic_node(rdisc_t)
+corenet_udp_sendrecv_all_ports(rdisc_t)
+
+dev_read_sysfs(rdisc_t)
+
+fs_search_auto_mountpoints(rdisc_t)
+
+domain_use_interactive_fds(rdisc_t)
+
+files_read_etc_files(rdisc_t)
+
+logging_send_syslog_msg(rdisc_t)
+
+miscfiles_read_localization(rdisc_t)
+
+sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(rdisc_t)
+')
+
+optional_policy(`
+ udev_read_db(rdisc_t)
+')
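Review bot: `corenet_udp_sendrecv_all_ports(rdisc_t)` at L65208 is the broadest network rule in this domain, while the accesses router discovery is known to rely on are the raw-socket ones (net_raw at L65191, rawip_socket at L65196, corenet_raw_* at L65205/L65207). If rdisc needs UDP for a specific service, the per-port corenet interface for that service would be narrower; if the rule was added to clear a one-off denial, it is worth re-checking. Either way a short comment above L65208 naming the UDP traffic it is meant to cover would make the grant reviewable.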
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
new file mode 100644
index 00000000..70774134
--- /dev/null
+++ b/policy/modules/contrib/readahead.fc
@@ -0,0 +1,3 @@
+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/readahead.if b/policy/modules/contrib/readahead.if
new file mode 100644
index 00000000..47c4723c
--- /dev/null
+++ b/policy/modules/contrib/readahead.if
@@ -0,0 +1 @@
+## <summary>Readahead, read files into page cache for improved performance</summary>
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
new file mode 100644
index 00000000..b4ac57e2
--- /dev/null
+++ b/policy/modules/contrib/readahead.te
@@ -0,0 +1,101 @@
+policy_module(readahead, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t, readahead_exec_t)
+application_domain(readahead_t, readahead_exec_t)
+
+type readahead_var_lib_t;
+files_type(readahead_var_lib_t)
+typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow readahead_t self:capability { fowner dac_override dac_read_search };
+dontaudit readahead_t self:capability { net_admin sys_tty_config };
+allow readahead_t self:process { setsched signal_perms };
+
+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+files_search_var_lib(readahead_t)
+
+manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+
+kernel_read_all_sysctls(readahead_t)
+kernel_read_system_state(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
+dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)
+
+domain_use_interactive_fds(readahead_t)
+domain_read_all_domains_state(readahead_t)
+
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+files_create_boot_flag(readahead_t)
+files_getattr_all_pipes(readahead_t)
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_dontaudit_getattr_non_security_blk_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
+fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
+fs_list_inotifyfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
+fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+
+mls_file_read_all_levels(readahead_t)
+
+storage_raw_read_fixed_disk(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fds(readahead_t)
+init_use_script_ptys(readahead_t)
+init_getattr_initctl(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+logging_set_audit_parameters(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
+
+optional_policy(`
+ cron_system_entry(readahead_t, readahead_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(readahead_t)
+')
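Review bot: `logging_set_audit_parameters(readahead_t)` at L65341 is an uncommented allow that lets a cache-warming daemon change audit configuration, which is a higher-impact privilege than anything else in this file and stands out next to the surrounding dontaudit rules (L65342, L65346-65347). If an early-boot interaction with the audit subsystem really requires it, a one-line comment above it naming that interaction would distinguish it from a leftover; if the underlying denial is harmless, a dontaudit would be the safer fix. Worth a comment too: with storage_raw_read_fixed_disk at L65330 and mls_file_read_all_levels at L65328 in place, auth_dontaudit_read_shadow at L65334 only silences a log message and should not be read as a confidentiality control.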
diff --git a/policy/modules/contrib/remotelogin.fc b/policy/modules/contrib/remotelogin.fc
new file mode 100644
index 00000000..d8691bd1
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.fc
@@ -0,0 +1,2 @@
+
+# Remote login currently has no file contexts.
diff --git a/policy/modules/contrib/remotelogin.if b/policy/modules/contrib/remotelogin.if
new file mode 100644
index 00000000..31be9714
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.if
@@ -0,0 +1,37 @@
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
+
+########################################
+## <summary>
+## Domain transition to the remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`remotelogin_domtrans',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ auth_domtrans_login_program($1, remote_login_t)
+')
+
+########################################
+## <summary>
+## allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
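Review bot: The summary of remotelogin_signal at L65392 ("allow Domain to signal remote login domain.") does not follow the phrasing and capitalisation of the other interface summaries in this series, which describe the access granted rather than restating "allow". Suggest `## Send generic signals to the remote login domain.` to match, for example, the domtrans summary at L65374.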
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
new file mode 100644
index 00000000..0a760273
--- /dev/null
+++ b/policy/modules/contrib/remotelogin.te
@@ -0,0 +1,123 @@
+policy_module(remotelogin, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t;
+domain_interactive_fd(remote_login_t)
+auth_login_pgm_domain(remote_login_t)
+auth_login_entry_type(remote_login_t)
+
+type remote_login_tmp_t;
+files_tmp_file(remote_login_tmp_t)
+
+########################################
+#
+# Remote login remote policy
+#
+
+allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
+
+manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
+
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
+
+fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
+
+term_relabel_all_ptys(remote_login_t)
+
+auth_rw_login_records(remote_login_t)
+auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
+
+corecmd_list_bin(remote_login_t)
+corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
+
+domain_read_all_entry_files(remote_login_t)
+
+files_read_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
+files_read_var_symlinks(remote_login_t)
+
+sysnet_dns_name_resolve(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+# Search for mail spool file.
+mta_getattr_spool(remote_login_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(remote_login_t)
+ fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(remote_login_t)
+ fs_read_cifs_symlinks(remote_login_t)
+')
+
+optional_policy(`
+ alsa_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(remote_login_t)
+')
+
+optional_policy(`
+ nscd_socket_use(remote_login_t)
+')
+
+optional_policy(`
+ unconfined_domain(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(remote_login_t)
+')
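Review bot: L65434 and L65435 contradict each other: the complement on L65434 excludes setrlimit and setexec, and L65435 grants exactly those two back, so the effective set is every process permission except ptrace, setcurrent, setfscreate, execmem, execstack and execheap. A reader stopping at L65434 would wrongly conclude setexec is denied; folding the two into `allow remote_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };` makes the exclusion list truthful. The optional unconfined_domain block at L65529 deserves the same kind of explanatory comment the author wrote at L65498-65499, since when the unconfined module is present none of the restrictions in this file bound the login program.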
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
new file mode 100644
index 00000000..af810b94
--- /dev/null
+++ b/policy/modules/contrib/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
new file mode 100644
index 00000000..d457736d
--- /dev/null
+++ b/policy/modules/contrib/resmgr.if
@@ -0,0 +1,22 @@
+## <summary>Resource management daemon</summary>
+
+########################################
+## <summary>
+## Connect to resmgrd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+ gen_require(`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+ allow $1 resmgrd_t:unix_stream_socket connectto;
+ allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
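Review bot: The rules at L65573-65574 hand-roll what the rest of this series expresses with `stream_connect_pattern` (see rgmanager_stream_connect, which uses `stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)`). Replacing L65573-65574 with `stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)` and keeping the files_search_pids call would make the interface consistent. Note the pattern's permission set is slightly wider than the literal `{ getattr write }` on the sock_file (it also grants a search on the directory type), so confirm that is acceptable before switching.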
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
new file mode 100644
index 00000000..bf5efbff
--- /dev/null
+++ b/policy/modules/contrib/resmgr.te
@@ -0,0 +1,66 @@
+policy_module(resmgr, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t, resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file read_file_perms;
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+ udev_read_db(resmgrd_t)
+')
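Review bot: L65632 records an unresolved question ("not sure if it needs write access") while L65633-65634 grant write to SCSI generic and raw removable devices, backed by sys_rawio and sys_admin at L65605, so the doubt is resolved in favour of the broader grant with nothing tracking it. Either confirm the need and replace the comment with the reason, or hold the two write rules back until the denial is actually observed. At minimum make the note actionable, e.g. `# TODO: confirm whether resmgrd writes to scsi generic / removable raw devices; drop these rules if not`.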
diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc
new file mode 100644
index 00000000..3c97ef04
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.fc
@@ -0,0 +1,7 @@
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
new file mode 100644
index 00000000..7dc38d15
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.if
@@ -0,0 +1,77 @@
+## <summary>rgmanager - Resource Group Manager</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+########################################
+## <summary>
+## Connect to rgmanager over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
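Review bot: The summaries at L65710 and L65729 ("Allow manage rgmanager tmp files.", "Allow manage rgmanager tmpfs files.") read awkwardly and do not follow the style of the other summaries in this file, which describe the access granted. Suggest `## Create, read, write, and delete rgmanager tmp files.` and the tmpfs equivalent, which also matches what manage_files_pattern grants. The separator at L65670 is one character shorter than the others in the file.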
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
new file mode 100644
index 00000000..c5370009
--- /dev/null
+++ b/policy/modules/contrib/rgmanager.te
@@ -0,0 +1,202 @@
+policy_module(rgmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
+
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_auth_files(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+mount_domtrans(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
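Review bot: The optional unconfined_domain(rgmanager_t) block at L65946-65948 means that on any system with the unconfined module loaded, the tunable rgmanager_can_network_connect (L65763, default false, used at L65855) and the per-service transitions above have no restrictive effect, because the domain is unconfined regardless. If that fallback is intentional for cluster deployments, a comment on the block saying so, and that the tunable only bites without unconfined, would stop the next reader from trusting the tunable; if it is not intentional, the block should go. Separately, the comment `# rgmanager can run resource scripts` at L65859 sits above the aisexec/corosync stream-connect block, whereas it appears to describe the corecmd_exec_bin/corecmd_exec_shell rules at L65818-65819.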
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
new file mode 100644
index 00000000..c2ba53b3
--- /dev/null
+++ b/policy/modules/contrib/rhcs.fc
@@ -0,0 +1,22 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
new file mode 100644
index 00000000..de37806c
--- /dev/null
+++ b/policy/modules/contrib/rhcs.if
@@ -0,0 +1,355 @@
+## <summary>RHCS - Red Hat Cluster Suite</summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## rhcs init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Connect to dlm_controld over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_dlm_controld_semaphores',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_tmpfs_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+## <summary>
+## Allow read and write access to fenced semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_fenced_semaphores',`
+ gen_require(`
+ type fenced_t, fenced_tmpfs_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Connect to fenced over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_fenced',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ allow $1 fenced_t:unix_stream_socket connectto;
+ allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Execute a domain transition to run gfs_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+####################################
+## <summary>
+## Allow read and write access to gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_semaphores',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_gfs_controld_shm',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Connect to gfs_controld_t over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_groupd',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Connect to groupd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_groupd',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhcs_domtrans_qdiskd',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
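Review bot: `rhcs_domain_template` grants `manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)` but the following `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })` leaves out `sock_file`, so a socket the daemon creates directly under the pid directory inherits the parent directory's type instead of `$1_var_run_t`, and the `stream_connect_pattern` rules on `*_var_run_t` in rhcs.te and in `rhcs_stream_connect_{dlm_controld,gfs_controld,groupd}` would not match it; rhcs.fc labels only plain files (`--`) with these types, so the runtime transition is the only route to the intended label. Adding the class, `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file sock_file })`, closes that gap unless the sockets live in an already-labelled subdirectory, which the visible paths do not show. Separately, `rhcs_stream_connect_fenced` spells out raw `connectto` and `sock_file { getattr write }` rules while its three sibling interfaces use the pattern macro; `stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)` would make them consistent and would also grant the search on the `fenced_var_run_t` directory that the raw form omits.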
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
new file mode 100644
index 00000000..93c896a8
--- /dev/null
+++ b/policy/modules/contrib/rhcs.te
@@ -0,0 +1,240 @@
+policy_module(rhcs, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
+
+rhcs_domain_template(dlm_controld)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
+
+rhcs_domain_template(qdiskd)
+
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(dlm_controld_t)
+')
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t, fenced_exec_t)
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+corecmd_exec_bin(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+ ccs_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:shm create_shm_perms;
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability ipc_lock;
+
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+files_read_etc_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+ ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
+
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
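Review bot: `allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };`, `storage_raw_write_fixed_disk(fenced_t)` and the `dev_manage_generic_blk_files`/`dev_manage_generic_chr_files` grants for `qdiskd_t` are the broadest rules in the module and none carries a comment saying which operation needs it; a one-line comment above each naming the syscall or device access it covers lets a later reviewer confirm the grant is still required instead of keeping it by default. The module already scopes fenced's outbound TCP behind `fenced_can_network_connect`, so the same care applied to these grants would be in keeping. As a point of style, `allow cluster_domain self:capability { sys_nice };` wraps a single permission in braces while `allow qdiskd_t self:capability ipc_lock;` in the same file does not; `allow cluster_domain self:capability sys_nice;` matches the file's own convention.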
diff --git a/policy/modules/contrib/rhgb.fc b/policy/modules/contrib/rhgb.fc
new file mode 100644
index 00000000..9e5d31b5
--- /dev/null
+++ b/policy/modules/contrib/rhgb.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/policy/modules/contrib/rhgb.if b/policy/modules/contrib/rhgb.if
new file mode 100644
index 00000000..96efae7f
--- /dev/null
+++ b/policy/modules/contrib/rhgb.if
@@ -0,0 +1,198 @@
+## <summary> Red Hat Graphical Boot </summary>
+
+########################################
+## <summary>
+## RHGB stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## N/A
+## </summary>
+## </param>
+#
+interface(`rhgb_stub',`
+ gen_require(`
+ type rhgb_t;
+ ')
+')
+
+########################################
+## <summary>
+## Use a rhgb file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_fds',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:fd use;
+')
+
+########################################
+## <summary>
+## Get the process group of rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_getpgid',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send a signal to rhgb.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_signal',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write to unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## rhgb unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ dontaudit $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connected to rhgb unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_stream_connect',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read and write to rhgb shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_shm',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## dontaudit Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read and write to rhgb temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhgb_rw_tmpfs_files',`
+ gen_require(`
+ type rhgb_tmpfs_t;
+ ')
+
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+')
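Review bot: The summary of `rhgb_stream_connect` reads "Connected to rhgb unix stream socket." where the interface grants the connect itself; "Connect to rhgb unix stream socket." matches the other summaries in this file. The `rhgb_dontaudit_use_ptys` summary "dontaudit Read from and write to the rhgb devpts." is likewise inconsistent with the wording `rhgb_dontaudit_rw_stream_sockets` uses; "Do not audit attempts to read from and write to the rhgb devpts." keeps the two dontaudit interfaces parallel. `rhgb_rw_tmpfs_files` grants `rw_file_perms` on files only, so its summary "Read and write to rhgb temporary file system." overstates the grant; "Read and write rhgb tmpfs files." is what the rule does.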
diff --git a/policy/modules/contrib/rhgb.te b/policy/modules/contrib/rhgb.te
new file mode 100644
index 00000000..0f262a7d
--- /dev/null
+++ b/policy/modules/contrib/rhgb.te
@@ -0,0 +1,142 @@
+policy_module(rhgb, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t, rhgb_exec_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process { setpgid signal_perms };
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
+allow rhgb_t self:tcp_socket create_socket_perms;
+allow rhgb_t self:udp_socket create_socket_perms;
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t, rhgb_devpts_t)
+
+manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
+
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_udp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_generic_node(rhgb_t)
+corenet_udp_sendrecv_generic_node(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+corenet_udp_sendrecv_all_ports(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+# for nscd
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
+# for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+selinux_dontaudit_read_fs(rhgb_t)
+
+term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
+
+init_write_initctl(rhgb_t)
+
+# for localization
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
+
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
+sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
+
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
+# for running setxkbmap
+xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
+xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect(rhgb_t)
+
+optional_policy(`
+ consoletype_exec(rhgb_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+ udev_read_db(rhgb_t)
+')
+
+ifdef(`TODO',`
+ #this seems a bit much
+ allow domain rhgb_devpts_t:chr_file { read write };
+ allow initrc_t rhgb_gph_t:fd use;
+')
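Review bot: `sys_tty_config` is granted in `allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };` and then dontaudited on the next line; an allowed permission never produces a denial, so the `dontaudit` is dead — either drop `dontaudit rhgb_t self:capability sys_tty_config;` or, if the intent was to deny it silently, remove `sys_tty_config` from the allow. The trailing `ifdef(`TODO',…)` block is never compiled and references `rhgb_gph_t`, a type declared nowhere in this module, so it cannot build even if enabled; replacing it with a `# TODO:` comment, or removing it, leaves no misleading policy text behind. The `xserver_*` calls are the only cross-module calls in the file not wrapped in `optional_policy`, unlike the `consoletype`, `nis` and `udev` ones; if xserver is an optional module in this tree, they need the same wrapping, which cannot be confirmed from this hunk.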
diff --git a/policy/modules/contrib/rhsmcertd.fc b/policy/modules/contrib/rhsmcertd.fc
new file mode 100644
index 00000000..c7add8bf
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
new file mode 100644
index 00000000..137605a2
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -0,0 +1,296 @@
+## <summary>Subscription Management Certificate Daemon policy</summary>
+
+########################################
+## <summary>
+## Transition to rhsmcertd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_domtrans',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
+########################################
+## <summary>
+## Execute rhsmcertd server in the rhsmcertd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_initrc_domtrans',`
+ gen_require(`
+ type rhsmcertd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_read_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Append to rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_append_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Search rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_search_lib',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_dirs',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rhsmcertd_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_stream_connect',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+')
+
+#######################################
+## <summary>
+## Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rhsmcertd_t:dbus send_msg;
+ allow rhsmcertd_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dontaudit_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rhsmcertd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
+ ')
+
+ allow $1 rhsmcertd_t:process signal_perms;
+ ps_process_pattern($1, rhsmcertd_t)
+
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+')
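Review bot: `rhsmcertd_admin` covers the log, lib and pid types but not `rhsmcertd_lock_t`, which rhsmcertd.te declares and rhsmcertd.fc labels on `/var/lock/subsys/rhsmcertd`, so an administrator given this interface cannot clean up a stale lock file; add `type rhsmcertd_lock_t;` to the `gen_require` block and `files_search_locks($1)` followed by `admin_pattern($1, rhsmcertd_lock_t)` alongside the other admin_pattern calls. As a point of style, `rhsmcertd_read_pid_files` uses a raw `allow $1 rhsmcertd_var_run_t:file read_file_perms;` while the rest of the file uses the pattern macros; `read_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)` would also grant search on the `rhsmcertd_var_run_t` directory that rhsmcertd.te manages.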
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
new file mode 100644
index 00000000..783f6788
--- /dev/null
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -0,0 +1,59 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhsmcertd_t;
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
+type rhsmcertd_log_t;
+logging_log_file(rhsmcertd_log_t)
+
+type rhsmcertd_lock_t;
+files_lock_file(rhsmcertd_lock_t)
+
+type rhsmcertd_var_lib_t;
+files_type(rhsmcertd_var_lib_t)
+
+type rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_var_run_t)
+
+########################################
+#
+# rhsmcertd local policy
+#
+
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+
+manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+
+kernel_read_system_state(rhsmcertd_t)
+
+corecmd_exec_bin(rhsmcertd_t)
+
+dev_read_urand(rhsmcertd_t)
+
+files_read_etc_files(rhsmcertd_t)
+files_read_usr_files(rhsmcertd_t)
+
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_generic_certs(rhsmcertd_t)
+
+sysnet_dns_name_resolve(rhsmcertd_t)
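Review bot: The daemon is given `manage_dirs_pattern`/`manage_files_pattern` on `rhsmcertd_log_t`, `rhsmcertd_var_lib_t` and `rhsmcertd_var_run_t`, but no file type transition is declared for any of them, unlike the lock file which gets `files_lock_filetrans`; a directory or file the daemon creates under /var/log, /var/lib or /var/run therefore takes the parent's generic type and the manage rules never apply to it unless the paths in rhsmcertd.fc are relabelled by hand. Adding `logging_log_filetrans(rhsmcertd_t, rhsmcertd_log_t, { dir file })`, `files_var_lib_filetrans(rhsmcertd_t, rhsmcertd_var_lib_t, { dir file })` and `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { dir file })` next to the respective manage rules matches what `rhcs_domain_template` does for the same situation. The `miscfiles_read_generic_certs` and `sysnet_dns_name_resolve` grants suggest the daemon talks to a remote service, yet no corenet TCP rule appears; if that is so it will be denied at connect time, which cannot be confirmed from this hunk.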
diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc
new file mode 100644
index 00000000..5b08327f
--- /dev/null
+++ b/policy/modules/contrib/ricci.fc
@@ -0,0 +1,16 @@
+/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
+/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
+/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
new file mode 100644
index 00000000..f7826f94
--- /dev/null
+++ b/policy/modules/contrib/ricci.if
@@ -0,0 +1,167 @@
+## <summary>Ricci cluster management agent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans',`
+ gen_require(`
+ type ricci_t, ricci_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modcluster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modcluster',`
+ gen_require(`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## ricci_modcluster file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_use_modcluster_fds',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read write
+## ricci_modcluster unamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Connect to ricci_modclusterd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_stream_connect_modclusterd',`
+ gen_require(`
+ type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modlog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modlog',`
+ gen_require(`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modrpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modrpm',`
+ gen_require(`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modservice.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modservice',`
+ gen_require(`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modstorage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans_modstorage',`
+ gen_require(`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+')
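Review bot: `ricci_stream_connect_modclusterd` hand-codes the connect as `allow $1 ricci_modcluster_var_run_t:sock_file write;` plus `connectto`, where the refpolicy idiom is `stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)`, which keeps the permission set in one reviewed macro and covers the directory search the sock_file write needs. The five `ricci_domtrans_*` interfaces do not call `corecmd_search_bin($1)` before `domtrans_pattern`, unlike `rlogin_domtrans` in this same commit, so a caller that cannot already search /usr/libexec will fail on the path lookup before the transition. The summary of `ricci_dontaudit_rw_modcluster_pipes` reads "unamed pipes" — "unnamed".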
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
new file mode 100644
index 00000000..33e72e80
--- /dev/null
+++ b/policy/modules/contrib/ricci.te
@@ -0,0 +1,488 @@
+policy_module(ricci, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type ricci_t;
+type ricci_exec_t;
+domain_type(ricci_t)
+init_daemon_domain(ricci_t, ricci_exec_t)
+
+type ricci_tmp_t;
+files_tmp_file(ricci_tmp_t)
+
+type ricci_var_lib_t;
+files_type(ricci_var_lib_t)
+
+type ricci_var_log_t;
+logging_log_file(ricci_var_log_t)
+
+type ricci_var_run_t;
+files_pid_file(ricci_var_run_t)
+
+type ricci_modcluster_t;
+type ricci_modcluster_exec_t;
+domain_type(ricci_modcluster_t)
+domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
+role system_r types ricci_modcluster_t;
+
+type ricci_modcluster_var_lib_t;
+files_type(ricci_modcluster_var_lib_t)
+
+type ricci_modcluster_var_log_t;
+logging_log_file(ricci_modcluster_var_log_t)
+
+type ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_var_run_t)
+
+type ricci_modclusterd_t;
+type ricci_modclusterd_exec_t;
+domain_type(ricci_modclusterd_t)
+init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
+type ricci_modlog_t;
+type ricci_modlog_exec_t;
+domain_type(ricci_modlog_t)
+domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
+role system_r types ricci_modlog_t;
+
+type ricci_modrpm_t;
+type ricci_modrpm_exec_t;
+domain_type(ricci_modrpm_t)
+domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
+role system_r types ricci_modrpm_t;
+
+type ricci_modservice_t;
+type ricci_modservice_exec_t;
+domain_type(ricci_modservice_t)
+domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
+role system_r types ricci_modservice_t;
+
+type ricci_modstorage_t;
+type ricci_modstorage_exec_t;
+domain_type(ricci_modstorage_t)
+domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
+role system_r types ricci_modstorage_t;
+
+type ricci_modstorage_lock_t;
+files_lock_file(ricci_modstorage_lock_t)
+
+########################################
+#
+# ricci local policy
+#
+
+allow ricci_t self:capability { setuid sys_nice sys_boot };
+allow ricci_t self:process setsched;
+allow ricci_t self:fifo_file rw_fifo_file_perms;
+allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ricci_t self:tcp_socket create_stream_socket_perms;
+
+domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
+domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
+domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
+domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
+domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
+
+manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
+files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
+
+manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
+
+allow ricci_t ricci_var_log_t:dir setattr;
+manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_t)
+
+corecmd_exec_bin(ricci_t)
+
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
+corenet_tcp_sendrecv_generic_if(ricci_t)
+corenet_tcp_sendrecv_generic_node(ricci_t)
+corenet_tcp_sendrecv_all_ports(ricci_t)
+corenet_tcp_bind_generic_node(ricci_t)
+corenet_udp_bind_generic_node(ricci_t)
+corenet_tcp_bind_ricci_port(ricci_t)
+corenet_udp_bind_ricci_port(ricci_t)
+corenet_tcp_connect_http_port(ricci_t)
+
+dev_read_urand(ricci_t)
+
+domain_read_all_domains_state(ricci_t)
+
+files_read_etc_files(ricci_t)
+files_read_etc_runtime_files(ricci_t)
+files_create_boot_flag(ricci_t)
+
+auth_domtrans_chk_passwd(ricci_t)
+auth_append_login_records(ricci_t)
+
+init_stream_connect_script(ricci_t)
+
+locallogin_dontaudit_use_fds(ricci_t)
+
+logging_send_syslog_msg(ricci_t)
+
+miscfiles_read_localization(ricci_t)
+
+sysnet_dns_name_resolve(ricci_t)
+
+optional_policy(`
+ ccs_read_config(ricci_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ricci_t)
+
+ oddjob_dbus_chat(ricci_t)
+')
+
+optional_policy(`
+ # Needed so oddjob can run halt/reboot on behalf of ricci
+ corecmd_bin_entry_type(ricci_t)
+ term_dontaudit_search_ptys(ricci_t)
+ init_exec(ricci_t)
+ init_telinit(ricci_t)
+ init_rw_utmp(ricci_t)
+
+ oddjob_system_entry(ricci_t, ricci_exec_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(ricci_t)
+')
+
+optional_policy(`
+ sasl_connect(ricci_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(ricci_t)
+')
+
+########################################
+#
+# ricci_modcluster local policy
+#
+
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
+allow ricci_modcluster_t self:process setsched;
+allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modcluster_t)
+kernel_read_system_state(ricci_modcluster_t)
+
+corecmd_exec_shell(ricci_modcluster_t)
+corecmd_exec_bin(ricci_modcluster_t)
+
+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+
+domain_read_all_domains_state(ricci_modcluster_t)
+
+files_search_locks(ricci_modcluster_t)
+files_read_etc_runtime_files(ricci_modcluster_t)
+files_read_etc_files(ricci_modcluster_t)
+files_search_usr(ricci_modcluster_t)
+
+init_exec(ricci_modcluster_t)
+init_domtrans_script(ricci_modcluster_t)
+
+logging_send_syslog_msg(ricci_modcluster_t)
+
+miscfiles_read_localization(ricci_modcluster_t)
+
+modutils_domtrans_insmod(ricci_modcluster_t)
+
+mount_domtrans(ricci_modcluster_t)
+
+consoletype_exec(ricci_modcluster_t)
+
+ricci_stream_connect_modclusterd(ricci_modcluster_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+ corosync_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modcluster_t)
+ ccs_domtrans(ricci_modcluster_t)
+ ccs_manage_config(ricci_modcluster_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modcluster_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ricci_modcluster_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
+')
+
+optional_policy(`
+ # XXX This has got to go.
+ unconfined_domain(ricci_modcluster_t)
+')
+
+########################################
+#
+# ricci_modclusterd local policy
+#
+
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
+allow ricci_modclusterd_t self:process { signal sigkill setsched };
+allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+# cjp: this needs to be fixed for a specific socket type:
+allow ricci_modclusterd_t self:socket create_socket_perms;
+
+allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
+
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
+files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(ricci_modclusterd_t)
+kernel_read_system_state(ricci_modclusterd_t)
+
+corecmd_exec_bin(ricci_modclusterd_t)
+
+corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
+corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
+corenet_tcp_bind_generic_node(ricci_modclusterd_t)
+corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+
+domain_read_all_domains_state(ricci_modclusterd_t)
+
+files_read_etc_files(ricci_modclusterd_t)
+files_read_etc_runtime_files(ricci_modclusterd_t)
+
+fs_getattr_xattr_fs(ricci_modclusterd_t)
+
+auth_use_nsswitch(ricci_modclusterd_t)
+
+init_stream_connect_script(ricci_modclusterd_t)
+
+locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+logging_send_syslog_msg(ricci_modclusterd_t)
+
+miscfiles_read_localization(ricci_modclusterd_t)
+
+sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
+ corosync_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ ccs_domtrans(ricci_modclusterd_t)
+ ccs_stream_connect(ricci_modclusterd_t)
+ ccs_read_config(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ricci_modclusterd_t)
+')
+
+########################################
+#
+# ricci_modlog local policy
+#
+
+allow ricci_modlog_t self:capability sys_nice;
+allow ricci_modlog_t self:process setsched;
+
+kernel_read_kernel_sysctls(ricci_modlog_t)
+kernel_read_system_state(ricci_modlog_t)
+
+corecmd_exec_bin(ricci_modlog_t)
+
+domain_read_all_domains_state(ricci_modlog_t)
+
+files_read_etc_files(ricci_modlog_t)
+files_search_usr(ricci_modlog_t)
+
+logging_read_generic_logs(ricci_modlog_t)
+
+miscfiles_read_localization(ricci_modlog_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modlog_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
+')
+
+########################################
+#
+# ricci_modrpm local policy
+#
+
+allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
+
+kernel_read_kernel_sysctls(ricci_modrpm_t)
+
+corecmd_exec_bin(ricci_modrpm_t)
+
+files_search_usr(ricci_modrpm_t)
+files_read_etc_files(ricci_modrpm_t)
+
+miscfiles_read_localization(ricci_modrpm_t)
+
+optional_policy(`
+ oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+')
+
+optional_policy(`
+ rpm_domtrans(ricci_modrpm_t)
+')
+
+########################################
+#
+# ricci_modservice local policy
+#
+
+allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modservice_t self:process setsched;
+
+kernel_read_kernel_sysctls(ricci_modservice_t)
+kernel_read_system_state(ricci_modservice_t)
+
+corecmd_exec_bin(ricci_modservice_t)
+corecmd_exec_shell(ricci_modservice_t)
+
+files_read_etc_files(ricci_modservice_t)
+files_read_etc_runtime_files(ricci_modservice_t)
+files_search_usr(ricci_modservice_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(ricci_modservice_t)
+
+consoletype_exec(ricci_modservice_t)
+
+init_domtrans_script(ricci_modservice_t)
+
+miscfiles_read_localization(ricci_modservice_t)
+
+optional_policy(`
+ ccs_read_config(ricci_modservice_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modservice_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
+')
+
+########################################
+#
+# ricci_modstorage local policy
+#
+
+allow ricci_modstorage_t self:process { setsched signal };
+dontaudit ricci_modstorage_t self:process ptrace;
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
+allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(ricci_modstorage_t)
+kernel_read_system_state(ricci_modstorage_t)
+
+create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
+files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
+
+corecmd_exec_shell(ricci_modstorage_t)
+corecmd_exec_bin(ricci_modstorage_t)
+
+dev_read_sysfs(ricci_modstorage_t)
+dev_read_urand(ricci_modstorage_t)
+dev_manage_generic_blk_files(ricci_modstorage_t)
+
+domain_read_all_domains_state(ricci_modstorage_t)
+
+#Needed for editing /etc/fstab
+files_manage_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
+files_read_usr_files(ricci_modstorage_t)
+files_read_kernel_modules(ricci_modstorage_t)
+
+storage_raw_read_fixed_disk(ricci_modstorage_t)
+
+term_dontaudit_use_console(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
+logging_send_syslog_msg(ricci_modstorage_t)
+
+miscfiles_read_localization(ricci_modstorage_t)
+
+modutils_read_module_deps(ricci_modstorage_t)
+
+consoletype_exec(ricci_modstorage_t)
+
+mount_domtrans(ricci_modstorage_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
+ ccs_stream_connect(ricci_modstorage_t)
+ ccs_read_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ lvm_domtrans(ricci_modstorage_t)
+ lvm_manage_config(ricci_modstorage_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ricci_modstorage_t)
+')
+
+optional_policy(`
+ oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(ricci_modstorage_t)
+')
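Review bot: `unconfined_domain(ricci_modcluster_t)` in the ricci_modcluster section, flagged only by the `# XXX This has got to go.` comment, makes the confinement of this module largely nominal: `ricci_t` auto-transitions into `ricci_modcluster_t` via `domain_auto_trans` in the ricci section, so the network-facing daemon reaches an unconfined domain through its own helper. If it cannot be removed in this commit it should at least be gated by a tunable or a build-time boolean and called out in the module summary so packagers know what they are shipping. Two smaller points in the same hunk: `corenet_tcp_bind_cluster_port(ricci_modclusterd_t)` and `corenet_tcp_bind_reserved_port(ricci_modclusterd_t)` sit in the ricci_modcluster section but apply to `ricci_modclusterd_t` and belong with the other modclusterd rules; and `ricci_modcluster_var_lib_t` is declared but has no rule here and no file context in ricci.fc.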
diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc
new file mode 100644
index 00000000..27853373
--- /dev/null
+++ b/policy/modules/contrib/rlogin.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+
+/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/contrib/rlogin.if b/policy/modules/contrib/rlogin.if
new file mode 100644
index 00000000..63e78c60
--- /dev/null
+++ b/policy/modules/contrib/rlogin.if
@@ -0,0 +1,47 @@
+## <summary>Remote login daemon</summary>
+
+########################################
+## <summary>
+## Execute rlogind in the rlogin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rlogin_domtrans',`
+ gen_require(`
+ type rlogind_t, rlogind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+')
+
+########################################
+## <summary>
+## read rlogin homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
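Review bot: `rlogin_read_home_content` is declared as a `template` and documented with two parameters (`userdomain_prefix`, `user_domain`), but the body only uses `$1` as a domain and the sole caller in this commit, `rlogin_read_home_content(rlogind_t)`, passes one argument. Make it `interface(`rlogin_read_home_content',` with a single `<param name="domain">` block so the documentation matches the macro. The summary "read rlogin homedir content (.config)" also disagrees with rlogin.fc, which labels `HOME_DIR/\.rlogin` — say `.rlogin`.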
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
new file mode 100644
index 00000000..779fa445
--- /dev/null
+++ b/policy/modules/contrib/rlogin.te
@@ -0,0 +1,116 @@
+policy_module(rlogin, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+inetd_service_domain(rlogind_t, rlogind_exec_t)
+role system_r types rlogind_t;
+
+type rlogind_devpts_t; #, userpty_type;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_fifo_file_perms;
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rlogind_t self:capability { setuid setgid };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rlogind_t, rlogind_devpts_t)
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+
+kernel_read_kernel_sysctls(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
+corenet_tcp_sendrecv_generic_if(rlogind_t)
+corenet_udp_sendrecv_generic_if(rlogind_t)
+corenet_tcp_sendrecv_generic_node(rlogind_t)
+corenet_udp_sendrecv_generic_node(rlogind_t)
+corenet_tcp_sendrecv_all_ports(rlogind_t)
+corenet_udp_sendrecv_all_ports(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+domain_interactive_fd(rlogind_t)
+
+fs_getattr_xattr_fs(rlogind_t)
+fs_search_auto_mountpoints(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+auth_use_nsswitch(rlogind_t)
+
+files_read_etc_files(rlogind_t)
+files_read_etc_runtime_files(rlogind_t)
+files_search_home(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_utmp(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_read_config(rlogind_t)
+
+userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+
+remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
+
+rlogin_read_home_content(rlogind_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
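Review bot: The self capability set of `rlogind_t` is split across two rules, `{ fsetid chown fowner sys_tty_config dac_override }` at the top of the section and `{ setuid setgid }` after the netlink rule; merge them into one `allow rlogind_t self:capability { ... }` line so the daemon's full privilege set is visible in one place when it is reviewed. `userdom_read_user_home_content_files(rlogind_t)` is marked "egregious" by the author but left in; since `rlogin_read_home_content(rlogind_t)` already grants the narrower read of `rlogind_home_t`, the broad rule should be dropped or put behind a tunable. The stale `#, userpty_type;` fragment on the `rlogind_devpts_t` declaration should go.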
diff --git a/policy/modules/contrib/roundup.fc b/policy/modules/contrib/roundup.fc
new file mode 100644
index 00000000..e4110e6e
--- /dev/null
+++ b/policy/modules/contrib/roundup.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
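Review bot: `/var/lib/roundup(/.*)? --` carries the regular-file specifier, so /var/lib/roundup itself and any subdirectory keep the generic var_lib label and only plain files inside become `roundup_var_lib_t`; roundup.te then has no directory rules on that type and `roundup_admin` applies `admin_pattern` to it, which expects the type on directories too. Drop the specifier, matching `/var/lib/ricci(/.*)?` and `/var/lib/nfs(/.*)?` in this same commit: `/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0)`.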
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
new file mode 100644
index 00000000..30c4b756
--- /dev/null
+++ b/policy/modules/contrib/roundup.if
@@ -0,0 +1,39 @@
+## <summary>Roundup Issue Tracking System policy</summary>
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an roundup environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the roundup domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+ gen_require(`
+ type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+ type roundup_initrc_exec_t;
+ ')
+
+ allow $1 roundup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, roundup_t)
+
+ init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 roundup_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, roundup_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, roundup_var_run_t)
+')
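Review bot: The summary reads "administrate an roundup environment" — "a roundup environment". The interface body itself follows the usual `*_admin` pattern and needs no change.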
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
new file mode 100644
index 00000000..57f839f4
--- /dev/null
+++ b/policy/modules/contrib/roundup.te
@@ -0,0 +1,96 @@
+policy_module(roundup, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type roundup_t;
+type roundup_exec_t;
+init_daemon_domain(roundup_t, roundup_exec_t)
+
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
+type roundup_var_run_t;
+files_pid_file(roundup_var_run_t)
+
+type roundup_var_lib_t;
+files_type(roundup_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow roundup_t self:capability { setgid setuid };
+dontaudit roundup_t self:capability sys_tty_config;
+allow roundup_t self:process signal_perms;
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+allow roundup_t self:tcp_socket create_stream_socket_perms;
+allow roundup_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)
+
+manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
+files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+
+kernel_read_kernel_sysctls(roundup_t)
+kernel_list_proc(roundup_t)
+kernel_read_proc_symlinks(roundup_t)
+
+dev_read_sysfs(roundup_t)
+
+# execute python
+corecmd_exec_bin(roundup_t)
+
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
+corenet_tcp_sendrecv_generic_if(roundup_t)
+corenet_udp_sendrecv_generic_if(roundup_t)
+corenet_raw_sendrecv_generic_if(roundup_t)
+corenet_tcp_sendrecv_generic_node(roundup_t)
+corenet_udp_sendrecv_generic_node(roundup_t)
+corenet_raw_sendrecv_generic_node(roundup_t)
+corenet_tcp_sendrecv_all_ports(roundup_t)
+corenet_udp_sendrecv_all_ports(roundup_t)
+corenet_tcp_bind_generic_node(roundup_t)
+corenet_tcp_bind_http_cache_port(roundup_t)
+corenet_tcp_connect_smtp_port(roundup_t)
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_sendrecv_smtp_client_packets(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+dev_read_urand(roundup_t)
+
+domain_use_interactive_fds(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+files_read_usr_files(roundup_t)
+files_read_etc_files(roundup_t)
+
+fs_getattr_all_fs(roundup_t)
+fs_search_auto_mountpoints(roundup_t)
+
+logging_send_syslog_msg(roundup_t)
+
+miscfiles_read_localization(roundup_t)
+
+sysnet_read_config(roundup_t)
+
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
+
+optional_policy(`
+ mysql_stream_connect(roundup_t)
+ mysql_search_db(roundup_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(roundup_t)
+')
+
+optional_policy(`
+ udev_read_db(roundup_t)
+')
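Review bot: The comment `# /usr/share/mysql/charsets/Index.xml` appears twice in this hunk, once above `dev_read_urand(roundup_t)` where it explains nothing, and again above `files_read_usr_files(roundup_t)` where it belongs; drop the first copy. `corenet_tcp_bind_http_cache_port(roundup_t)` is presumably there for roundup-server's listening port — a one-line comment naming the reason would save the next reader a lookup.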
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
new file mode 100644
index 00000000..5c70c0cc
--- /dev/null
+++ b/policy/modules/contrib/rpc.fc
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+
+/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
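Review bot: `/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)` is a wildcard, so on a system where rpc.gssd, rpc.svcgssd, rpc.mountd or rpc.nfsd are installed or symlinked under /sbin they would be labeled `rpcd_exec_t`, whereas the explicit /usr/sbin entries below give them `gssd_exec_t` and `nfsd_exec_t`, and the daemon would then start in the wrong domain. If that layout is possible on the targeted distributions, add explicit /sbin entries for those binaries alongside the /usr/sbin ones rather than relying on the wildcard.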
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
new file mode 100644
index 00000000..f92551df
--- /dev/null
+++ b/policy/modules/contrib/rpc.if
@@ -0,0 +1,436 @@
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+########################################
+## <summary>
+## RPC stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_stub',`
+ gen_require(`
+ type exports_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a rpc domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new rpc daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`rpc_domain_template', `
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ dontaudit $1_t self:capability { net_admin sys_tty_config };
+ allow $1_t self:capability net_bind_service;
+ allow $1_t self:process signal_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+
+ kernel_list_proc($1_t)
+ kernel_read_proc_symlinks($1_t)
+ kernel_read_kernel_sysctls($1_t)
+ # bind to arbitary unused ports
+ kernel_rw_rpc_sysctls($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_udp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_reserved_port($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_portmap_client_packets($1_t)
+ # do not log when it tries to bind to a port belonging to another domain
+ corenet_dontaudit_tcp_bind_all_ports($1_t)
+ corenet_dontaudit_udp_bind_all_ports($1_t)
+ # bind to arbitary unused ports
+ corenet_tcp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_rpc_ports($1_t)
+ corenet_udp_bind_all_rpc_ports($1_t)
+ corenet_sendrecv_generic_server_packets($1_t)
+
+ fs_rw_rpc_named_pipes($1_t)
+ fs_search_auto_mountpoints($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_search_var($1_t)
+ files_search_var_lib($1_t)
+ files_list_home($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds($1_t)
+
+ optional_policy(`
+ rpcbind_stream_connect($1_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole($1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the NFS export file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpc_dontaudit_getattr_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ dontaudit $1 exports_t:file getattr;
+')
+
+########################################
+## <summary>
+## Allow read access to exports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow write access to exports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_write_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+ domtrans_pattern($1, nfsd_exec_t, nfsd_t)
+')
+
+#######################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ allow rpcd_t $1:process signal;
+')
+
+#######################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read NFS exported content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_read_nfs_content',`
+ gen_require(`
+ type nfsd_ro_t, nfsd_rw_t;
+ ')
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_rw_content',`
+ gen_require(`
+ type nfsd_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_ro_content',`
+ gen_require(`
+ type nfsd_ro_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read and write to an NFS TCP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read and write to an NFS UDP socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Send UDP traffic to NFSd. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_send_nfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Search NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search;
+')
+
+########################################
+## <summary>
+## Read NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
+
+########################################
+## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
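Review bot: Several interface summaries are copy-pasted and describe the wrong access: `rpc_manage_nfs_ro_content` reuses the "create read and write NFS directories" summary of the rw interface, and both `rpc_initrc_domtrans_nfsd` and `rpc_initrc_domtrans_rpcd` carry the summary "Execute domain in nfsd/rpcd domain" although they transition through the init script type, not into the daemon domain. Suggested wording: `## Create, read, write, and delete read-only NFS exported content.` for the ro interface, and `## Execute nfsd init scripts in the initrc domain.` / `## Execute rpcd init scripts in the initrc domain.` for the two initrc interfaces. The module summary and template also have typos worth fixing while here: "managment", "recieve" (rpc_udp_send summary) and "arbitary" (twice in rpc_domain_template). Since `rpc_write_exports` grants only `write` on exports_t without `open`, a one-line comment such as `# write only: callers are expected to inherit an already-open descriptor` would make that intent explicit if it is deliberate.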
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
new file mode 100644
index 00000000..7f48e511
--- /dev/null
+++ b/policy/modules/contrib/rpc.te
@@ -0,0 +1,237 @@
+policy_module(rpc, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow gssd to read temp directory. For access to kerberos tgt.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp, true)
+
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write, false)
+
+type exports_t;
+files_config_file(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpcd_var_run_t;
+files_pid_file(rpcd_var_run_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
+rpc_domain_template(rpcd)
+
+type rpcd_initrc_exec_t;
+init_script_file(rpcd_initrc_exec_t)
+
+rpc_domain_template(nfsd)
+
+type nfsd_initrc_exec_t;
+init_script_file(nfsd_initrc_exec_t)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type var_lib_nfs_t;
+files_mountpoint(var_lib_nfs_t)
+
+########################################
+#
+# RPC local policy
+#
+
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:process { getcap setcap };
+allow rpcd_t self:fifo_file rw_fifo_file_perms;
+
+allow rpcd_t rpcd_var_run_t:dir setattr;
+manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
+
+# rpc.statd executes sm-notify
+can_exec(rpcd_t, rpcd_exec_t)
+
+kernel_read_system_state(rpcd_t)
+kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
+kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
+kernel_signal(rpcd_t)
+
+corecmd_exec_bin(rpcd_t)
+
+files_manage_mounttab(rpcd_t)
+files_getattr_all_dirs(rpcd_t)
+
+fs_list_rpc(rpcd_t)
+fs_read_rpc_files(rpcd_t)
+fs_read_rpc_symlinks(rpcd_t)
+fs_rw_rpc_sockets(rpcd_t)
+fs_get_all_fs_quotas(rpcd_t)
+fs_getattr_all_fs(rpcd_t)
+
+storage_getattr_fixed_disk_dev(rpcd_t)
+
+selinux_dontaudit_read_fs(rpcd_t)
+
+miscfiles_read_generic_certs(rpcd_t)
+
+seutil_dontaudit_search_config(rpcd_t)
+
+optional_policy(`
+ automount_signal(rpcd_t)
+ automount_dontaudit_write_pipes(rpcd_t)
+')
+
+optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:udp_socket listen;
+allow nfsd_t exports_t:file read_file_perms;
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
+kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
+
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
+
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+dev_rw_lvm_control(nfsd_t)
+
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
+files_getattr_tmp_dirs(nfsd_t)
+# cjp: this should really have its own type
+files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+
+fs_mount_nfsd_fs(nfsd_t)
+fs_search_nfsd_fs(nfsd_t)
+fs_getattr_all_fs(nfsd_t)
+fs_getattr_all_dirs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t)
+
+storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
+
+# Read access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`allow_nfsd_anon_write',`
+ miscfiles_manage_public_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+ auth_manage_all_files_except_auth_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_ro',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ files_getattr_all_pipes(nfsd_t)
+ files_getattr_all_sockets(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+ auth_read_all_dirs_except_auth_files(nfsd_t)
+ auth_read_all_files_except_auth_files(nfsd_t)
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_system_state(gssd_t)
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+
+mount_signal(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(gssd_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_tmp_files(gssd_t)
+')
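Review bot: The comment above `rpc_domain_template(rpcd)` says "rpc_exec_t is the type of rpc daemon programs", but the template declares `$1_exec_t`, i.e. rpcd_exec_t, and that is the type rpc.fc and the `can_exec(rpcd_t, rpcd_exec_t)` rule below actually use; change it to `# rpcd_exec_t is the type of rpc daemon programs.`. The `allow_gssd_read_tmp` tunable defaults to true, which grants gssd_t read access to all users' tmp files and symlinks via the userdom_* calls in the tunable_policy block; the tunable description should say so, e.g. `## Allow gssd to read temp directory (on by default). For access to kerberos tgt.`, so an administrator reviewing the booleans knows this is not opt-in. The `nfs_export_all_rw` and `nfs_export_all_ro` tunables are referenced but not declared in this module; presumably they live in a kernel-layer module, and a comment naming where would help the next reader.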
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
new file mode 100644
index 00000000..f5c47d64
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+
+/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
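Review bot: The entry `/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)` conflicts with rpc.fc, which labels the same path `/var/run/rpc\.statd\.pid` as rpcd_var_run_t; two file-context specifications for one path leave the label dependent on setfiles' resolution order, and the rpcbind one also has an unescaped dot, so the regex matches more than the literal filename. Since rpc.statd runs as rpcd_t (rpc.fc labels /sbin/rpc\..* rpcd_exec_t) and rpcd_t gets `files_pid_filetrans` for rpcd_var_run_t in rpc.te, the rpcbind.fc line looks like a leftover and should be dropped, or, if rpcbind genuinely reads that pid file, the module should instead use an interface on rpcd_var_run_t.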
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
new file mode 100644
index 00000000..a96249cf
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.if
@@ -0,0 +1,148 @@
+## <summary>Universal Addresses to RPC Program Number Mapper</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rpcbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpcbind_domtrans',`
+ gen_require(`
+ type rpcbind_t, rpcbind_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
+')
+
+########################################
+## <summary>
+## Connect to rpcbindd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_stream_connect',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:sock_file write;
+ allow $1 rpcbind_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read rpcbind PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_pid_files',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search rpcbind lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_search_lib',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_read_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpcbind lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpcbind_manage_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rpcbind environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the rpcbind domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpcbind_admin',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
+ type rpcbind_initrc_exec_t;
+ ')
+
+ allow $1 rpcbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rpcbind_t)
+
+ init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_initrc_exec_t system_r;
+ allow $2 system_r;
+')
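Review bot: `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)` in rpcbind_admin misspells the type: the gen_require block declares `rpcbind_initrc_exec_t`, so any caller of this interface will fail to build with an undeclared type. Change the line to `init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)`. The gen_require also pulls in rpcbind_var_lib_t and rpcbind_var_run_t but the body never grants access to them; either add the usual admin rules for those types (manage of lib and pid files) or drop them from the require list so the interface documents exactly what it grants.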
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
new file mode 100644
index 00000000..a63e9eee
--- /dev/null
+++ b/policy/modules/contrib/rpcbind.te
@@ -0,0 +1,69 @@
+policy_module(rpcbind, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type rpcbind_t;
+type rpcbind_exec_t;
+init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+
+type rpcbind_initrc_exec_t;
+init_script_file(rpcbind_initrc_exec_t)
+
+type rpcbind_var_run_t;
+files_pid_file(rpcbind_var_run_t)
+
+type rpcbind_var_lib_t;
+files_type(rpcbind_var_lib_t)
+
+########################################
+#
+# rpcbind local policy
+#
+
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:fifo_file rw_file_perms;
+allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow rpcbind_t self:udp_socket create_socket_perms;
+allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+
+manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(rpcbind_t)
+kernel_read_network_state(rpcbind_t)
+kernel_request_load_module(rpcbind_t)
+
+corenet_all_recvfrom_unlabeled(rpcbind_t)
+corenet_all_recvfrom_netlabel(rpcbind_t)
+corenet_tcp_sendrecv_generic_if(rpcbind_t)
+corenet_udp_sendrecv_generic_if(rpcbind_t)
+corenet_tcp_sendrecv_generic_node(rpcbind_t)
+corenet_udp_sendrecv_generic_node(rpcbind_t)
+corenet_tcp_sendrecv_all_ports(rpcbind_t)
+corenet_udp_sendrecv_all_ports(rpcbind_t)
+corenet_tcp_bind_generic_node(rpcbind_t)
+corenet_udp_bind_generic_node(rpcbind_t)
+corenet_tcp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_all_rpc_ports(rpcbind_t)
+
+domain_use_interactive_fds(rpcbind_t)
+
+files_read_etc_files(rpcbind_t)
+files_read_etc_runtime_files(rpcbind_t)
+
+logging_send_syslog_msg(rpcbind_t)
+
+miscfiles_read_localization(rpcbind_t)
+
+sysnet_dns_name_resolve(rpcbind_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
new file mode 100644
index 00000000..b206bf68
--- /dev/null
+++ b/policy/modules/contrib/rpm.fc
@@ -0,0 +1,52 @@
+
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
+
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+')
+
+ifdef(`enable_mls',`
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
new file mode 100644
index 00000000..951d8f6b
--- /dev/null
+++ b/policy/modules/contrib/rpm.if
@@ -0,0 +1,575 @@
+## <summary>Policy for the RPM package manager.</summary>
+
+########################################
+## <summary>
+## Execute rpm programs in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans',`
+ gen_require(`
+ type rpm_t, rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpm_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute debuginfo_install programs in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_debuginfo_domtrans',`
+ gen_require(`
+ type rpm_t, debuginfo_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute rpm_script programs in the rpm_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans_script',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ # transition to rpm script:
+ corecmd_shell_domtrans($1, rpm_script_t)
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute RPM programs in the RPM domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the RPM domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_run',`
+ gen_require(`
+ attribute_role rpm_roles;
+ ')
+
+ rpm_domtrans($1)
+ roleattribute $2 rpm_roles;
+')
+
+########################################
+## <summary>
+## Execute the rpm client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rpm_exec_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_signull',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:process signull;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from RPM.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_fds',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_t:dbus send_msg;
+ allow rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and
+## receive messages from rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rpm_t:dbus send_msg;
+ dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm_script over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+ gen_require(`
+ type rpm_script_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_script_t:dbus send_msg;
+ allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search RPM log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_search_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
+## to rpm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 rpm_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_script_fds',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete RPM
+## script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
+## to rpm tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete RPM
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Read RPM script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+## Read the RPM cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 rpm_var_cache_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Read the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 rpm_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+')
+
+#####################################
+## <summary>
+## Read rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+######################################
+## <summary>
+## Create files in /var/run with the rpm pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
+')
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
new file mode 100644
index 00000000..e9f1f161
--- /dev/null
+++ b/policy/modules/contrib/rpm.te
@@ -0,0 +1,399 @@
+policy_module(rpm, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rpm_roles;
+
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
+
+type rpm_t;
+type rpm_exec_t;
+init_system_domain(rpm_t, rpm_exec_t)
+domain_obj_id_change_exemption(rpm_t)
+domain_role_change_exemption(rpm_t)
+domain_system_change_exemption(rpm_t)
+domain_interactive_fd(rpm_t)
+role rpm_roles types rpm_t;
+
+type rpm_file_t;
+files_type(rpm_file_t)
+
+type rpm_tmp_t;
+files_tmp_file(rpm_tmp_t)
+
+type rpm_tmpfs_t;
+files_tmpfs_file(rpm_tmpfs_t)
+
+type rpm_log_t;
+logging_log_file(rpm_log_t)
+
+type rpm_var_lib_t;
+files_type(rpm_var_lib_t)
+typealias rpm_var_lib_t alias var_lib_rpm_t;
+
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
+type rpm_script_t;
+type rpm_script_exec_t;
+domain_obj_id_change_exemption(rpm_script_t)
+domain_system_change_exemption(rpm_script_t)
+corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
+domain_type(rpm_script_t)
+domain_entry_file(rpm_t, rpm_script_exec_t)
+domain_interactive_fd(rpm_script_t)
+role rpm_roles types rpm_script_t;
+role system_r types rpm_script_t;
+
+type rpm_script_tmp_t;
+files_tmp_file(rpm_script_tmp_t)
+
+type rpm_script_tmpfs_t;
+files_tmpfs_file(rpm_script_tmpfs_t)
+
+########################################
+#
+# rpm Local policy
+#
+
+allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
+allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:fd use;
+allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_t self:unix_dgram_socket sendto;
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
+allow rpm_t self:msg { send receive };
+
+allow rpm_t rpm_log_t:file manage_file_perms;
+logging_log_filetrans(rpm_t, rpm_log_t, file)
+
+manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
+
+manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
+
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
+# Access /var/lib/rpm files
+manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
+kernel_read_crypto_sysctls(rpm_t)
+kernel_read_network_state(rpm_t)
+kernel_read_system_state(rpm_t)
+kernel_read_kernel_sysctls(rpm_t)
+
+corecmd_exec_all_executables(rpm_t)
+
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
+corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_raw_sendrecv_generic_if(rpm_t)
+corenet_udp_sendrecv_generic_if(rpm_t)
+corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_raw_sendrecv_generic_node(rpm_t)
+corenet_udp_sendrecv_generic_node(rpm_t)
+corenet_tcp_sendrecv_all_ports(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
+
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
+dev_read_urand(rpm_t)
+
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
+fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
+
+mls_file_read_all_levels(rpm_t)
+mls_file_write_all_levels(rpm_t)
+mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
+
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
+storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(rpm_t)
+
+term_list_ptys(rpm_t)
+
+auth_relabel_all_files_except_auth_files(rpm_t)
+auth_manage_all_files_except_auth_files(rpm_t)
+auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswitch(rpm_t)
+
+# transition to rpm script:
+rpm_domtrans_script(rpm_t)
+
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_dontaudit_ptrace_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
+init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
+
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_run_ldconfig(rpm_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(rpm_t)
+seutil_manage_bin_policy(rpm_t)
+
+userdom_use_user_terminals(rpm_t)
+userdom_use_unpriv_users_fds(rpm_t)
+
+optional_policy(`
+ cron_system_entry(rpm_t, rpm_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(rpm_t, rpm_exec_t)
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
+')
+
+optional_policy(`
+ prelink_run(rpm_t, rpm_roles)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
+')
+
+########################################
+#
+# rpm-script Local policy
+#
+
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:fd use;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_script_t self:unix_dgram_socket sendto;
+allow rpm_script_t self:unix_stream_socket connectto;
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
+allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
+
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)
+
+manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+kernel_read_crypto_sysctls(rpm_script_t)
+kernel_read_kernel_sysctls(rpm_script_t)
+kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
+
+dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
+
+fs_manage_nfs_files(rpm_script_t)
+fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(rpm_script_t)
+fs_mount_xattr_fs(rpm_script_t)
+fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
+
+mcs_killall(rpm_script_t)
+mcs_ptrace_all(rpm_script_t)
+
+mls_file_read_all_levels(rpm_script_t)
+mls_file_write_all_levels(rpm_script_t)
+
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
+storage_raw_read_fixed_disk(rpm_script_t)
+storage_raw_write_fixed_disk(rpm_script_t)
+
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
+
+auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_use_nsswitch(rpm_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_auth_files(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
+
+corecmd_exec_all_executables(rpm_script_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_dontaudit_ptrace_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
+init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
+
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_run_ldconfig(rpm_script_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_script_t)
+
+miscfiles_read_localization(rpm_script_t)
+
+modutils_run_depmod(rpm_script_t, rpm_roles)
+modutils_run_insmod(rpm_script_t, rpm_roles)
+
+seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+seutil_run_setfiles(rpm_script_t, rpm_roles)
+seutil_run_semanage(rpm_script_t, rpm_roles)
+
+userdom_use_all_users_fds(rpm_script_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ mta_send_mail(rpm_script_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+')
+
+optional_policy(`
+ bootloader_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
+')
+
+optional_policy(`
+ lvm_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ tzdata_run(rpm_t, rpm_roles)
+ tzdata_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans_unconfined(rpm_script_t)
+ ')
+
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ usermanage_run_groupadd(rpm_script_t, rpm_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_roles)
+')
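Review bot: The two self:process rules at the top of the rpm local policy contradict each other — the negated set excludes setexec, setfscreate and setrlimit, and the very next line grants exactly those back, so the exclusions are dead and the intended restriction is unreadable. Collapse them into one rule, `allow rpm_t self:process ~{ ptrace setcurrent execstack execheap };` (getattr is already inside the complement). Likewise `allow rpm_t self:udp_socket { connect };` looks redundant with the following `create_socket_perms` rule, assuming that macro expands to the usual refpolicy set that already contains connect. In the rpm-script section, the capability list (sys_admin, sys_rawio, sys_ptrace, net_admin) together with `dev_manage_all_*` and `auth_manage_all_files_except_auth_files` makes rpm_script_t effectively all-powerful; the two "ideally we would not need this" comments would be far more useful if they named which scriptlet behaviour each grant was added for, so a future tightening has something to test against.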
diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc
new file mode 100644
index 00000000..6a4db031
--- /dev/null
+++ b/policy/modules/contrib/rshd.fc
@@ -0,0 +1,5 @@
+
+/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/contrib/rshd.if b/policy/modules/contrib/rshd.if
new file mode 100644
index 00000000..2e87d76b
--- /dev/null
+++ b/policy/modules/contrib/rshd.if
@@ -0,0 +1,21 @@
+## <summary>Remote shell service.</summary>
+
+########################################
+## <summary>
+## Domain transition to rshd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rshd_domtrans',`
+ gen_require(`
+ type rshd_exec_t, rshd_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rshd_exec_t, rshd_t)
+')
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
new file mode 100644
index 00000000..0b405d10
--- /dev/null
+++ b/policy/modules/contrib/rshd.te
@@ -0,0 +1,96 @@
+policy_module(rshd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+type rshd_t;
+type rshd_exec_t;
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
+
+########################################
+#
+# Local policy
+#
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+allow rshd_t self:fifo_file rw_fifo_file_perms;
+allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(rshd_t)
+
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
+corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
+corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
+corenet_tcp_bind_generic_node(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
+
+corecmd_read_bin_symlinks(rshd_t)
+
+files_list_home(rshd_t)
+files_read_etc_files(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
+
+miscfiles_read_localization(rshd_t)
+
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
+
+userdom_search_user_home_content(rshd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(rshd_t)
+ fs_read_nfs_symlinks(rshd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
+')
+
+optional_policy(`
+ rlogin_read_home_content(rshd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
+')
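Review bot: The Declarations and Local policy banners in rshd.te run straight into the first statement, whereas rpm.te, rssh.te and rsync.te in this same series leave a blank line after the closing `#`; add a blank line after `#` at both banners. The final optional block, `unconfined_shell_domtrans(rshd_t)` / `unconfined_signal(rshd_t)`, appears to hand every rsh login an unconfined shell whenever the unconfined module is loaded, with no tunable gating it; a one-line comment stating that consequence would stop a reader from assuming rsh logins stay confined. The same applies to the unconditional `corenet_tcp_connect_all_ports(rshd_t)`, which is presumably needed for the protocol's client-side stderr channel and deserves a why-comment.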
diff --git a/policy/modules/contrib/rssh.fc b/policy/modules/contrib/rssh.fc
new file mode 100644
index 00000000..4c091ca3
--- /dev/null
+++ b/policy/modules/contrib/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/policy/modules/contrib/rssh.if b/policy/modules/contrib/rssh.if
new file mode 100644
index 00000000..cb3d9737
--- /dev/null
+++ b/policy/modules/contrib/rssh.if
@@ -0,0 +1,103 @@
+## <summary>Restricted (scp/sftp) only shell</summary>
+
+########################################
+## <summary>
+## Role access for rssh
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`rssh_role',`
+ gen_require(`
+ type rssh_t;
+ ')
+
+ role $1 types rssh_t;
+
+ # allow ps to show irc
+ ps_process_pattern($2, rssh_t)
+ allow $2 rssh_t:process signal;
+')
+
+########################################
+## <summary>
+## Transition to all user rssh domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_spec_domtrans',`
+ gen_require(`
+ type rssh_t, rssh_exec_t;
+ ')
+
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+')
+
+########################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run rssh_chroot_helper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
+########################################
+## <summary>
+## Read all users rssh read-only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_read_ro_content',`
+ gen_require(`
+ type rssh_ro_t;
+ ')
+
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
+')
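Review bot: The comment inside rssh_role, `# allow ps to show irc`, is a copy-paste leftover from another module and should read `# allow ps to show rssh`. rssh_domtrans_chroot_helper also omits the `files_search_usr($1)` / `corecmd_search_bin($1)` directory lookups that rshd_domtrans in this same series includes, so a caller without its own search access to the helper's parent directories would fail on path traversal before the transition; whether that matters depends on where the helper is installed, which this diff does not label.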
diff --git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
new file mode 100644
index 00000000..ffb9605c
--- /dev/null
+++ b/policy/modules/contrib/rssh.te
@@ -0,0 +1,104 @@
+policy_module(rssh, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+userdom_user_application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+role system_r types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t;
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t;
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket create_socket_perms;
+allow rssh_t self:unix_stream_socket create_stream_socket_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket connectto;
+allow rssh_t self:shm create_shm_perms;
+allow rssh_t self:sem create_sem_perms;
+allow rssh_t self:msgq create_msgq_perms;
+allow rssh_t self:msg { send receive };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# rssh_chroot_helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+files_read_etc_files(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
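Review bot: rssh_chroot_helper_exec_t is declared here and is the entry point for the rssh_t → rssh_chroot_helper_t transition via rssh_domtrans_chroot_helper, but the accompanying rssh.fc hunk labels only /usr/bin/rssh as rssh_exec_t; nothing in this diff assigns rssh_chroot_helper_exec_t to any file. Unless the helper is labeled elsewhere, the transition never fires and the helper would execute in rssh_t, which lacks the sys_chroot and setuid capabilities granted to the helper domain, so the chroot setup would fail rather than run unconfined — but it is still dead policy. Add a file context next to the rssh line, with the path confirmed from the package: `<PATH-TO-rssh_chroot_helper> -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)`.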
diff --git a/policy/modules/contrib/rsync.fc b/policy/modules/contrib/rsync.fc
new file mode 100644
index 00000000..479615be
--- /dev/null
+++ b/policy/modules/contrib/rsync.fc
@@ -0,0 +1,7 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
+
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
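Review bot: The rsync_etc_t entry writes its context as `rsync_etc_t, s0` with a space after the comma, while the other three entries in this file and every other .fc hunk in this series use the `type,s0` form; change it to `gen_context(system_u:object_r:rsync_etc_t,s0)` so the file is consistent and easy to grep. Only rsyncd.conf is labeled rsync_etc_t, so an rsyncd secrets file referenced from the config would fall under the generic etc label; it is worth confirming whether rsync_read_config is expected to cover it.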
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
new file mode 100644
index 00000000..3386f297
--- /dev/null
+++ b/policy/modules/contrib/rsync.if
@@ -0,0 +1,143 @@
+## <summary>Fast incremental file transfer for synchronization</summary>
+
+########################################
+## <summary>
+## Make rsync an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which init scripts are an entrypoint.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute a rsync in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a rsync in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for portage
+interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_auto_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute rsync in the caller domain domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ can_exec($1, rsync_exec_t)
+')
+
+########################################
+## <summary>
+## Read rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
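Review bot: rsync_write_config grants only `read_file_perms` on rsync_etc_t, so a domain using this interface to write the config is denied; the body is a verbatim copy of rsync_read_config. Change the allow to `allow $1 rsync_etc_t:file rw_file_perms;` (or `write_file_perms` if read access is not intended). Separately, the rsync_exec summary reads "caller domain domain", and the `<desc>` of rsync_entry_spec_domtrans duplicates rsync_entry_domtrans word for word even though one uses domain_trans and the other domain_auto_trans; the spec variant's description should state that the transition is not automatic and must be requested by the caller.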
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
new file mode 100644
index 00000000..5c17e847
--- /dev/null
+++ b/policy/modules/contrib/rsync.te
@@ -0,0 +1,133 @@
+policy_module(rsync, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rsync to export any files/directories read only.
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write, false)
+
+type rsync_t;
+type rsync_exec_t;
+init_daemon_domain(rsync_t, rsync_exec_t)
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
+
+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
+type rsync_data_t;
+files_type(rsync_data_t)
+
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
+type rsync_tmp_t;
+files_tmp_file(rsync_tmp_t)
+
+type rsync_var_run_t;
+files_pid_file(rsync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:process signal_perms;
+allow rsync_t self:fifo_file rw_fifo_file_perms;
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
+
+allow rsync_t rsync_etc_t:file read_file_perms;
+
+allow rsync_t rsync_data_t:dir list_dir_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+logging_log_filetrans(rsync_t, rsync_log_t, file)
+
+manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
+
+manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
+files_pid_filetrans(rsync_t, rsync_var_run_t, file)
+
+kernel_read_kernel_sysctls(rsync_t)
+kernel_read_system_state(rsync_t)
+kernel_read_network_state(rsync_t)
+
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
+corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
+corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
+corenet_tcp_bind_generic_node(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
+
+dev_read_urand(rsync_t)
+
+fs_getattr_xattr_fs(rsync_t)
+
+files_read_etc_files(rsync_t)
+files_search_home(rsync_t)
+
+auth_use_nsswitch(rsync_t)
+
+logging_send_syslog_msg(rsync_t)
+
+miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)
+
+tunable_policy(`allow_rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(rsync_t)
+')
+
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
+
+tunable_policy(`rsync_export_all_ro',`
+ fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
+ auth_read_all_dirs_except_auth_files(rsync_t)
+ auth_read_all_files_except_auth_files(rsync_t)
+ auth_read_all_symlinks_except_auth_files(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+')
+auth_can_read_shadow_passwords(rsync_t)
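Review bot: `auth_can_read_shadow_passwords(rsync_t)` is appended directly after the `rsync_export_all_ro` tunable block with no blank line and no comment, so it reads like a stray line that was meant to be inside the block. If this is the usual refpolicy arrangement where the attribute assignment cannot live inside a conditional and the actual read access is gated by `auth_tunable_read_shadow` above, say so with a comment such as `# attribute assignment cannot be conditional; actual shadow access is gated by rsync_export_all_ro above`, preceded by a blank line. The tunable `allow_rsync_anon_write` also does not follow the `rsync_*` prefix used by rsync_export_all_ro in the same file; if it is kept for compatibility, a comment noting that would prevent a later "fix".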
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
new file mode 100644
index 00000000..52c441e1
--- /dev/null
+++ b/policy/modules/contrib/rtkit.fc
@@ -0,0 +1 @@
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
new file mode 100644
index 00000000..46dad1f9
--- /dev/null
+++ b/policy/modules/contrib/rtkit.if
@@ -0,0 +1,60 @@
+## <summary>Realtime scheduling for user processes.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rtkit_daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_domtrans',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rtkit_daemon_t:dbus send_msg;
+ allow rtkit_daemon_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow rtkit to control scheduling for your process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_scheduled',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
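Review bot: The summary of `rtkit_scheduled` (the interface ending at this line) understates what it grants: besides `getsched setsched` on the caller's processes it also lets rtkit_daemon_t read the domain's /proc state via `ps_process_pattern` and opens a two-way dbus channel through `rtkit_daemon_dbus_chat`. Suggest rewording it to `## Allow rtkit_daemon to read the process state of, and change the scheduling of, the specified domain, and exchange dbus messages with it.` The "your process" phrasing is also out of step with the "specified domain" wording used by the other interfaces in these files.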
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
new file mode 100644
index 00000000..6f8e2682
--- /dev/null
+++ b/policy/modules/contrib/rtkit.te
@@ -0,0 +1,35 @@
+policy_module(rtkit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtkit_daemon_t;
+type rtkit_daemon_exec_t;
+dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+########################################
+#
+# rtkit_daemon local policy
+#
+
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+kernel_read_system_state(rtkit_daemon_t)
+
+domain_getsched_all_domains(rtkit_daemon_t)
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t)
+
+auth_use_nsswitch(rtkit_daemon_t)
+
+logging_send_syslog_msg(rtkit_daemon_t)
+
+miscfiles_read_localization(rtkit_daemon_t)
+
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+')
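Review bot: The line `allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };` carries no comment on why each capability is needed, and `sys_ptrace` combined with `domain_read_all_domains_state` is the broadest grant in this module. A short why-comment above it would let the next maintainer audit it, e.g. `# sys_ptrace/dac_read_search: presumably for reading other processes' /proc state -- confirm against rtkit-daemon` with a similar line for `setuid setgid sys_chroot`, which read like privilege-drop and sandboxing needs but are not explained here. Any capability that cannot be justified from the daemon's actual behaviour should be dropped rather than kept as a precaution.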
diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc
new file mode 100644
index 00000000..bc048cef
--- /dev/null
+++ b/policy/modules/contrib/rwho.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
+/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
+/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
new file mode 100644
index 00000000..71ea0eab
--- /dev/null
+++ b/policy/modules/contrib/rwho.if
@@ -0,0 +1,154 @@
+## <summary>Who is logged in on other machines?</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rwho.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rwho_domtrans',`
+ gen_require(`
+ type rwho_t, rwho_exec_t;
+ ')
+
+ domtrans_pattern($1, rwho_exec_t, rwho_t)
+')
+
+########################################
+## <summary>
+## Search rwho log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_log',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:dir search_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Read rwho log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:file read_file_perms;
+ allow $1 rwho_log_t:dir list_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Search rwho spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_search_spool',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ allow $1 rwho_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_read_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ read_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rwho spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rwho_manage_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rwho environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rwho_admin',`
+ gen_require(`
+ type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_initrc_exec_t;
+ ')
+
+ allow $1 rwho_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rwho_t)
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rwho_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, rwho_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, rwho_spool_t)
+')
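Review bot: `rwho_read_log_files` spells out `allow $1 rwho_log_t:file read_file_perms;` and `allow $1 rwho_log_t:dir list_dir_perms;` by hand while its sibling `rwho_read_spool_files` uses `read_files_pattern($1, rwho_spool_t, rwho_spool_t)`; the log interface should use the same form, `read_files_pattern($1, rwho_log_t, rwho_log_t)`, so the two read interfaces are consistent and the directory access comes from the shared pattern. The search and manage interfaces already pair up cleanly between log and spool, so this is the only stylistic mismatch in the file.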
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
new file mode 100644
index 00000000..a07b2f40
--- /dev/null
+++ b/policy/modules/contrib/rwho.te
@@ -0,0 +1,60 @@
+policy_module(rwho, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type rwho_t;
+type rwho_exec_t;
+init_daemon_domain(rwho_t, rwho_exec_t)
+
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
+type rwho_log_t;
+files_type(rwho_log_t)
+
+type rwho_spool_t;
+files_type(rwho_spool_t)
+
+########################################
+#
+# rwho local policy
+#
+
+allow rwho_t self:capability sys_chroot;
+allow rwho_t self:unix_dgram_socket create;
+allow rwho_t self:fifo_file rw_file_perms;
+allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+allow rwho_t self:udp_socket create_socket_perms;
+
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
+allow rwho_t rwho_spool_t:dir manage_dir_perms;
+allow rwho_t rwho_spool_t:file manage_file_perms;
+files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+
+kernel_read_system_state(rwho_t)
+
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
+corenet_udp_sendrecv_generic_if(rwho_t)
+corenet_udp_sendrecv_generic_node(rwho_t)
+corenet_udp_sendrecv_all_ports(rwho_t)
+corenet_udp_bind_generic_node(rwho_t)
+corenet_udp_bind_rwho_port(rwho_t)
+corenet_sendrecv_rwho_server_packets(rwho_t)
+
+domain_use_interactive_fds(rwho_t)
+
+files_read_etc_files(rwho_t)
+
+init_read_utmp(rwho_t)
+init_dontaudit_write_utmp(rwho_t)
+
+miscfiles_read_localization(rwho_t)
+
+sysnet_dns_name_resolve(rwho_t)
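Review bot: `rwho_log_t` is declared with `files_type(rwho_log_t)` at the top of the hunk, yet the local policy calls `logging_log_filetrans(rwho_t, rwho_log_t, { file dir })` and the .if interfaces pair it with `logging_search_logs`; declaring it as `logging_log_file(rwho_log_t)` instead gives it the log-file attribute so the generic log-reading and log-administration interfaces cover it like other modules' logs. The hand-written `allow rwho_t rwho_log_t:dir manage_dir_perms;` / `:file manage_file_perms;` pairs for log and spool could likewise be collapsed to `manage_dirs_pattern(rwho_t, rwho_log_t, rwho_log_t)` and `manage_files_pattern(rwho_t, rwho_log_t, rwho_log_t)` (and the same for `rwho_spool_t`), matching the style used in rsync.te earlier in this diff.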
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
new file mode 100644
index 00000000..69a6074f
--- /dev/null
+++ b/policy/modules/contrib/samba.fc
@@ -0,0 +1,53 @@
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
new file mode 100644
index 00000000..82cb169c
--- /dev/null
+++ b/policy/modules/contrib/samba.if
@@ -0,0 +1,730 @@
+## <summary>
+## SMB and CIFS client/server programs for UNIX and
+## name Service Switch daemon for resolving names
+## from Windows NT servers.
+## </summary>
+
+########################################
+## <summary>
+## Execute nmbd net in the nmbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_nmbd',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+#######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_nmbd',`
+ gen_require(`
+ type nmbd_t;
+ ')
+ allow $1 nmbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_net',`
+ gen_require(`
+ type samba_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_net_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_net',`
+ gen_require(`
+ type samba_net_t;
+ ')
+
+ samba_domtrans_net($1)
+ role $2 types samba_net_t;
+')
+
+########################################
+## <summary>
+## Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+ gen_require(`
+ type smbmount_t, smbmount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbmount_exec_t, smbmount_t)
+')
+
+########################################
+## <summary>
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smbmount',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ samba_domtrans_smbmount($1)
+ role $2 types smbmount_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_rw_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_read_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ read_files_pattern($1, samba_log_t, samba_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to samba's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_append_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ allow $1 samba_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Execute samba log in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_exec_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ can_exec($1, samba_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_secrets',`
+ gen_require(`
+ type samba_secrets_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_secrets_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## samba /var directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write samba
+## /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read and write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## read and write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_manage_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+')
+
+########################################
+## <summary>
+## Execute smbd in the smbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbd',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signal_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from samba.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_write_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read and write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute winbind_helper in the winbind_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t, winbind_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+')
+
+########################################
+## <summary>
+## Execute winbind_helper in the winbind_helper domain, and
+## allow the specified role the winbind_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t;
+ ')
+
+ samba_domtrans_winbind_helper($1)
+ role $2 types winbind_helper_t;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read the winbind pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to winbind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_stream_connect_winbind',`
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+ type winbind_tmp_t;
+ ')
+
+ # the default for the socket is (poorly named):
+ # /tmp/.winbindd/pipe
+ files_search_tmp($1)
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an samba environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the samba domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_admin',`
+ gen_require(`
+ type nmbd_t, nmbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type smbd_var_run_t;
+ type smbd_spool_t;
+
+ type samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t;
+ type samba_secrets_t;
+
+ type swat_var_run_t, swat_tmp_t;
+
+ type winbind_var_run_t, winbind_tmp_t;
+ type winbind_log_t;
+
+ type samba_initrc_exec_t;
+ ')
+
+ allow $1 smbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smbd_t)
+
+ allow $1 nmbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nmbd_t)
+
+ samba_run_smbcontrol($1, $2, $3)
+ samba_run_winbind_helper($1, $2, $3)
+ samba_run_smbmount($1, $2, $3)
+ samba_run_net($1, $2, $3)
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 samba_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, nmbd_var_run_t)
+
+ admin_pattern($1, samba_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, samba_log_t)
+ logging_list_logs($1)
+
+ admin_pattern($1, samba_secrets_t)
+
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+ admin_pattern($1, smbd_spool_t)
+ files_list_spool($1)
+
+ admin_pattern($1, smbd_var_run_t)
+ files_list_pids($1)
+
+ admin_pattern($1, smbd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, swat_var_run_t)
+
+ admin_pattern($1, swat_tmp_t)
+
+ admin_pattern($1, winbind_log_t)
+
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+')
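Review bot: `samba_read_secrets` grants `read_file_perms` on `samba_secrets_t` plus `files_search_etc`, but the files it covers live under /etc/samba, which samba.fc labels `samba_etc_t`; without `allow $1 samba_etc_t:dir search_dir_perms;` (and `type samba_etc_t;` added to its gen_require) a caller that has not separately called `samba_read_config` cannot reach them. Two documentation slips: `samba_manage_config` and `samba_manage_var_files` copy the "read and write" summaries of their `rw_` siblings and should read `Create, read, write, and delete samba configuration files` and `... samba /var files` respectively. In `samba_admin`, the four `samba_run_*($1, $2, $3)` calls pass a third argument that the two-parameter interfaces never use; drop `$3` so the calls match their signatures.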
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
new file mode 100644
index 00000000..fff6675d
--- /dev/null
+++ b/policy/modules/contrib/samba.te
@@ -0,0 +1,939 @@
+policy_module(samba, 1.14.0)
+
+#################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow samba to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
+## <desc>
+## <p>
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+## </p>
+## </desc>
+gen_tunable(samba_domain_controller, false)
+
+## <desc>
+## <p>
+## Allow samba to share users home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs, false)
+
+## <desc>
+## <p>
+## Allow samba to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow samba to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(samba_export_all_rw, false)
+
+## <desc>
+## <p>
+## Allow samba to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(samba_run_unconfined, false)
+
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs, false)
+
+## <desc>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_fusefs, false)
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t, nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t;
+files_config_file(samba_etc_t)
+
+type samba_initrc_exec_t;
+init_script_file(samba_initrc_exec_t)
+
+type samba_log_t;
+logging_log_file(samba_log_t)
+
+type samba_net_t;
+type samba_net_exec_t;
+application_domain(samba_net_t, samba_net_exec_t)
+role system_r types samba_net_t;
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; # customizable
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t, smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
+
+type swat_t;
+type swat_exec_t;
+domain_type(swat_t)
+domain_entry_file(swat_t, swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
+type winbind_t;
+type winbind_exec_t;
+init_daemon_domain(winbind_t, winbind_exec_t)
+
+type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
+type winbind_helper_exec_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
+type winbind_tmp_t;
+files_tmp_file(winbind_tmp_t)
+
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+########################################
+#
+# Samba net local policy
+#
+allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file read_file_perms;
+
+manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+
+kernel_read_proc_symlinks(samba_net_t)
+kernel_read_system_state(samba_net_t)
+
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
+corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
+corenet_tcp_sendrecv_generic_node(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_interactive_fds(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+files_read_usr_symlinks(samba_net_t)
+
+auth_use_nsswitch(samba_net_t)
+auth_manage_cache(samba_net_t)
+
+logging_send_syslog_msg(samba_net_t)
+
+miscfiles_read_localization(samba_net_t)
+
+samba_read_var_files(samba_net_t)
+
+userdom_use_user_terminals(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
+
+optional_policy(`
+ pcscd_read_pub_files(samba_net_t)
+')
+
+optional_policy(`
+ kerberos_use(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_fifo_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t nmbd_t:process { signal signull };
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
+
+allow smbd_t samba_net_tmp_t:file getattr;
+
+manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
+filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
+
+manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
+
+allow smbd_t smbcontrol_t:process { signal signull };
+
+manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+files_pid_filetrans(smbd_t, smbd_var_run_t, file)
+
+allow smbd_t swat_t:process signal;
+
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
+
+kernel_getattr_core_if(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_fs_sysctls(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
+
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
+corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
+corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_tcp_bind_generic_node(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
+dev_getattr_all_blk_files(smbd_t)
+dev_getattr_all_chr_files(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+fs_getattr_rpc_dirs(smbd_t)
+fs_list_inotifyfs(smbd_t)
+
+auth_use_nsswitch(smbd_t)
+auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
+
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
+init_rw_utmp(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
+
+userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
+userdom_signal_all_users(smbd_t)
+
+usermanage_read_crack_db(smbd_t)
+
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
+tunable_policy(`allow_smbd_anon_write',`
+ miscfiles_manage_public_files(smbd_t)
+')
+
+tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
+')
+
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(smbd_t)
+ userdom_manage_user_home_content_files(smbd_t)
+ userdom_manage_user_home_content_symlinks(smbd_t)
+ userdom_manage_user_home_content_sockets(smbd_t)
+ userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+')
+
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+# Support Samba sharing of ntfs/fusefs mount points
+tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+',`
+ fs_search_fusefs(smbd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
+')
+
+optional_policy(`
+ kerberos_use(smbd_t)
+ kerberos_keytab_template(smbd, smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
+optional_policy(`
+ qemu_manage_tmp_dirs(smbd_t)
+ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`
+ udev_read_db(smbd_t)
+')
+
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+ userdom_home_filetrans_user_home_dir(smbd_t)
+')
+
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_dirs_except_auth_files(smbd_t)
+ auth_read_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_dirs_except_auth_files(nmbd_t)
+ auth_read_all_files_except_auth_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_manage_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_manage_all_files_except_auth_files(nmbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+')
+
+########################################
+#
+# nmbd Local policy
+#
+
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_fifo_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+
+read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
+allow nmbd_t smbcontrol_t:process signal;
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core_if(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
+corenet_tcp_sendrecv_generic_if(nmbd_t)
+corenet_udp_sendrecv_generic_if(nmbd_t)
+corenet_tcp_sendrecv_generic_node(nmbd_t)
+corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
+corenet_udp_bind_generic_node(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
+corenet_tcp_connect_smbd_port(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+domain_use_interactive_fds(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+files_list_var_lib(nmbd_t)
+
+auth_use_nsswitch(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+userdom_use_unpriv_users_fds(nmbd_t)
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`
+ udev_read_db(nmbd_t)
+')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
+
+allow smbcontrol_t smbd_t:process signal;
+
+allow smbcontrol_t winbind_t:process { signal signull };
+
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+domain_use_interactive_fds(smbcontrol_t)
+
+files_read_etc_files(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+userdom_use_user_terminals(smbcontrol_t)
+
+########################################
+#
+# smbmount Local policy
+#
+
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir list_dir_perms;
+allow smbmount_t samba_etc_t:file read_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
+
+allow smbmount_t samba_secrets_t:file manage_file_perms;
+
+manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+files_list_var_lib(smbmount_t)
+
+kernel_read_system_state(smbmount_t)
+
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
+corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
+corenet_tcp_sendrecv_generic_node(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
+files_read_etc_files(smbmount_t)
+
+auth_use_nsswitch(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fds(smbmount_t)
+
+locallogin_use_fds(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+userdom_use_user_terminals(smbmount_t)
+userdom_use_all_users_fds(smbmount_t)
+
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
+########################################
+#
+# SWAT Local policy
+#
+
+allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
+allow swat_t self:fifo_file rw_fifo_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+allow swat_t self:unix_stream_socket connectto;
+
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
+
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
+
+rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+
+allow swat_t smbd_exec_t:file mmap_file_perms ;
+
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+
+manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
+manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
+files_pid_filetrans(swat_t, swat_var_run_t, file)
+
+allow swat_t winbind_exec_t:file mmap_file_perms;
+domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
+
+kernel_read_kernel_sysctls(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corecmd_search_bin(swat_t)
+
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_generic_node(swat_t)
+corenet_udp_sendrecv_generic_node(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_connect_smbd_port(swat_t)
+corenet_tcp_connect_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
+
+dev_read_urand(swat_t)
+
+files_list_var_lib(swat_t)
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+files_read_usr_files(swat_t)
+fs_getattr_xattr_fs(swat_t)
+
+auth_domtrans_chk_passwd(swat_t)
+auth_use_nsswitch(swat_t)
+
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
+logging_search_logs(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+optional_policy(`
+ cups_read_rw_config(swat_t)
+ cups_stream_connect(swat_t)
+')
+
+optional_policy(`
+ inetd_service_domain(swat_t, swat_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(swat_t)
+')
+
+########################################
+#
+# Winbind local policy
+#
+
+allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:process { signal_perms getsched setsched };
+allow winbind_t self:fifo_file rw_fifo_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
+
+allow winbind_t nmbd_t:process { signal signull };
+
+allow winbind_t nmbd_var_run_t:file read_file_perms;
+
+allow winbind_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+files_list_var_lib(winbind_t)
+
+rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+
+allow winbind_t winbind_log_t:file manage_file_perms;
+logging_log_filetrans(winbind_t, winbind_log_t, file)
+
+manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+
+manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+
+kernel_read_kernel_sysctls(winbind_t)
+kernel_read_system_state(winbind_t)
+
+corecmd_exec_bin(winbind_t)
+
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
+corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_udp_sendrecv_generic_if(winbind_t)
+corenet_raw_sendrecv_generic_if(winbind_t)
+corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_udp_sendrecv_generic_node(winbind_t)
+corenet_raw_sendrecv_generic_node(winbind_t)
+corenet_tcp_sendrecv_all_ports(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_epmap_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
+
+dev_read_sysfs(winbind_t)
+dev_read_urand(winbind_t)
+
+fs_getattr_all_fs(winbind_t)
+fs_search_auto_mountpoints(winbind_t)
+
+auth_domtrans_chk_passwd(winbind_t)
+auth_use_nsswitch(winbind_t)
+auth_manage_cache(winbind_t)
+
+domain_use_interactive_fds(winbind_t)
+
+files_read_etc_files(winbind_t)
+files_read_usr_symlinks(winbind_t)
+
+logging_send_syslog_msg(winbind_t)
+
+miscfiles_read_localization(winbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+userdom_manage_user_home_content_dirs(winbind_t)
+userdom_manage_user_home_content_files(winbind_t)
+userdom_manage_user_home_content_symlinks(winbind_t)
+userdom_manage_user_home_content_pipes(winbind_t)
+userdom_manage_user_home_content_sockets(winbind_t)
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ kerberos_use(winbind_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(winbind_t)
+')
+
+optional_policy(`
+ udev_read_db(winbind_t)
+')
+
+########################################
+#
+# Winbind helper local policy
+#
+
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+allow winbind_helper_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+
+allow winbind_helper_t samba_var_t:dir search_dir_perms;
+files_list_var_lib(winbind_helper_t)
+
+allow winbind_t smbcontrol_t:process signal;
+
+stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+term_list_ptys(winbind_helper_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+auth_use_nsswitch(winbind_helper_t)
+
+logging_send_syslog_msg(winbind_helper_t)
+
+miscfiles_read_localization(winbind_helper_t)
+
+userdom_use_user_terminals(winbind_helper_t)
+
+optional_policy(`
+ apache_append_log(winbind_helper_t)
+')
+
+optional_policy(`
+ squid_read_log(winbind_helper_t)
+ squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
+')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
+ domain_type(samba_unconfined_script_t)
+ domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+ corecmd_shell_entry_type(samba_unconfined_script_t)
+ role system_r types samba_unconfined_script_t;
+
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+ unconfined_domain(samba_unconfined_script_t)
+
+ tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ')
+')
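Review bot: `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` reference the corenetwork port types directly, while the rest of this file goes through the interfaces (`corenet_tcp_bind_smbd_port(smbd_t)`, `corenet_udp_bind_nmbd_port(nmbd_t)`); neither type is declared here or pulled in with a gen_require, so a modular build would likely fail on them, and the two lines should become `corenet_tcp_bind_smbd_port(swat_t)` and `corenet_udp_bind_nmbd_port(swat_t)`. Two smaller redundancies in the smbd section: `allow smbd_t self:process setrlimit;` re-grants what the preceding `~{ … setrlimit … }` line excludes, and `allow smbd_t self:capability chown;` inside the samba_create_home_dirs block duplicates the unconditional chown grant at the top of the section. `allow winbind_t smbcontrol_t:process signal;` sits in the winbind helper section and belongs with the other winbind_t rules. On the privilege side, the samba_export_all_ro and samba_export_all_rw blocks give nmbd_t the same read or manage access to all non-auth files as smbd_t, which looks broader than a name service needs and deserves a comment stating why it is required.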
diff --git a/policy/modules/contrib/sambagui.fc b/policy/modules/contrib/sambagui.fc
new file mode 100644
index 00000000..c13d607c
--- /dev/null
+++ b/policy/modules/contrib/sambagui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
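Review bot: The `.` in `system-config-samba-mechanism.py` is unescaped; file-context paths are regular expressions, and the samhain.fc hunk in this same commit escapes its dots (`init\.d`, `samhain\.pid`). Write `/usr/share/system-config-samba/system-config-samba-mechanism\.py` so the entry matches only the literal filename.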
diff --git a/policy/modules/contrib/sambagui.if b/policy/modules/contrib/sambagui.if
new file mode 100644
index 00000000..b31ed107
--- /dev/null
+++ b/policy/modules/contrib/sambagui.if
@@ -0,0 +1,2 @@
+## <summary>system-config-samba dbus service policy</summary>
+
diff --git a/policy/modules/contrib/sambagui.te b/policy/modules/contrib/sambagui.te
new file mode 100644
index 00000000..1898dbde
--- /dev/null
+++ b/policy/modules/contrib/sambagui.te
@@ -0,0 +1,61 @@
+policy_module(sambagui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_read_usr_files(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
+
+optional_policy(`
+ # handling with samba conf files
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
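Review bot: `allow sambagui_t self:capability dac_override;` at the top of the local policy has no comment saying which access needs it, while the neighbouring blocks are annotated (`# read meminfo`, `# execut apps of system-config-samba`); since this domain also reads the secrets file via `samba_read_secrets` and transitions into smbd_t and nmbd_t, a one-line why-comment such as `# dac_override: needed to rewrite root-owned samba config files` (confirm against the mechanism) lets a later reviewer check whether the capability is still required. The comment on the corecmd block also has a typo and should read `# execute apps of system-config-samba`.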
diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc
new file mode 100644
index 00000000..94b2f738
--- /dev/null
+++ b/policy/modules/contrib/samhain.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
+
+/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+
+/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
+
+/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+
+/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
new file mode 100644
index 00000000..c040ebf8
--- /dev/null
+++ b/policy/modules/contrib/samhain.if
@@ -0,0 +1,292 @@
+## <summary>Samhain - check file integrity</summary>
+
+#######################################
+## <summary>
+## The template containing the most basic rules
+## common to the samhain domains.
+## </summary>
+## <param name="samhaindomain_prefix">
+## <summary>
+## The prefix of the samhain domains(e.g., samhain
+## for the domain of command line access, samhaind
+## for the domain started by init script).
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`samhain_service_template',`
+ gen_require(`
+ type etc_t, samhain_etc_t, samhain_exec_t;
+ type samhain_log_t, samhain_var_run_t;
+ ')
+
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, samhain_exec_t)
+
+ allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
+ dontaudit $1_t self:capability { sys_resource sys_ptrace };
+ allow $1_t self:fd use;
+ allow $1_t self:process { setsched setrlimit signull };
+
+ allow $1_t samhain_etc_t:file read_file_perms;
+ files_search_etc($1_t)
+
+ manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
+ logging_log_filetrans($1_t, samhain_log_t, file)
+
+ manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
+ files_pid_filetrans($1_t, samhain_var_run_t, file)
+
+ # Samhain needs to get the attribute of /proc/kcore.
+ kernel_getattr_core_if($1_t)
+
+ corecmd_list_bin($1_t)
+ corecmd_read_bin_symlinks($1_t)
+
+ # To get entropy
+ dev_read_urand($1_t)
+ dev_dontaudit_read_rand($1_t)
+
+ # Get the attributes of all kinds of files in the rootfs.
+ dev_getattr_all_blk_files($1_t)
+ dev_getattr_all_chr_files($1_t)
+ dev_getattr_generic_blk_files($1_t)
+ dev_getattr_generic_chr_files($1_t)
+
+ files_getattr_all_dirs($1_t)
+ files_getattr_all_files($1_t)
+ files_getattr_all_symlinks($1_t)
+ files_getattr_all_pipes($1_t)
+ files_getattr_all_sockets($1_t)
+ files_getattr_all_mountpoints($1_t)
+ files_read_all_files($1_t)
+ files_read_all_symlinks($1_t)
+
+ # Get the attribute of other filesystems mountpoint, such as /selinux
+ # /proc, /sys and /tmp, but not the contents inside, which suggests
+ # that following rules should be set in samhain configuration file:
+ # [Attributes]
+ # file = /tmp
+ # file = /proc
+ # file = /sys
+ # file = /selinux
+ # [IgnoreALL]
+ # dir = -1/tmp
+ # dir = -1/proc
+ # dir = -1/sys
+ # dir = -1/selinux
+ fs_getattr_all_dirs($1_t)
+
+ # Samhain pid, log and log.lock files are all in directories of s0,
+ # while samhain daemon is running with the clearance level.
+ mls_file_write_all_levels($1_t)
+
+ # Read from utmp when monitoring login/logout events.
+ auth_read_login_records($1_t)
+
+ # Read from wtmp when monitoring login/logout events.
+ init_read_utmp($1_t)
+
+ logging_send_syslog_msg($1_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samhain_domtrans',`
+ gen_require(`
+ type samhain_t, samhain_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samhain_exec_t, samhain_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain domain with the clearance security
+## level and allow the specifiled role the samhain domain.
+## </summary>
+## <desc>
+## <p>
+## Execute samhain in the samhain domain with the clearance security
+## level and allow the specifiled role the samhain domain.
+## </p>
+## <p>
+## The range_transition rule used in this interface requires that
+## the calling domain should have the clearance security level
+## otherwise the MLS constraint for process transition would fail.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samhain_run',`
+ gen_require(`
+ type samhain_t, samhain_exec_t;
+ ')
+
+ samhain_domtrans($1)
+ role $2 types samhain_t;
+
+ ifdef(`enable_mls', `
+ range_transition $1 samhain_exec_t:process mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Manage samhain configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_config_files',`
+ gen_require(`
+ type samhain_etc_t;
+ ')
+
+ files_rw_etc_dirs($1)
+ allow $1 samhain_etc_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Manage samhain database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_db_files',`
+ gen_require(`
+ type samhain_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, samhain_db_t, samhain_db_t)
+')
+
+#######################################
+## <summary>
+## Manage samhain init script files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_init_script_files',`
+ gen_require(`
+ type samhain_initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Manage samhain log and log.lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_log_files',`
+ gen_require(`
+ type samhain_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, samhain_log_t, samhain_log_t)
+')
+
+########################################
+## <summary>
+## Manage samhain pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_pid_files',`
+ gen_require(`
+ type samhain_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## the samhain environment.
+## </summary>
+## <desc>
+## <p>
+## This interface assumes that the calling domain has been able to
+## remove an entry from /var/lib/ or /var/log/ and belongs to the
+## mlsfilewrite attribute, since samhain files may be of clearance
+## security level while their parent directories are of s0.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_admin',`
+ gen_require(`
+ type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+ type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ ')
+
+ allow $1 samhain_t:process { ptrace signal_perms };
+ ps_process_pattern($1, samhain_t)
+
+ allow $1 samhaind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, samhaind_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, samhain_db_t)
+
+ files_list_etc($1)
+ admin_pattern($1, samhain_etc_t)
+ admin_pattern($1, samhain_initrc_exec_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, samhain_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, samhain_var_run_t)
+')
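Review bot: samhain_admin (last interface) lets the caller edit the init script via `admin_pattern($1, samhain_initrc_exec_t)` but never lets it run the script in the init domain: unlike sanlock_admin and sasl_admin in this same change it takes no role and has no init_labeled_script_domtrans, domain_system_change_exemption or role_transition, so an administrator using this interface cannot start or stop samhaind. Since the file is new, adding a second `role` parameter (with the matching `<param name="role">` block and `<rolecap/>` in the header comment) plus the four init-script rules below brings it in line with the other admin interfaces. Separately, `etc_t` in samhain_service_template's gen_require is never referenced and can be dropped.
```selinux
interface(`samhain_admin',`
	# … unchanged: gen_require and the ptrace/ps_process_pattern rules …

	# Let the admin start and stop samhaind through its init script;
	# sanlock_admin and sasl_admin in this change do the same.
	init_labeled_script_domtrans($1, samhain_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 samhain_initrc_exec_t system_r;
	allow $2 system_r;

	# … unchanged: admin_pattern rules for the db, etc, initrc, log and pid types …
')
```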
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
new file mode 100644
index 00000000..acd17003
--- /dev/null
+++ b/policy/modules/contrib/samhain.te
@@ -0,0 +1,76 @@
+policy_module(samhain, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type samhain_etc_t;
+files_config_file(samhain_etc_t)
+
+type samhain_exec_t;
+corecmd_executable_file(samhain_exec_t)
+
+type samhain_log_t;
+logging_log_file(samhain_log_t)
+
+# Filesystem signature database
+type samhain_db_t;
+files_type(samhain_db_t)
+
+type samhain_initrc_exec_t;
+init_script_file(samhain_initrc_exec_t)
+
+type samhain_var_run_t;
+files_pid_file(samhain_var_run_t)
+
+# Domain for command line access
+samhain_service_template(samhain)
+application_domain(samhain_t, samhain_exec_t)
+
+# Domain for samhain service started by samhain init script
+samhain_service_template(samhaind)
+
+ifdef(`enable_mcs',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Samhain local policy
+#
+
+manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
+
+domain_use_interactive_fds(samhain_t)
+
+seutil_sigchld_newrole(samhain_t)
+
+userdom_use_user_terminals(samhain_t)
+
+########################################
+#
+# Samhaind local policy
+#
+
+# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t
+# Need signull to get the status of samhain_t
+allow samhaind_t { samhain_t self }:process signal_perms;
+
+# Only needed when starting samhain daemon from its init script.
+can_exec(samhaind_t, samhain_exec_t)
+
+read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(samhaind_t)
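Review bot: samhain_t, the interactive domain that samhain_run hands to whatever role is passed in, gets `manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)` on the signature baseline that samhaind_t only reads (`read_files_pattern` further down), and both domains receive manage rights on samhain_log_t from the template, so whoever can enter samhain_t can rewrite the baseline and truncate the daemon's log. That is presumably deliberate (initialising the database is a command-line job), but it makes samhain_run a security-administrator privilege and the file should say so; a comment above the db rules such as `# samhain_t owns the baseline database samhaind_t verifies against; grant samhain_run only to the security administrator role` would do. Whether samhain's own signed-database feature mitigates this is outside what the policy shows. Also, `termiate` in the signal_perms comment is a typo.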
diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc
new file mode 100644
index 00000000..5d1826c4
--- /dev/null
+++ b/policy/modules/contrib/sanlock.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
+
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
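Review bot: The `/var/log/sanlock\.log` entry is the only one in this file without a `--` file-type field, so it will also match a directory or symlink of that name, unlike its sibling entries, while the daemon itself only ever creates a regular file there (`logging_log_filetrans(sanlock_t, sanlock_log_t, file)` in sanlock.te). Change it to `/var/log/sanlock\.log -- gen_context(system_u:object_r:sanlock_log_t,s0)`.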
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
new file mode 100644
index 00000000..cfe31720
--- /dev/null
+++ b/policy/modules/contrib/sanlock.if
@@ -0,0 +1,107 @@
+## <summary>policy for sanlock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sanlock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans',`
+ gen_require(`
+ type sanlock_t, sanlock_exec_t;
+ ')
+
+ domtrans_pattern($1, sanlock_exec_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## Execute sanlock server in the sanlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`sanlock_initrc_domtrans',`
+ gen_require(`
+ type sanlock_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete sanlock PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_manage_pid_files',`
+ gen_require(`
+ type sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to sanlock over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+ gen_require(`
+ type sanlock_t, sanlock_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sanlock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sanlock_admin',`
+ gen_require(`
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
+ ')
+
+ allow $1 sanlock_t:process signal_perms;
+ ps_process_pattern($1, sanlock_t)
+
+ sanlock_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sanlock_initrc_exec_t system_r;
+ allow $2 system_r;
+')
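Review bot: sanlock_admin (last interface) covers the process and the init script but none of the daemon's files: sanlock_var_run_t (pid dir and socket) and sanlock_log_t are declared in sanlock.te yet get no admin_pattern here, so an administrator using only this interface cannot remove a stale pid file or rotate the log, whereas sasl_admin in this same change does manage its pid files. Adding the two types to gen_require plus the four rules below closes the gap. On a smaller note, sanlock_domtrans lacks the `corecmd_search_bin($1)` that samhain_domtrans and sblim_domtrans_gatherd carry, so a caller without search on bin directories cannot reach /usr/sbin/sanlock through it.
```selinux
interface(`sanlock_admin',`
	gen_require(`
		type sanlock_t, sanlock_initrc_exec_t;
		type sanlock_var_run_t, sanlock_log_t;
	')

	# … unchanged: signal_perms, ps_process_pattern, init script domtrans and role rules …

	files_list_pids($1)
	admin_pattern($1, sanlock_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, sanlock_log_t)
')
```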
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
new file mode 100644
index 00000000..e02eb6c9
--- /dev/null
+++ b/policy/modules/contrib/sanlock.te
@@ -0,0 +1,93 @@
+policy_module(sanlock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
+
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
+type sanlock_log_t;
+logging_log_file(sanlock_log_t)
+
+type sanlock_initrc_exec_t;
+init_script_file(sanlock_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# sanlock local policy
+#
+allow sanlock_t self:capability { sys_nice ipc_lock };
+allow sanlock_t self:process { setsched signull };
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+logging_log_filetrans(sanlock_t, sanlock_log_t, file)
+
+manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(sanlock_t)
+
+domain_use_interactive_fds(sanlock_t)
+
+files_read_etc_files(sanlock_t)
+
+storage_raw_rw_fixed_disk(sanlock_t)
+
+dev_read_urand(sanlock_t)
+
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
+logging_send_syslog_msg(sanlock_t)
+
+miscfiles_read_localization(sanlock_t)
+
+tunable_policy(`sanlock_use_nfs',`
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_use_samba',`
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(sanlock_t)
+')
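Review bot: Both tunable descriptions at the top read `Allow confined virtual guests to manage nfs files` / `... cifs files`, which describes the virt module rather than the domain these booleans actually gate (sanlock_t in the two tunable_policy blocks); since `<desc>` text is what users see in the generated boolean documentation, change them to `Allow sanlock to manage nfs files` and `Allow sanlock to manage cifs files`. While here, `storage_raw_rw_fixed_disk(sanlock_t)` is by far the most powerful rule in the file (raw read/write of every fixed disk) and carries no explanation; a comment such as `# sanlock leases live directly on shared raw block devices` (confirm against sanlock's lease storage model) would tell a reviewer why it is needed.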
diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc
new file mode 100644
index 00000000..7e586796
--- /dev/null
+++ b/policy/modules/contrib/sasl.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
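Review bot: `/var/lib/sasl2(/.*)?` is given saslauthd_var_run_t, a files_pid_file type, so a /var/lib tree is labeled and administered as runtime/pid state (sasl_admin reaches it through files_list_pids and admin_pattern on that type) while saslauthd_t only gets files_search_var_lib for it in sasl.te. If this is intentional because the saslauthd mux socket lives under /var/lib/sasl2 on some distributions (verify), say so in a comment above the entry, e.g. `# saslauthd mux socket directory on distributions that use /var/lib/sasl2 instead of /var/run/saslauthd`; otherwise the tree deserves its own var_lib type.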
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
new file mode 100644
index 00000000..f1aea88a
--- /dev/null
+++ b/policy/modules/contrib/sasl.if
@@ -0,0 +1,58 @@
+## <summary>SASL authentication server</summary>
+
+########################################
+## <summary>
+## Connect to SASL.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sasl_connect',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sasl environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sasl_admin',`
+ gen_require(`
+ type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
+ ')
+
+ allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, saslauthd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+')
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
new file mode 100644
index 00000000..9d9f8cef
--- /dev/null
+++ b/policy/modules/contrib/sasl.te
@@ -0,0 +1,110 @@
+policy_module(sasl, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sasl to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow, false)
+
+type saslauthd_t;
+type saslauthd_exec_t;
+init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
+type saslauthd_var_run_t;
+files_pid_file(saslauthd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow saslauthd_t self:capability { setgid setuid };
+dontaudit saslauthd_t self:capability sys_tty_config;
+allow saslauthd_t self:process signal_perms;
+allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
+
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+
+manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
+
+kernel_read_kernel_sysctls(saslauthd_t)
+kernel_read_system_state(saslauthd_t)
+
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
+corenet_tcp_sendrecv_generic_if(saslauthd_t)
+corenet_tcp_sendrecv_generic_node(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+dev_read_urand(saslauthd_t)
+
+fs_getattr_all_fs(saslauthd_t)
+fs_search_auto_mountpoints(saslauthd_t)
+
+selinux_compute_access_vector(saslauthd_t)
+
+auth_use_pam(saslauthd_t)
+
+domain_use_interactive_fds(saslauthd_t)
+
+files_read_etc_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
+init_dontaudit_stream_connect_script(saslauthd_t)
+
+logging_send_syslog_msg(saslauthd_t)
+
+miscfiles_read_localization(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
+
+seutil_dontaudit_read_config(saslauthd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+
+# cjp: typeattribute doesnt work in conditionals
+auth_can_read_shadow_passwords(saslauthd_t)
+tunable_policy(`allow_saslauthd_read_shadow',`
+ auth_tunable_read_shadow(saslauthd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
+')
+
+optional_policy(`
+ mysql_search_db(saslauthd_t)
+ mysql_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(saslauthd_t)
+')
+
+optional_policy(`
+ udev_read_db(saslauthd_t)
+')
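Review bot: `auth_can_read_shadow_passwords(saslauthd_t)` near the end is applied unconditionally while the actual shadow read is gated by allow_saslauthd_read_shadow, and the only explanation is `cjp: typeattribute doesnt work in conditionals`, which leaves a reader to guess whether saslauthd_t can always read shadow. If the attribute exists only to satisfy an assertion in the auth module (as its name suggests; confirm in auth.te), replace the comment with `# Attribute membership cannot be conditional; this only satisfies the auth module's shadow assertion. Actual read access to shadow_t stays behind allow_saslauthd_read_shadow.` A similar why-comment on `corenet_tcp_connect_pop_port`, presumably for the rimap mechanism, would help too.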
diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc
new file mode 100644
index 00000000..17a8a85d
--- /dev/null
+++ b/policy/modules/contrib/sblim.fc
@@ -0,0 +1,5 @@
+/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+
+/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
new file mode 100644
index 00000000..fa24879e
--- /dev/null
+++ b/policy/modules/contrib/sblim.if
@@ -0,0 +1,73 @@
+## <summary> policy for SBLIM Gatherer </summary>
+
+########################################
+## <summary>
+## Transition to gatherd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_domtrans_gatherd',`
+ gen_require(`
+ type sblim_gatherd_t, sblim_gatherd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
+')
+
+########################################
+## <summary>
+## Read gatherd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_read_pid_files',`
+ gen_require(`
+ type sblim_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sblim_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sblim_admin',`
+ gen_require(`
+ type sblim_gatherd_t;
+ type sblim_reposd_t;
+ type sblim_var_run_t;
+ ')
+
+ allow $1 sblim_gatherd_t:process signal_perms;
+ ps_process_pattern($1, sblim_gatherd_t)
+
+ allow $1 sblim_reposd_t:process signal_perms;
+ ps_process_pattern($1, sblim_reposd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
+')
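Review bot: sblim_admin documents a second `role` parameter and is tagged `<rolecap/>`, but its body never references `$2`; there is no sblim init script type in sblim.te for a role_transition, so the parameter is dead and callers are asked to pass a role that has no effect. Either drop the `<param name="role">` block and `<rolecap/>` from the header comment, or, if an initrc type is planned, add `# $2 unused until an init script type exists` inside the body so the mismatch is visible.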
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
new file mode 100644
index 00000000..869f9761
--- /dev/null
+++ b/policy/modules/contrib/sblim.te
@@ -0,0 +1,104 @@
+policy_module(sblim, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute sblim_domain;
+
+type sblim_gatherd_t, sblim_domain;
+type sblim_gatherd_exec_t;
+init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+
+type sblim_reposd_t, sblim_domain;
+type sblim_reposd_exec_t;
+init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+
+type sblim_var_run_t;
+files_pid_file(sblim_var_run_t)
+
+########################################
+#
+# sblim_gatherd local policy
+#
+allow sblim_gatherd_t self:capability dac_override;
+allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_fs_sysctls(sblim_gatherd_t)
+kernel_read_kernel_sysctls(sblim_gatherd_t)
+
+corecmd_exec_bin(sblim_gatherd_t)
+corecmd_exec_shell(sblim_gatherd_t)
+
+corenet_tcp_connect_repository_port(sblim_gatherd_t)
+
+dev_read_rand(sblim_gatherd_t)
+dev_read_urand(sblim_gatherd_t)
+
+domain_read_all_domains_state(sblim_gatherd_t)
+
+fs_getattr_all_fs(sblim_gatherd_t)
+
+sysnet_dns_name_resolve(sblim_gatherd_t)
+
+term_getattr_pty_fs(sblim_gatherd_t)
+
+init_read_utmp(sblim_gatherd_t)
+
+userdom_signull_unpriv_users(sblim_gatherd_t)
+
+optional_policy(`
+ locallogin_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(sblim_gatherd_t)
+')
+
+optional_policy(`
+ ssh_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(sblim_gatherd_t)
+')
+
+optional_policy(`
+ xen_stream_connect(sblim_gatherd_t)
+ xen_stream_connect_xenstore(sblim_gatherd_t)
+')
+
+#######################################
+#
+# sblim_reposd local policy
+#
+
+domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+
+corenet_tcp_bind_all_nodes(sblim_reposd_t)
+corenet_tcp_bind_repository_port(sblim_reposd_t)
+
+######################################
+#
+# sblim_domain local policy
+#
+
+allow sblim_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+
+kernel_read_network_state(sblim_domain)
+kernel_read_system_state(sblim_domain)
+
+dev_read_sysfs(sblim_domain)
+
+logging_send_syslog_msg(sblim_domain)
+
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
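Review bot: sblim_domain gets manage rules for sblim_var_run_t (dirs, files, sock_files) but no files_pid_filetrans, so the domains have no write access to the var_run_t parent and cannot create /var/run/gather themselves; they depend on the directory already existing with the label from sblim.fc, and anything they did manage to create directly under /var/run would not receive sblim_var_run_t. Add `files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file })` next to the manage rules, as sanlock.te does in this same change. Whether the package creates the directory at install time is not visible here.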
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
new file mode 100644
index 00000000..c8254dd8
--- /dev/null
+++ b/policy/modules/contrib/screen.fc
@@ -0,0 +1,15 @@
+#
+# /home
+#
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+#
+# /var
+#
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
new file mode 100644
index 00000000..c50a4443
--- /dev/null
+++ b/policy/modules/contrib/screen.if
@@ -0,0 +1,162 @@
+## <summary>GNU terminal multiplexer</summary>
+
+#######################################
+## <summary>
+## The role template for the screen module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_screen_t;
+ userdom_user_application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ role $2 types $1_screen_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_screen_t self:capability { setuid setgid fsetid };
+ allow $1_screen_t self:process signal_perms;
+ allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+ allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+ allow $1_screen_t self:udp_socket create_socket_perms;
+ # Internal screen networking
+ allow $1_screen_t self:fd use;
+ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+
+ # Create fifo
+ manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+
+ allow $1_screen_t $3:process signal;
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ allow $3 $1_screen_t:process { signal sigchld };
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:process signal;
+
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+
+ manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
+ kernel_read_system_state($1_screen_t)
+ kernel_read_kernel_sysctls($1_screen_t)
+
+ corecmd_list_bin($1_screen_t)
+ corecmd_read_bin_files($1_screen_t)
+ corecmd_read_bin_symlinks($1_screen_t)
+ corecmd_read_bin_pipes($1_screen_t)
+ corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+ corenet_all_recvfrom_unlabeled($1_screen_t)
+ corenet_all_recvfrom_netlabel($1_screen_t)
+ corenet_tcp_sendrecv_generic_if($1_screen_t)
+ corenet_udp_sendrecv_generic_if($1_screen_t)
+ corenet_tcp_sendrecv_generic_node($1_screen_t)
+ corenet_udp_sendrecv_generic_node($1_screen_t)
+ corenet_tcp_sendrecv_all_ports($1_screen_t)
+ corenet_udp_sendrecv_all_ports($1_screen_t)
+ corenet_tcp_connect_all_ports($1_screen_t)
+
+ dev_dontaudit_getattr_all_chr_files($1_screen_t)
+ dev_dontaudit_getattr_all_blk_files($1_screen_t)
+ # for SSP
+ dev_read_urand($1_screen_t)
+
+ domain_use_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
+ files_search_home($1_screen_t)
+ files_list_home($1_screen_t)
+ files_read_usr_files($1_screen_t)
+ files_read_etc_files($1_screen_t)
+
+ fs_search_auto_mountpoints($1_screen_t)
+ fs_getattr_xattr_fs($1_screen_t)
+
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+ auth_dontaudit_read_shadow($1_screen_t)
+ auth_dontaudit_exec_utempter($1_screen_t)
+
+ # Write to utmp.
+ init_rw_utmp($1_screen_t)
+
+ logging_send_syslog_msg($1_screen_t)
+
+ miscfiles_read_localization($1_screen_t)
+
+ seutil_read_config($1_screen_t)
+
+ userdom_use_user_terminals($1_screen_t)
+ userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+ userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+ fs_read_cifs_symlinks($1_screen_t)
+ fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+ fs_list_nfs($1_screen_t)
+ fs_read_nfs_symlinks($1_screen_t)
+ ')
+')
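Review bot: `corenet_tcp_connect_all_ports($1_screen_t)` together with the tcp/udp sendrecv-all-ports rules gives every user's screen domain unrestricted outbound TCP, and nothing in the template explains it: the `Internal screen networking` comment covers the unix sockets, and name-service lookups for the lock-screen password check are already provided by `auth_use_nsswitch($1_screen_t)` further down. If no concrete consumer is known (nothing in this policy shows screen itself opening TCP connections), drop the connect_all_ports line; otherwise add a comment naming it, e.g. `# for <feature>; NSS backends are covered by auth_use_nsswitch`.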
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
new file mode 100644
index 00000000..25836261
--- /dev/null
+++ b/policy/modules/contrib/screen.te
@@ -0,0 +1,25 @@
+policy_module(screen, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type screen_exec_t;
+application_executable_file(screen_exec_t)
+
+type screen_home_t;
+typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
+typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+userdom_user_tmp_file(screen_tmp_t)
+
+type screen_var_run_t;
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)
diff --git a/policy/modules/contrib/sectoolm.fc b/policy/modules/contrib/sectoolm.fc
new file mode 100644
index 00000000..1ed68709
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.fc
@@ -0,0 +1,4 @@
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/policy/modules/contrib/sectoolm.if b/policy/modules/contrib/sectoolm.if
new file mode 100644
index 00000000..90074511
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.if
@@ -0,0 +1,2 @@
+## <summary>Sectool security audit tool</summary>
+
diff --git a/policy/modules/contrib/sectoolm.te b/policy/modules/contrib/sectoolm.te
new file mode 100644
index 00000000..c8ef84b9
--- /dev/null
+++ b/policy/modules/contrib/sectoolm.te
@@ -0,0 +1,106 @@
+policy_module(sectoolm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+
+# tests related to network
+iptables_domtrans(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tests related to network
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
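Review bot: The capability set at L74518 is undocumented, and `net_admin` has no visible consumer inside this domain: the netfilter and interface work is delegated through `iptables_domtrans` (L74569) and `sysnet_domtrans_ifconfig` (L74576), which run in their own domains, and `sys_ptrace` is presumably needed only for reading other domains' /proc state via `domain_read_all_domains_state` (L74548), since no `process ptrace` rule is granted. Together with `files_read_all_files` (L74552), `application_exec_all` (L74561) and `corecmd_exec_shell` (L74540) this is a D-Bus-reachable mechanism that can read every file on the host, so callers must be authorized by the PolicyKit check that is only wired in the optional block at L74584-L74586. I would add `# net_admin: TODO confirm — netfilter/ifconfig checks run in iptables_t / ifconfig_t` above the capability line, `# reads arbitrary files for audit checks; D-Bus callers are expected to be gated by PolicyKit` above L74552, and drop `net_admin` if nothing in the mechanism itself needs it.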
diff --git a/policy/modules/contrib/sendmail.fc b/policy/modules/contrib/sendmail.fc
new file mode 100644
index 00000000..a86ec50e
--- /dev/null
+++ b/policy/modules/contrib/sendmail.fc
@@ -0,0 +1,6 @@
+
+/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
new file mode 100644
index 00000000..7e94c7cf
--- /dev/null
+++ b/policy/modules/contrib/sendmail.if
@@ -0,0 +1,297 @@
+## <summary>Policy for sendmail.</summary>
+
+########################################
+## <summary>
+## Sendmail stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## sendmail unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_pipes',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Domain transition to sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, sendmail_t)
+
+ allow sendmail_t $1:fd use;
+ allow sendmail_t $1:fifo_file rw_file_perms;
+ allow sendmail_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the sendmail domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+')
+
+########################################
+## <summary>
+## Send generic signals to sendmail.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_signal',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## Read sendmail logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_read_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_manage_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
+## <summary>
+## Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_create_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_log_filetrans($1, sendmail_log_t, file)
+')
+
+########################################
+## <summary>
+## Manage sendmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_manage_tmp_files',`
+ gen_require(`
+ type sendmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+')
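Review bot: `allow sendmail_t $1:fifo_file rw_file_perms;` in `sendmail_domtrans` at L74672 applies the regular-file permission macro to a fifo, while `sendmail_rw_pipes` at L74651 uses `rw_fifo_file_perms` for the same object class. In refpolicy the two macros appear to expand to the same permission set today, so this is a consistency and style point rather than a functional defect, but it reads as a copy-paste slip and will silently diverge if either macro changes. Use `allow sendmail_t $1:fifo_file rw_fifo_file_perms;`.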
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
new file mode 100644
index 00000000..22dac1fe
--- /dev/null
+++ b/policy/modules/contrib/sendmail.te
@@ -0,0 +1,187 @@
+policy_module(sendmail, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type sendmail_log_t;
+logging_log_file(sendmail_log_t)
+
+type sendmail_tmp_t;
+files_tmp_file(sendmail_tmp_t)
+
+type sendmail_var_run_t;
+files_pid_file(sendmail_var_run_t)
+
+type sendmail_t;
+mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
+
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t, sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
+########################################
+#
+# Sendmail local policy
+#
+
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+allow sendmail_t self:fifo_file rw_fifo_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
+
+allow sendmail_t sendmail_log_t:dir setattr;
+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
+
+manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+
+allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+
+kernel_read_network_state(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
+kernel_read_system_state(sendmail_t)
+
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
+corenet_tcp_sendrecv_generic_if(sendmail_t)
+corenet_tcp_sendrecv_generic_node(sendmail_t)
+corenet_tcp_sendrecv_all_ports(sendmail_t)
+corenet_tcp_bind_generic_node(sendmail_t)
+corenet_tcp_bind_smtp_port(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
+
+dev_read_urand(sendmail_t)
+dev_read_sysfs(sendmail_t)
+
+fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
+
+term_dontaudit_use_console(sendmail_t)
+term_dontaudit_use_generic_ptys(sendmail_t)
+
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
+
+init_use_fds(sendmail_t)
+init_use_script_ptys(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+init_read_utmp(sendmail_t)
+init_dontaudit_write_utmp(sendmail_t)
+
+auth_use_nsswitch(sendmail_t)
+
+# Read /usr/lib/sasl2/.*
+libs_read_lib_files(sendmail_t)
+
+logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
+
+miscfiles_read_generic_certs(sendmail_t)
+miscfiles_read_localization(sendmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_dontaudit_search_user_home_dirs(sendmail_t)
+
+mta_read_config(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
+# Write to /etc/aliases and /etc/mail.
+mta_manage_aliases(sendmail_t)
+# Write to /var/spool/mail and /var/spool/mqueue.
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
+
+optional_policy(`
+ clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sendmail, sendmail_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(sendmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+')
+
+optional_policy(`
+ procmail_domtrans(sendmail_t)
+ procmail_rw_tmp_files(sendmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sendmail_t)
+')
+
+optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ udev_read_db(sendmail_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(sendmail_t)
+')
+
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
+
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
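Review bot: `corenet_tcp_connect_all_ports(sendmail_t)` at L74981 lets the MTA initiate a TCP connection to every labelled port, which subsumes the more specific smtp rules at L74980 and L74982-L74983 and is broader than a mail server normally needs. If the reason is delivery to smart hosts, milters or LMTP listeners on non-standard ports, that should be said in a comment, e.g. `# outbound to arbitrary ports: TODO confirm which (smart hosts / milters / LMTP) and narrow to those`; otherwise replace it with `corenet_tcp_connect_smtp_port(sendmail_t)` plus whichever submission/smtps port interfaces are actually used. The same question applies to `corenet_tcp_sendrecv_all_ports` at L74978, although that one only widens the packet-flow checks.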
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
new file mode 100644
index 00000000..397a5225
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -0,0 +1,9 @@
+/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
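Review bot: The pattern `/usr/share/setroubleshoot/SetroubleshootFixit\.py*` at L75115 is a regular expression, not a shell glob: because file-context regexes are anchored, `\.py*` matches `.p`, `.py`, `.pyy`, … but not `.pyc` or `.pyo`, so byte-compiled copies of the fixit script would fall back to the generic /usr/share label and would not be entry points for `setroubleshoot_fixit_t`. If compiled forms are meant to be covered, use `/usr/share/setroubleshoot/SetroubleshootFixit\.py[co]? -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)`; if only the source file is ever executed, a plain `\.py` is clearer.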
diff --git a/policy/modules/contrib/setroubleshoot.if b/policy/modules/contrib/setroubleshoot.if
new file mode 100644
index 00000000..bcdd16c7
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.if
@@ -0,0 +1,135 @@
+## <summary>SELinux troubleshooting service</summary>
+
+########################################
+## <summary>
+## Connect to setroubleshootd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to connect to setroubleshootd
+## over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_stream_connect',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_var_run_t;
+ ')
+
+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
+ dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+ allow setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 setroubleshootd_t:dbus send_msg;
+ dontaudit setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot fixit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+ allow setroubleshoot_fixit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an setroubleshoot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`setroubleshoot_admin',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_log_t;
+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ ')
+
+ allow $1 setroubleshootd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, setroubleshootd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, setroubleshoot_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
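Review bot: `setroubleshoot_admin` requires and administers `setroubleshoot_log_t` (L75247, L75255), but the module declares its log type as `setroubleshoot_var_log_t` (setroubleshoot.te L75289, setroubleshoot.fc L75119) and no alias is visible in this commit, so any policy that calls this interface should fail to build with an undeclared-type error. Change the two lines to `type setroubleshootd_t, setroubleshoot_var_log_t;` and `admin_pattern($1, setroubleshoot_var_log_t)`. Separately, `allow $1 setroubleshoot_var_run_t:sock_file read;` at L75147 is unusual for a stream-connect interface, since `stream_connect_pattern` already grants write on the socket file; a one-line comment on why read is needed would help the next reader.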
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
new file mode 100644
index 00000000..086cd5fe
--- /dev/null
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -0,0 +1,177 @@
+policy_module(setroubleshoot, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type setroubleshootd_t alias setroubleshoot_t;
+type setroubleshootd_exec_t;
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+type setroubleshoot_fixit_t;
+type setroubleshoot_fixit_exec_t;
+dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+# log files
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+# pid files
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+########################################
+#
+# setroubleshootd local policy
+#
+
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
+files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
+
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
+kernel_read_network_state(setroubleshootd_t)
+
+corecmd_exec_bin(setroubleshootd_t)
+corecmd_exec_shell(setroubleshootd_t)
+
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_generic_node(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
+
+domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_signull_all_domains(setroubleshootd_t)
+
+files_read_usr_files(setroubleshootd_t)
+files_read_etc_files(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
+files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
+files_read_all_symlinks(setroubleshootd_t)
+
+fs_getattr_all_dirs(setroubleshootd_t)
+fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_list_inotifyfs(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
+
+selinux_get_enforce_mode(setroubleshootd_t)
+selinux_validate_context(setroubleshootd_t)
+
+term_dontaudit_use_all_ptys(setroubleshootd_t)
+term_dontaudit_use_all_ttys(setroubleshootd_t)
+
+auth_use_nsswitch(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+
+miscfiles_read_localization(setroubleshootd_t)
+
+locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+logging_send_audit_msgs(setroubleshootd_t)
+logging_send_syslog_msg(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)
+
+modutils_read_module_config(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+seutil_read_file_contexts(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
+
+userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
+
+optional_policy(`
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+')
+
+optional_policy(`
+ rpm_signull(setroubleshootd_t)
+ rpm_read_db(setroubleshootd_t)
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+ rpm_use_script_fds(setroubleshootd_t)
+')
+
+########################################
+#
+# setroubleshoot_fixit local policy
+#
+
+allow setroubleshoot_fixit_t self:capability sys_nice;
+allow setroubleshoot_fixit_t self:process { setsched getsched };
+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
+allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
+kernel_read_system_state(setroubleshoot_fixit_t)
+
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+
+seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+
+files_read_usr_files(setroubleshoot_fixit_t)
+files_read_etc_files(setroubleshoot_fixit_t)
+files_list_tmp(setroubleshoot_fixit_t)
+
+auth_use_nsswitch(setroubleshoot_fixit_t)
+
+logging_send_audit_msgs(setroubleshoot_fixit_t)
+logging_send_syslog_msg(setroubleshoot_fixit_t)
+
+miscfiles_read_localization(setroubleshoot_fixit_t)
+
+optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
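Review bot: `setroubleshoot_fixit_t` can transition to setfiles (L75422) and execute arbitrary binaries and shells (L75419-L75420), yet the only authorization hook, `policykit_dbus_chat`, sits in an optional block at L75442-L75445; when the policykit module is absent, the relabel capability is reachable by any domain granted `setroubleshoot_dbus_chat_fixit` with no policy-level check. The .te should state that dependency, e.g. `# fixit relabels files via setfiles on behalf of D-Bus callers; authorization is expected from PolicyKit (optional block below)` above L75422. Also, `userdom_read_all_users_state` at L75444 is bundled with the policykit call but does not obviously depend on it; if it is needed for the PolicyKit subject lookup a comment should say so, otherwise it belongs outside the optional block.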
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
new file mode 100644
index 00000000..48d13634
--- /dev/null
+++ b/policy/modules/contrib/shorewall.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
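Review bot: IPv6 coverage is inconsistent: `/sbin/shorewall6` (L75458) and `/var/lib/shorewall6` (L75462) are labelled, but neither `/etc/shorewall6` nor a `shorewall6` init script is, so the IPv6 configuration would keep the generic etc label and its service script would not be `shorewall_initrc_exec_t`, while `shorewall-lite` gets both (L75453, L75456). If the package ships those paths, add `/etc/rc\.d/init\.d/shorewall6 -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)` and `/etc/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)`. Note also that `/var/log/shorewall.*` at L75467 has an unescaped dot, so it matches `/var/log/shorewall` itself and any `/var/log/shorewall…` name; that may be intended for `shorewall6.log`-style files, but `\.` should be used if only dotted names are meant.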
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
new file mode 100644
index 00000000..781ad7e8
--- /dev/null
+++ b/policy/modules/contrib/shorewall.if
@@ -0,0 +1,202 @@
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_lib_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_var_lib_t;
+ ')
+
+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_config',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+## Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_lib_files',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_lib_files',`
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+ gen_require(`
+ type shorewall_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an shorewall environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_lock_t;
+ type shorewall_log_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_list_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, shorewall_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
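Review bot: `shorewall_read_lib_files` at L75579-L75587 requires `type shorewall_t;` but its body uses `shorewall_var_lib_t`, which it never requires, so a module calling this interface fails with an undeclared-type error unless it happens to require that type elsewhere; the require should read `type shorewall_var_lib_t;` with `shorewall_t` dropped, as the body does not reference it. `shorewall_read_pid_files` and `shorewall_rw_pid_files` (L75541-L75567) require `shorewall_var_run_t`, which is not declared in the declarations section of shorewall.te in this commit (L75689-L75714) nor labelled in shorewall.fc; unless it is declared elsewhere, calling either interface will fail the same way. The `shorewall_lib_domtrans` summary at L75496 also duplicates the `shorewall_domtrans` text; `## Execute a domain transition to run shorewall via its generated scripts in /var/lib.` would distinguish them.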
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
new file mode 100644
index 00000000..4723c6b9
--- /dev/null
+++ b/policy/modules/contrib/shorewall.te
@@ -0,0 +1,108 @@
+policy_module(shorewall, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+domain_entry_file(shorewall_t, shorewall_var_lib_t)
+
+type shorewall_log_t;
+logging_log_file(shorewall_log_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
+
+manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+
+userdom_dontaudit_list_user_home_dirs(shorewall_t)
+
+optional_policy(`
+ hostname_exec(shorewall_t)
+')
+
+optional_policy(`
+ iptables_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
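Review bot: shorewall_t is allowed to both execute and rewrite its own entry-point type — `domain_entry_file(shorewall_t, shorewall_var_lib_t)` is paired with `exec_files_pattern` and `manage_dirs_pattern`/`manage_files_pattern` on the same type — so a compromise of the daemon can persist into the files it is entered through on the next restart. If this is intentional (presumably shorewall compiles its firewall script under /var/lib/shorewall and then runs it), record that above the var/lib rules: `# shorewall generates its firewall script in shorewall_var_lib_t and executes it, so the entry type must stay writable by the domain`. The `self:capability` line likewise grants `sys_ptrace` with no rationale next to `domain_read_all_domains_state`; a one-line comment naming the tool that needs it would let a later reviewer decide whether it can be dropped.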
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
new file mode 100644
index 00000000..97671a33
--- /dev/null
+++ b/policy/modules/contrib/shutdown.fc
@@ -0,0 +1,7 @@
+/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+
+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
new file mode 100644
index 00000000..d0604cfe
--- /dev/null
+++ b/policy/modules/contrib/shutdown.if
@@ -0,0 +1,69 @@
+## <summary>System shutdown command</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shutdown_domtrans',`
+ gen_require(`
+ type shutdown_t, shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:socket_class_set { read write };
+ dontaudit shutdown_t $1:fifo_file { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute shutdown in the shutdown domain, and
+## allow the specified role the shutdown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_run',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_domtrans($1)
+ role $2 types shutdown_t;
+')
+
+########################################
+## <summary>
+## Get attributes of shutdown executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_getattr_exec_files',`
+ gen_require(`
+ type shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 shutdown_exec_t:file getattr_file_perms;
+')
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
new file mode 100644
index 00000000..8966ec95
--- /dev/null
+++ b/policy/modules/contrib/shutdown.te
@@ -0,0 +1,63 @@
+policy_module(shutdown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type shutdown_t;
+type shutdown_exec_t;
+application_domain(shutdown_t, shutdown_exec_t)
+role system_r types shutdown_t;
+
+type shutdown_etc_t;
+files_config_file(shutdown_etc_t)
+
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
+########################################
+#
+# shutdown local policy
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+allow shutdown_t self:process { fork signal signull };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
+files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
+domain_use_interactive_fds(shutdown_t)
+
+files_read_etc_files(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
+term_use_all_terms(shutdown_t)
+
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
+init_dontaudit_write_utmp(shutdown_t)
+init_read_utmp(shutdown_t)
+init_stream_connect(shutdown_t)
+init_telinit(shutdown_t)
+
+logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
+
+optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
diff --git a/policy/modules/contrib/skype.fc b/policy/modules/contrib/skype.fc
new file mode 100644
index 00000000..f7105935
--- /dev/null
+++ b/policy/modules/contrib/skype.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
+
+#
+# /opt
+#
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if
new file mode 100644
index 00000000..789b8f8a
--- /dev/null
+++ b/policy/modules/contrib/skype.if
@@ -0,0 +1,39 @@
+## <summary>Skype softphone.</summary>
+
+#######################################
+## <summary>
+## Role access for the skype module.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`skype_role',`
+ gen_require(`
+ type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+ ')
+
+ role $1 types skype_t;
+
+ domtrans_pattern($2, skype_exec_t, skype_t)
+
+ allow $2 skype_t:process { ptrace signal_perms };
+ dontaudit skype_t $2:unix_stream_socket { connectto };
+
+ manage_dirs_pattern($2, skype_home_t, skype_home_t)
+ manage_files_pattern($2, skype_home_t, skype_home_t)
+ manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ relabel_dirs_pattern($2, skype_home_t, skype_home_t)
+ relabel_files_pattern($2, skype_home_t, skype_home_t)
+ relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
+
+ ps_process_pattern($2, skype_t)
+')
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
new file mode 100644
index 00000000..fde968a1
--- /dev/null
+++ b/policy/modules/contrib/skype.te
@@ -0,0 +1,111 @@
+policy_module(skype, 0.0.2)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support sending and receiving files).
+## Without this boolean set, only files marked as skype_home_t can be used for
+## sending and receiving.
+## </p>
+## </desc>
+gen_tunable(skype_manage_user_content, false)
+
+type skype_t;
+type skype_exec_t;
+application_domain(skype_t, skype_exec_t)
+
+type skype_home_t;
+userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
+userdom_user_home_content(skype_home_t)
+
+type skype_tmpfs_t;
+files_tmpfs_file(skype_tmpfs_t)
+ubac_constrained(skype_tmpfs_t)
+
+############################
+#
+# Policy
+#
+
+allow skype_t self:process { getsched setsched execmem signal };
+allow skype_t self:fifo_file rw_fifo_file_perms;
+allow skype_t self:unix_stream_socket create_socket_perms;
+allow skype_t self:sem create_sem_perms;
+allow skype_t self:tcp_socket create_stream_socket_perms;
+
+# Allow skype to work with its ~/.skype location
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
+manage_files_pattern(skype_t, skype_home_t, skype_home_t)
+manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
+
+# Needed for supporting X11 & shared memory
+manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
+fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_search_sysctl(skype_t)
+kernel_read_network_state(skype_t)
+kernel_read_system_state(skype_t)
+
+corecmd_exec_bin(skype_t)
+corecmd_exec_shell(skype_t)
+
+can_exec(skype_t, skype_exec_t)
+
+corenet_all_recvfrom_netlabel(skype_t)
+corenet_all_recvfrom_unlabeled(skype_t)
+corenet_sendrecv_http_client_packets(skype_t)
+corenet_tcp_bind_generic_node(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_connect_generic_port(skype_t)
+corenet_tcp_connect_http_port(skype_t)
+corenet_tcp_sendrecv_http_port(skype_t)
+corenet_udp_bind_generic_node(skype_t)
+corenet_udp_bind_generic_port(skype_t)
+
+dev_dontaudit_search_sysfs(skype_t)
+dev_read_sound(skype_t)
+dev_read_video_dev(skype_t)
+dev_write_sound(skype_t)
+dev_write_video_dev(skype_t)
+
+domain_dontaudit_use_interactive_fds(skype_t)
+
+files_read_etc_files(skype_t)
+files_read_usr_files(skype_t)
+
+fs_dontaudit_getattr_xattr_fs(skype_t)
+
+auth_use_nsswitch(skype_t)
+
+miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
+miscfiles_read_localization(skype_t)
+
+userdom_dontaudit_use_user_ttys(skype_t)
+userdom_use_user_ptys(skype_t)
+
+xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
+
+tunable_policy(`skype_manage_user_content',`
+ userdom_manage_user_home_content_dirs(skype_t)
+ userdom_manage_user_home_content_files(skype_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(skype_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(skype_t)
+ dbus_session_bus_client(skype_t)
+')
+
+optional_policy(`
+ xdg_manage_generic_config_home_content(skype_t)
+')
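Review bot: `execmem` in the `self:process` line and the generic-port rules (`corenet_tcp_bind_generic_port`, `corenet_udp_bind_generic_port`, `corenet_tcp_connect_generic_port`) are granted without any rationale comment, and combined with `corenet_all_recvfrom_unlabeled` they make skype_t one of the widest user-application domains in this series. Please add a why-comment above each group, e.g. `# execmem: required by the proprietary skype binary — TODO confirm` and `# skype uses arbitrary high ports for peer connections — TODO confirm`, so that the grants can be re-evaluated rather than carried forward by default. The `skype_manage_user_content` tunable description is clear and needs no change.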
diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc
new file mode 100644
index 00000000..1951c4b3
--- /dev/null
+++ b/policy/modules/contrib/slocate.fc
@@ -0,0 +1,2 @@
+/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
+/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
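Review bot: The two entries spell `gen_context` differently — `locate_exec_t, s0` with a space on the first line versus `locate_var_lib_t,s0` on the second; every other .fc file in this series uses the no-space form, so the first line should read `/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t,s0)`. A short comment such as `# both slocate and mlocate keep their database here` above the second line would explain the `[sm]locate` alternation, which is the only hint in this file that the module covers both tools.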
diff --git a/policy/modules/contrib/slocate.if b/policy/modules/contrib/slocate.if
new file mode 100644
index 00000000..b7505a0b
--- /dev/null
+++ b/policy/modules/contrib/slocate.if
@@ -0,0 +1,41 @@
+## <summary>Update database for mlocate</summary>
+
+########################################
+## <summary>
+## Create the locate log with append mode.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slocate_create_append_log',`
+ gen_require(`
+ type locate_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, locate_log_t, locate_log_t)
+ append_files_pattern($1, locate_log_t, locate_log_t)
+')
+
+########################################
+## <summary>
+## Read locate lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locate_read_lib_files',`
+ gen_require(`
+ type locate_var_lib_t;
+ ')
+
+ read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
+ allow $1 locate_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
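Review bot: The second interface is named `locate_read_lib_files` while the first is `slocate_create_append_log` and the module is slocate, so callers have to guess which prefix to use; refpolicy interface names carry the module name, so this should be `interface(`slocate_read_lib_files',`` (any existing callers of the old name, which I cannot see from here, would need updating). The file summary `Update database for mlocate` is also narrower than the module and its .fc, which label both /var/lib/slocate and /var/lib/mlocate; `## <summary>Update database for slocate/mlocate</summary>` would match.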
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
new file mode 100644
index 00000000..a225c02c
--- /dev/null
+++ b/policy/modules/contrib/slocate.te
@@ -0,0 +1,70 @@
+policy_module(slocate, 1.11.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t, locate_exec_t)
+
+type locate_log_t;
+logging_log_file(locate_log_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:process { execmem execheap execstack signal };
+allow locate_t self:fifo_file rw_fifo_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
+files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
+files_getattr_all_sockets(locate_t)
+files_read_etc_runtime_files(locate_t)
+files_read_etc_files(locate_t)
+
+fs_getattr_all_fs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
+fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
+
+# getpwnam
+auth_use_nsswitch(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+ifdef(`enable_mls',`
+ # On MLS machines will not be allowed to getattr Anything but SystemLow
+ files_dontaudit_getattr_all_dirs(locate_t)
+')
+
+optional_policy(`
+ cron_system_entry(locate_t, locate_exec_t)
+')
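Review bot: `allow locate_t self:process { execmem execheap execstack signal };` hands all three writable-and-executable memory permissions to a database-update job with no comment explaining why; these switch off W^X for the process and are exactly the grants that should be justified or removed rather than inherited silently. If they were added to quiet denials from a specific updatedb build, say so, e.g. `# execmem/execheap/execstack: needed by <which binary/version — TODO confirm>; drop once no longer triggered`, or put them behind a tunable so the default policy stays execmem-free. The broad list/getattr rules on all files and filesystems are inherent to updatedb and need no change.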
diff --git a/policy/modules/contrib/slrnpull.fc b/policy/modules/contrib/slrnpull.fc
new file mode 100644
index 00000000..1714ce0e
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+
+/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/policy/modules/contrib/slrnpull.if b/policy/modules/contrib/slrnpull.if
new file mode 100644
index 00000000..d7e8289e
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.if
@@ -0,0 +1,42 @@
+## <summary>Service for downloading news feeds the slrn newsreader.</summary>
+
+########################################
+## <summary>
+## Allow the domain to search slrnpull spools.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_search_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to create, read,
+## write, and delete slrnpull spools.
+## </summary>
+## <param name="pty_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`slrnpull_manage_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+')
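Review bot: Both interfaces declare their argument as `<param name="pty_type">` while the summary underneath says `Domain allowed access.` and the body uses `$1` as a domain; the name looks copied from a terminal interface and will mislead the generated interface documentation. Change both occurrences to `## <param name="domain">`. The file summary is also missing a word: `Service for downloading news feeds for the slrn newsreader.`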
diff --git a/policy/modules/contrib/slrnpull.te b/policy/modules/contrib/slrnpull.te
new file mode 100644
index 00000000..e5e72fd9
--- /dev/null
+++ b/policy/modules/contrib/slrnpull.te
@@ -0,0 +1,70 @@
+policy_module(slrnpull, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_daemon_domain(slrnpull_t, slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file manage_file_perms;
+logging_log_filetrans(slrnpull_t, slrnpull_log_t, file)
+
+manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+files_search_spool(slrnpull_t)
+
+manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_interactive_fds(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
+
+optional_policy(`
+ cron_system_entry(slrnpull_t, slrnpull_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`
+ udev_read_db(slrnpull_t)
+')
diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc
new file mode 100644
index 00000000..268ae3d6
--- /dev/null
+++ b/policy/modules/contrib/smartmon.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+#
+# /var
+#
+/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
new file mode 100644
index 00000000..adea9f92
--- /dev/null
+++ b/policy/modules/contrib/smartmon.if
@@ -0,0 +1,57 @@
+## <summary>Smart disk monitoring daemon policy</summary>
+
+#######################################
+## <summary>
+## Allow caller to read smartmon temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smartmon_read_tmp_files',`
+ gen_require(`
+ type fsdaemon_tmp_t;
+ ')
+
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an smartmon environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smartmon_admin',`
+ gen_require(`
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+ type fsdaemon_initrc_exec_t;
+ ')
+
+ allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fsdaemon_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, fsdaemon_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fsdaemon_var_run_t)
+')
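Review bot: `allow $1 fsdaemon_t:process { ptrace signal_perms getattr };` in smartmon_admin lists `getattr` explicitly even though the `ps_process_pattern` call on the next line already grants it, and the other `*_admin` interfaces in this series (shorewall_admin, smokeping_admin) use `{ ptrace signal_perms }`; use the same form here for consistency: `allow $1 fsdaemon_t:process { ptrace signal_perms };`. The summary text `an smartmon environment` should read `a smartmon environment`.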
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
new file mode 100644
index 00000000..6b3322b7
--- /dev/null
+++ b/policy/modules/contrib/smartmon.te
@@ -0,0 +1,121 @@
+policy_module(smartmon, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable additional permissions needed to support
+## devices on 3ware controllers.
+## </p>
+## </desc>
+gen_tunable(smartmon_3ware, false)
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
+
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+allow fsdaemon_t self:udp_socket create_socket_perms;
+allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
+# for config
+files_read_etc_files(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+
+mls_file_read_all_levels(fsdaemon_t)
+#mls_rangetrans_target(fsdaemon_t)
+
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
+
+term_dontaudit_search_ptys(fsdaemon_t)
+
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+miscfiles_read_localization(fsdaemon_t)
+
+seutil_sigchld_newrole(fsdaemon_t)
+
+sysnet_dns_name_resolve(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
+')
+
+optional_policy(`
+ mta_send_mail(fsdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(fsdaemon_t)
+')
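Review bot: `#mls_rangetrans_target(fsdaemon_t)` is a commented-out policy statement with no explanation, leaving it unclear whether the MLS range transition was dropped deliberately or is a leftover TODO; either delete the line or replace it with the decision, e.g. `# mls_rangetrans_target not used: fsdaemon_t is already ranged via init_ranged_daemon_domain above — TODO confirm`. In the same hunk fsdaemon_t receives `corecmd_exec_all_executables`, `files_exec_etc_files` and `libs_exec_ld_so`/`libs_exec_lib_files` with no rationale, on top of `sys_admin`, `sys_rawio` and raw write access to fixed disks, which is a large footprint for a monitoring daemon. A comment such as `# smartd runs administrator-configured scripts from smartd.conf (-M exec) — TODO confirm which exec grants are still required` would let a later reviewer prune rather than preserve them.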
diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc
new file mode 100644
index 00000000..9ff2d99d
--- /dev/null
+++ b/policy/modules/contrib/smokeping.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+
+/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+
+/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
new file mode 100644
index 00000000..82652781
--- /dev/null
+++ b/policy/modules/contrib/smokeping.if
@@ -0,0 +1,167 @@
+## <summary>Smokeping network latency measurement.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run smokeping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_domtrans',`
+ gen_require(`
+ type smokeping_t, smokeping_exec_t;
+ ')
+
+ domtrans_pattern($1, smokeping_exec_t, smokeping_t)
+')
+
+########################################
+## <summary>
+## Execute smokeping server in the smokeping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smokeping_initrc_domtrans',`
+ gen_require(`
+ type smokeping_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read smokeping PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smokeping_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage smokeping PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
+')
+
+########################################
+## <summary>
+## Get attributes of smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_getattr_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_read_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage smokeping lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`smokeping_manage_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## a smokeping environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smokeping_admin',`
+ gen_require(`
+ type smokeping_t, smokeping_initrc_exec_t;
+ ')
+
+ allow $1 smokeping_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smokeping_t)
+
+ smokeping_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 smokeping_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ smokeping_manage_pid_files($1)
+
+ smokeping_manage_lib_files($1)
+')
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
new file mode 100644
index 00000000..740994ac
--- /dev/null
+++ b/policy/modules/contrib/smokeping.te
@@ -0,0 +1,77 @@
+policy_module(smokeping, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smokeping_t;
+type smokeping_exec_t;
+init_daemon_domain(smokeping_t, smokeping_exec_t)
+
+type smokeping_initrc_exec_t;
+init_script_file(smokeping_initrc_exec_t)
+
+type smokeping_var_run_t;
+files_pid_file(smokeping_var_run_t)
+
+type smokeping_var_lib_t;
+files_type(smokeping_var_lib_t)
+
+########################################
+#
+# smokeping local policy
+#
+
+dontaudit smokeping_t self:capability { dac_read_search dac_override };
+allow smokeping_t self:fifo_file rw_fifo_file_perms;
+allow smokeping_t self:udp_socket create_socket_perms;
+allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
+
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
+
+corecmd_read_bin_symlinks(smokeping_t)
+
+dev_read_urand(smokeping_t)
+
+files_read_etc_files(smokeping_t)
+files_read_usr_files(smokeping_t)
+files_search_tmp(smokeping_t)
+
+auth_use_nsswitch(smokeping_t)
+auth_dontaudit_read_shadow(smokeping_t)
+
+logging_send_syslog_msg(smokeping_t)
+
+miscfiles_read_localization(smokeping_t)
+
+mta_send_mail(smokeping_t)
+
+netutils_domtrans_ping(smokeping_t)
+
+#######################################
+#
+# local policy for smokeping cgi scripts
+#
+
+optional_policy(`
+ apache_content_template(smokeping_cgi)
+
+ allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
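Review bot: `mta_send_mail(smokeping_t)` and `netutils_domtrans_ping(smokeping_t)` are called unconditionally, whereas the same `mta_send_mail` call in smartmon.te in this series is wrapped in `optional_policy(`...')`; if mta and netutils are contrib modules in this tree (as the smartmon wrapper suggests), smokeping will fail to link when either is absent, so wrap both calls in optional_policy blocks. There is also a stray space in `files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )`; drop it to match the pid filetrans line above. In the CGI block, httpd_smokeping_cgi_script_t gets `manage_dirs_pattern`/`manage_files_pattern` on smokeping_var_lib_t, i.e. the web-facing script may modify the daemon's data directory; a one-line comment stating whether write access (versus read) is actually required there would document that exposure.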
diff --git a/policy/modules/contrib/smoltclient.fc b/policy/modules/contrib/smoltclient.fc
new file mode 100644
index 00000000..47cc4405
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.fc
@@ -0,0 +1,2 @@
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
diff --git a/policy/modules/contrib/smoltclient.if b/policy/modules/contrib/smoltclient.if
new file mode 100644
index 00000000..a54079b7
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.if
@@ -0,0 +1 @@
+## <summary>The Fedora hardware profiler client</summary>
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
new file mode 100644
index 00000000..bc00875d
--- /dev/null
+++ b/policy/modules/contrib/smoltclient.te
@@ -0,0 +1,68 @@
+policy_module(smoltclient, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smoltclient_t;
+type smoltclient_exec_t;
+application_domain(smoltclient_t, smoltclient_exec_t)
+cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+type smoltclient_tmp_t;
+files_tmp_file(smoltclient_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smoltclient_t self:process { setsched getsched };
+
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+allow smoltclient_t self:tcp_socket create_socket_perms;
+allow smoltclient_t self:udp_socket create_socket_perms;
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
+
+kernel_read_system_state(smoltclient_t)
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
+corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_tcp_connect_http_port(smoltclient_t)
+
+dev_read_sysfs(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
+fs_getattr_all_dirs(smoltclient_t)
+fs_list_auto_mountpoints(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_files(smoltclient_t)
+files_read_usr_files(smoltclient_t)
+
+auth_use_nsswitch(smoltclient_t)
+
+logging_send_syslog_msg(smoltclient_t)
+
+miscfiles_read_localization(smoltclient_t)
+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(smoltclient_t)
+')
+
+optional_policy(`
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
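Review bot: `can_exec(smoltclient_t, smoltclient_tmp_t)` on L76923, combined with the manage_dirs/manage_files rules on the same type, gives the client a location it can both write and execute, which is the widest grant in an otherwise narrowly scoped module (http connect, sysfs, rpm db reads). The rule carries no justification; it should get a why-comment such as `# presumably smolt runs helpers it writes under /tmp -- confirm and narrow if not`, and if nothing actually has to be executed from tmp the line should be dropped so the tmp type stays data-only. The `corecmd_exec_shell` and optional `rpm_exec` rules are the other execution grants here and are the ones a reader will want to see explained alongside it.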
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
new file mode 100644
index 00000000..623c8fad
--- /dev/null
+++ b/policy/modules/contrib/snmp.fc
@@ -0,0 +1,24 @@
+/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+#
+# /var
+#
+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
+
+/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
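Review bot: `/var/net-snmp(/.*)` on L76991 lacks the trailing `?` that every other directory entry in this file uses, so the regex matches only paths under the directory and never `/var/net-snmp` itself, which therefore keeps the generic `/var` label on a relabel or restorecon while its contents get `snmpd_var_lib_t`. The line should read `/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)`. The `files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })` rule in snmp.te labels the directory correctly only when snmpd creates it at runtime, so the mismatch would surface after a filesystem relabel.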
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
new file mode 100644
index 00000000..275f9fb5
--- /dev/null
+++ b/policy/modules/contrib/snmp.if
@@ -0,0 +1,147 @@
+## <summary>Simple network management protocol services</summary>
+
+########################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
+########################################
+## <summary>
+## Use snmp over a TCP connection. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic to SNMP (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Read snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+## dontaudit Read snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+ dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## dontaudit write snmpd libraries files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snmp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the snmp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snmp_admin',`
+ gen_require(`
+ type snmpd_t, snmpd_log_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+ type snmpd_initrc_exec_t;
+ ')
+
+ allow $1 snmpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, snmpd_t)
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snmpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, snmpd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, snmpd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, snmpd_var_run_t)
+')
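Review bot: The summaries "Read snmpd libraries." (L77052) and "dontaudit Read snmpd libraries." (L77072) describe the `snmpd_var_lib_t` type as libraries, but the .fc section labels `/var/lib/net-snmp`, `/var/lib/snmp` and `/var/agentx` with it, i.e. state and data files, so a caller picking an interface by its summary is misled; `## Read snmpd var lib files.` and `## Do not audit attempts to read snmpd var lib files.` match the interface names. Separately, `snmp_dontaudit_read_snmp_var_lib_files` at L77083-L77084 is the only interface in the file without a blank line between the `gen_require` block and its rules; the other interfaces in this hunk all leave one.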
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
new file mode 100644
index 00000000..eb3c1d00
--- /dev/null
+++ b/policy/modules/contrib/snmp.te
@@ -0,0 +1,172 @@
+policy_module(snmp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t, snmpd_exec_t)
+
+type snmpd_initrc_exec_t;
+init_script_file(snmpd_initrc_exec_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:fifo_file rw_fifo_file_perms;
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+allow snmpd_t snmpd_log_t:file manage_file_perms;
+logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+
+manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
+
+manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
+
+kernel_read_device_sysctls(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_system_state(snmpd_t)
+kernel_read_network_state(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
+corenet_tcp_sendrecv_generic_if(snmpd_t)
+corenet_udp_sendrecv_generic_if(snmpd_t)
+corenet_tcp_sendrecv_generic_node(snmpd_t)
+corenet_udp_sendrecv_generic_node(snmpd_t)
+corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_udp_sendrecv_all_ports(snmpd_t)
+corenet_tcp_bind_generic_node(snmpd_t)
+corenet_udp_bind_generic_node(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+dev_getattr_usbfs_dirs(snmpd_t)
+
+domain_use_interactive_fds(snmpd_t)
+domain_signull_all_domains(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+domain_dontaudit_ptrace_all_domains(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
+
+files_read_etc_files(snmpd_t)
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+fs_getattr_all_dirs(snmpd_t)
+fs_getattr_all_fs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+auth_use_nsswitch(snmpd_t)
+auth_read_all_dirs_except_auth_files(snmpd_t)
+
+init_read_utmp(snmpd_t)
+init_dontaudit_write_utmp(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+sysnet_read_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
+
+ifdef(`distro_redhat', `
+ optional_policy(`
+ rpm_read_db(snmpd_t)
+ rpm_dontaudit_manage_db(snmpd_t)
+ ')
+')
+
+optional_policy(`
+ amanda_dontaudit_read_dumpdates(snmpd_t)
+')
+
+optional_policy(`
+ consoletype_exec(snmpd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(snmpd_t)
+')
+
+optional_policy(`
+ mta_read_config(snmpd_t)
+ mta_search_queue(snmpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+')
+
+optional_policy(`
+ sendmail_read_log(snmpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`
+ squid_read_config(snmpd_t)
+')
+
+optional_policy(`
+ udev_read_db(snmpd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(snmpd_t)
+ kernel_write_xen_state(snmpd_t)
+
+ xen_stream_connect(snmpd_t)
+ xen_stream_connect_xenstore(snmpd_t)
+')
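Review bot: `sys_tty_config` appears in both the allow set on L77180 and the dontaudit set on L77181 for `snmpd_t self:capability`; a dontaudit on a capability that is already allowed never fires, so one of the two is stale and the intent (grant it, or silently deny it) should be decided and the other entry removed. The allow set also hands out `sys_ptrace` and `net_admin` with no comment while L77239 simultaneously dontaudits ptrace of all domains, which reads as contradictory; if the capability is only needed for the `/proc` reads granted by `domain_read_all_domains_state` a comment such as `# sys_ptrace: presumably for reading other processes' /proc state -- confirm` next to L77180 would record that. `domain_exec_all_entry_files(snmpd_t)` on L77240 is similarly broad for a monitoring daemon and would benefit from the same kind of why-comment.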
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
new file mode 100644
index 00000000..7bedd2f8
--- /dev/null
+++ b/policy/modules/contrib/snort.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+
+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
+
+/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
new file mode 100644
index 00000000..c117e8b5
--- /dev/null
+++ b/policy/modules/contrib/snort.if
@@ -0,0 +1,60 @@
+## <summary>Snort network intrusion detection system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run snort.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snort_domtrans',`
+ gen_require(`
+ type snort_t, snort_exec_t;
+ ')
+
+ domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an snort environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the snort domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+ allow $1 snort_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snort_t)
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snort_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, snort_log_t)
+ logging_search_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
new file mode 100644
index 00000000..179bc1b0
--- /dev/null
+++ b/policy/modules/contrib/snort.te
@@ -0,0 +1,117 @@
+policy_module(snort, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type snort_t;
+type snort_exec_t;
+init_daemon_domain(snort_t, snort_exec_t)
+
+type snort_etc_t;
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
+
+type snort_log_t;
+logging_log_file(snort_log_t)
+
+type snort_tmp_t;
+files_tmp_file(snort_tmp_t)
+
+type snort_var_run_t;
+files_pid_file(snort_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+dontaudit snort_t self:capability sys_tty_config;
+allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
+# Snort IPS node. unverified.
+allow snort_t self:netlink_firewall_socket { bind create getattr };
+
+allow snort_t snort_etc_t:dir list_dir_perms;
+allow snort_t snort_etc_t:file read_file_perms;
+allow snort_t snort_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+logging_log_filetrans(snort_t, snort_log_t, { file dir })
+
+manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
+
+manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
+files_pid_filetrans(snort_t, snort_var_run_t, file)
+
+kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
+kernel_list_proc(snort_t)
+kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
+kernel_dontaudit_read_system_state(snort_t)
+kernel_read_network_state(snort_t)
+
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
+corenet_tcp_sendrecv_generic_if(snort_t)
+corenet_udp_sendrecv_generic_if(snort_t)
+corenet_raw_sendrecv_generic_if(snort_t)
+corenet_tcp_sendrecv_generic_node(snort_t)
+corenet_udp_sendrecv_generic_node(snort_t)
+corenet_raw_sendrecv_generic_node(snort_t)
+corenet_tcp_sendrecv_all_ports(snort_t)
+corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
+
+dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
+# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
+# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
+dev_rw_generic_usb_dev(snort_t)
+
+domain_use_interactive_fds(snort_t)
+
+files_read_etc_files(snort_t)
+files_dontaudit_read_etc_runtime_files(snort_t)
+
+fs_getattr_all_fs(snort_t)
+fs_search_auto_mountpoints(snort_t)
+
+init_read_utmp(snort_t)
+
+logging_send_syslog_msg(snort_t)
+
+miscfiles_read_localization(snort_t)
+
+sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
+
+optional_policy(`
+ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snort_t)
+')
+
+optional_policy(`
+ udev_read_db(snort_t)
+')
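Review bot: `allow snort_t self:socket create_socket_perms;` on L77451 grants the generic `socket` class, which is the catch-all for address families that have no dedicated class, yet unlike the `netlink_firewall_socket` rule directly below it (marked "unverified" on L77452) it carries no comment saying which socket family needs it. Since `packet_socket` on L77450 already covers libpcap capture and `netlink_route_socket` on L77447 covers interface enumeration, a comment such as `# generic socket class: family not identified -- confirm which family snort opens here` would let a later reader decide whether the rule can be replaced by a specific class. The `kernel_request_load_module(snort_t)` grant on L77474 is the other rule here that a reader will want a reason for.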
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc
new file mode 100644
index 00000000..a40478eb
--- /dev/null
+++ b/policy/modules/contrib/sosreport.fc
@@ -0,0 +1 @@
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
new file mode 100644
index 00000000..94c01b54
--- /dev/null
+++ b/policy/modules/contrib/sosreport.if
@@ -0,0 +1,129 @@
+## <summary>sosreport - Generate debugging information for system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sosreport_domtrans',`
+ gen_require(`
+ type sosreport_t, sosreport_exec_t;
+ ')
+
+ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+########################################
+## <summary>
+## Execute sosreport in the sosreport domain, and
+## allow the specified role the sosreport domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_run',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ sosreport_domtrans($1)
+ role $2 types sosreport_t;
+')
+
+########################################
+## <summary>
+## Role access for sosreport
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`sosreport_role',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ role $1 types sosreport_t;
+
+ sosreport_domtrans($2)
+
+ ps_process_pattern($2, sosreport_t)
+ allow $2 sosreport_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_read_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Append sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_append_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Delete sosreport tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_delete_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
new file mode 100644
index 00000000..ebaff2f4
--- /dev/null
+++ b/policy/modules/contrib/sosreport.te
@@ -0,0 +1,148 @@
+policy_module(sosreport, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role system_r types sosreport_t;
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+########################################
+#
+# sosreport local policy
+#
+
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket create_stream_socket_perms;
+allow sosreport_t self:udp_socket create_socket_perms;
+allow sosreport_t self:unix_dgram_socket create_socket_perms;
+allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
+allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+kernel_read_network_state(sosreport_t)
+kernel_read_all_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+kernel_read_messages(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+dev_getattr_mtrr_dev(sosreport_t)
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+domain_getattr_all_sockets(sosreport_t)
+domain_getattr_all_pipes(sosreport_t)
+domain_signull_all_domains(sosreport_t)
+
+files_getattr_all_sockets(sosreport_t)
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_etc_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+files_read_all_symlinks(sosreport_t)
+# for blkid.tab
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+fs_getattr_all_fs(sosreport_t)
+fs_list_inotifyfs(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+auth_read_all_files_except_auth_files(sosreport_t)
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+# needed by modinfo
+modutils_read_module_deps(sosreport_t)
+
+sysnet_read_config(sosreport_t)
+
+optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+ cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ dmesg_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ fstools_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sosreport_t)
+
+ optional_policy(`
+ hal_dbus_chat(sosreport_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ mount_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ rpm_exec(sosreport_t)
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ unconfined_domain(sosreport_t)
+')
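Review bot: `unconfined_domain(sosreport_t)` inside the `optional_policy` at L77823-L77825 makes every fine-grained rule above it irrelevant whenever the unconfined module is loaded, so on such systems the careful list of reads, getattrs and domtrans rules in this file is dead policy; the block needs a comment stating why full unconfinement is required rather than the targeted rules, e.g. `# sosreport gathers arbitrary system state; falls back to unconfined when the unconfined module is present -- confirm this is still needed`. On the confined path, `dev_read_raw_memory(sosreport_t)` on L77731 is the most sensitive single grant and, like the `# for blkid.tab` and `# needed by modinfo` comments elsewhere in the hunk, should name what reads raw memory. The `sys_admin sys_ptrace` capabilities on L77701 are in the same category.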
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
new file mode 100644
index 00000000..d89b2cb6
--- /dev/null
+++ b/policy/modules/contrib/soundserver.fc
@@ -0,0 +1,13 @@
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
+/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+
+/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
new file mode 100644
index 00000000..93fe7bf8
--- /dev/null
+++ b/policy/modules/contrib/soundserver.if
@@ -0,0 +1,57 @@
+## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>
+
+########################################
+## <summary>
+## Connect to the sound server over a TCP socket (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`soundserver_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an soundd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the soundd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t, soundd_etc_t;
+ type soundd_tmp_t, soundd_var_run_t;
+ type soundd_initrc_exec_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, soundd_t)
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 soundd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, soundd_etc_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, soundd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
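Review bot: `soundserver_admin` does not cover `soundd_state_t`, the type soundserver.fc assigns to `/var/state/yiff(/.*)?` and that soundd_t manages in soundserver.te, so an administrator given this interface can manage the config, tmp and pid files but not the daemon's persistent state. Add `type soundd_state_t;` to the `gen_require` block and `admin_pattern($1, soundd_state_t)` after the var_run pair on L77905-L77906. `soundd_tmpfs_t` is likewise omitted; whether admins need it is less clear, but the asymmetry with `snmp_admin` in this diff, which covers every type its module declares, is worth resolving deliberately.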
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
new file mode 100644
index 00000000..3217605d
--- /dev/null
+++ b/policy/modules/contrib/soundserver.te
@@ -0,0 +1,114 @@
+policy_module(soundserver, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type soundd_t;
+type soundd_exec_t;
+init_daemon_domain(soundd_t, soundd_exec_t)
+
+type soundd_etc_t alias etc_soundd_t;
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
+
+type soundd_state_t;
+files_type(soundd_state_t)
+
+type soundd_tmp_t;
+files_tmp_file(soundd_tmp_t)
+
+# for yiff - probably need some rules for the client support too
+type soundd_tmpfs_t;
+files_tmpfs_file(soundd_tmpfs_t)
+
+type soundd_var_run_t;
+files_pid_file(soundd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow soundd_t self:capability dac_override;
+dontaudit soundd_t self:capability sys_tty_config;
+allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:tcp_socket create_stream_socket_perms;
+allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+# for yiff
+allow soundd_t self:shm create_shm_perms;
+
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+
+manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+
+manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
+
+manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(soundd_t)
+kernel_list_proc(soundd_t)
+kernel_read_proc_symlinks(soundd_t)
+
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
+corenet_tcp_sendrecv_generic_if(soundd_t)
+corenet_udp_sendrecv_generic_if(soundd_t)
+corenet_tcp_sendrecv_generic_node(soundd_t)
+corenet_udp_sendrecv_generic_node(soundd_t)
+corenet_tcp_sendrecv_all_ports(soundd_t)
+corenet_udp_sendrecv_all_ports(soundd_t)
+corenet_tcp_bind_generic_node(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_sendrecv_soundd_server_packets(soundd_t)
+
+dev_read_sysfs(soundd_t)
+dev_read_sound(soundd_t)
+dev_write_sound(soundd_t)
+
+domain_use_interactive_fds(soundd_t)
+
+files_read_etc_files(soundd_t)
+files_read_etc_runtime_files(soundd_t)
+
+fs_getattr_all_fs(soundd_t)
+fs_search_auto_mountpoints(soundd_t)
+
+logging_send_syslog_msg(soundd_t)
+
+miscfiles_read_localization(soundd_t)
+
+sysnet_read_config(soundd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(soundd_t)
+')
+
+optional_policy(`
+ udev_read_db(soundd_t)
+')
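Review bot: The second section banner on L77944-L77947 repeats `# Declarations` although the rules under it are the domain's allow rules, so the file has two "Declarations" headings and no "Local policy" one; every sibling module in this diff uses `# Local policy` for that section and L77946 should be changed to match. The comment `# for yiff - probably need some rules for the client support too` on L77937 is a leftover TODO rather than documentation and should either become an explicit `# TODO:` or be resolved.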
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
new file mode 100644
index 00000000..6b3abf9e
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.fc
@@ -0,0 +1,15 @@
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
+/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
new file mode 100644
index 00000000..c954f319
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.if
@@ -0,0 +1,227 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+########################################
+## <summary>
+## Role access for spamassassin
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`spamassassin_role',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+ type spamassassin_t, spamassassin_exec_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
+ ')
+
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+ ps_process_pattern($2, spamc_t)
+
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+')
+
+########################################
+## <summary>
+## Execute the standalone spamassassin
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec',`
+ gen_require(`
+ type spamassassin_exec_t;
+ ')
+
+ can_exec($1, spamassassin_exec_t)
+
+')
+
+########################################
+## <summary>
+## Singnal the spam assassin daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_signal_spamd',`
+ gen_require(`
+ type spamd_t;
+ ')
+
+ allow $1 spamd_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute the spamassassin daemon
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_spamd',`
+ gen_require(`
+ type spamd_exec_t;
+ ')
+
+ can_exec($1, spamd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute spamassassin client in the spamassassin client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_client',`
+ gen_require(`
+ type spamc_t, spamc_exec_t;
+ ')
+
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
+')
+
+########################################
+## <summary>
+## Execute the spamassassin client
+## program in the caller directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_exec_client',`
+ gen_require(`
+ type spamc_exec_t;
+ ')
+
+ can_exec($1, spamc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute spamassassin standalone client in the user spamassassin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_local_client',`
+ gen_require(`
+ type spamassassin_t, spamassassin_exec_t;
+ ')
+
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+')
+
+########################################
+## <summary>
+## read spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## spamd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read temporary spamd file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_read_spamd_tmp_files',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ allow $1 spamd_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes of temporary
+## spamd sockets/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+
+ dontaudit $1 spamd_tmp_t:sock_file getattr;
+')
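Review bot: `spamassassin_role` requires `spamc_tmp_t` and `spamassassin_tmp_t` but never references them, so the `gen_require` block should shrink to `type spamc_t, spamc_exec_t;`, `type spamassassin_t, spamassassin_exec_t;` and `type spamassassin_home_t;`, or the interface should actually grant the role domain access to those tmp types. Smaller items in the same hunk: the summary of `spamassassin_signal_spamd` reads "Singnal the spam assassin daemon" and should be `## Signal the spamassassin daemon`, and `spamassassin_exec` has a stray blank line before its closing `')`. `spamassassin_read_spamd_tmp_files` uses a bare `allow` on `spamd_tmp_t:file` without a `files_search_tmp($1)`, unlike the lib-file interfaces above it which pair the pattern with a search call; if callers are expected to reach the file by path, the same shape would be consistent.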
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
new file mode 100644
index 00000000..1bbf73bb
--- /dev/null
+++ b/policy/modules/contrib/spamassassin.te
@@ -0,0 +1,449 @@
+policy_module(spamassassin, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network, false)
+
+## <desc>
+## <p>
+## Allow spamd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs, true)
+
+type spamassassin_t;
+type spamassassin_exec_t;
+typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
+
+type spamassassin_home_t;
+typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+userdom_user_home_content(spamassassin_home_t)
+
+type spamassassin_tmp_t;
+typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+userdom_user_tmp_file(spamassassin_tmp_t)
+
+type spamc_t;
+type spamc_exec_t;
+typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+userdom_user_application_domain(spamc_t, spamc_exec_t)
+
+type spamc_tmp_t;
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+userdom_user_tmp_file(spamc_tmp_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t, spamd_exec_t)
+
+type spamd_spool_t;
+files_type(spamd_spool_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+# var/lib files
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+##############################
+#
+# Standalone program local policy
+#
+
+allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
+
+manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+# set tunable if you have spamassassin do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(spamassassin_t)
+ corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_generic_node(spamassassin_t)
+ corenet_udp_sendrecv_generic_node(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamassassin_t)
+ fs_manage_nfs_files(spamassassin_t)
+ fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamassassin_t)
+ fs_manage_cifs_files(spamassassin_t)
+ fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+ tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+')
+
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+
+kernel_read_kernel_sysctls(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_sendrecv_generic_node(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
+files_list_home(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this should probably be removed:
+seutil_read_config(spamc_t)
+
+sysnet_read_config(spamc_t)
+
+optional_policy(`
+ # Allow connection to spamd socket above
+ evolution_stream_connect(spamc_t)
+')
+
+optional_policy(`
+ # Needed for pyzor/razor called from spamd
+ milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(spamc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(spamc_t)
+')
+
+optional_policy(`
+ mta_read_config(spamc_t)
+ sendmail_stub(spamc_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc. Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:sock_file read_sock_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+# var/lib files for spamd
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
+
+kernel_read_all_sysctls(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
+corenet_tcp_sendrecv_generic_if(spamd_t)
+corenet_udp_sendrecv_generic_if(spamd_t)
+corenet_tcp_sendrecv_generic_node(spamd_t)
+corenet_udp_sendrecv_generic_node(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_udp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_generic_node(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
+corenet_tcp_connect_smtp_port(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_node(spamd_t)
+corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
+corenet_dontaudit_udp_bind_all_ports(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
+
+init_dontaudit_rw_utmp(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+sysnet_use_ldap(spamd_t)
+sysnet_dns_name_resolve(spamd_t)
+
+userdom_use_unpriv_users_fds(spamd_t)
+userdom_search_user_home_dirs(spamd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`
+ amavis_manage_lib_files(spamd_t)
+')
+
+optional_policy(`
+ cron_system_entry(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(spamd_t, spamd_exec_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(spamd_t)
+ dcc_stream_connect_dccifd(spamd_t)
+')
+
+optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(spamd_t)
+ corenet_sendrecv_mysqld_client_packets(spamd_t)
+
+ mysql_search_db(spamd_t)
+ mysql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`
+ postfix_read_config(spamd_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_postgresql_port(spamd_t)
+ corenet_sendrecv_postgresql_client_packets(spamd_t)
+
+ postgresql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(spamd_t)
+ pyzor_signal(spamd_t)
+')
+
+optional_policy(`
+ razor_domtrans(spamd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+')
+
+optional_policy(`
+ udev_read_db(spamd_t)
+')
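Review bot: `sys_tty_config` is both allowed (`allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };`) and dontaudited on the next line; since allow takes precedence the `dontaudit` is dead, and the other daemons in this series (speedtouch, squid) only dontaudit it, so the intended rule is most likely `allow spamd_t self:capability { setuid setgid dac_override };` with the existing `dontaudit` kept. The comment above it says to "Comment this if you are not using" the setuid-to-user ability, but the line also carries `dac_override`, which a reader cannot drop separately; splitting setuid/setgid onto their own line would make the advice followable. Separately, the `spamd_enable_home_dirs` tunable (described as allowing spamd to read/write user home directories) gates only the generic `userdom_manage_user_home_content_*` calls, while the `manage_*_pattern(spamd_t, spamassassin_home_t, ...)` and `userdom_user_home_dir_filetrans(spamd_t, ...)` rules in the standalone section are unconditional, so disabling the tunable still leaves spamd with full write access to `~/.spamassassin`; if that is intentional, a comment on those rules stating it would avoid the surprise.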
diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc
new file mode 100644
index 00000000..9760d154
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.fc
@@ -0,0 +1,2 @@
+/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
diff --git a/policy/modules/contrib/speedtouch.if b/policy/modules/contrib/speedtouch.if
new file mode 100644
index 00000000..826e2db0
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.if
@@ -0,0 +1 @@
+## <summary>Alcatel speedtouch USB ADSL modem</summary>
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
new file mode 100644
index 00000000..ade10f5e
--- /dev/null
+++ b/policy/modules/contrib/speedtouch.te
@@ -0,0 +1,61 @@
+policy_module(speedtouch, 1.4.0)
+
+#######################################
+#
+# Rules for the speedmgmt_t domain.
+#
+
+type speedmgmt_t;
+type speedmgmt_exec_t;
+init_daemon_domain(speedmgmt_t, speedmgmt_exec_t)
+
+type speedmgmt_tmp_t;
+files_tmp_file(speedmgmt_tmp_t)
+
+type speedmgmt_var_run_t;
+files_pid_file(speedmgmt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit speedmgmt_t self:capability sys_tty_config;
+allow speedmgmt_t self:process signal_perms;
+
+manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
+
+manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t)
+files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file)
+
+kernel_read_kernel_sysctls(speedmgmt_t)
+kernel_list_proc(speedmgmt_t)
+kernel_read_proc_symlinks(speedmgmt_t)
+
+dev_read_sysfs(speedmgmt_t)
+dev_read_usbfs(speedmgmt_t)
+
+domain_use_interactive_fds(speedmgmt_t)
+
+files_read_etc_files(speedmgmt_t)
+files_read_usr_files(speedmgmt_t)
+
+fs_getattr_all_fs(speedmgmt_t)
+fs_search_auto_mountpoints(speedmgmt_t)
+
+logging_send_syslog_msg(speedmgmt_t)
+
+miscfiles_read_localization(speedmgmt_t)
+
+userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(speedmgmt_t)
+')
+
+optional_policy(`
+ udev_read_db(speedmgmt_t)
+')
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
new file mode 100644
index 00000000..6cc4a90a
--- /dev/null
+++ b/policy/modules/contrib/squid.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
new file mode 100644
index 00000000..d2496bd7
--- /dev/null
+++ b/policy/modules/contrib/squid.if
@@ -0,0 +1,233 @@
+## <summary>Squid caching http proxy server</summary>
+
+########################################
+## <summary>
+## Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`squid_domtrans',`
+ gen_require(`
+ type squid_t, squid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, squid_exec_t, squid_t)
+')
+
+########################################
+## <summary>
+## Execute squid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_exec',`
+ gen_require(`
+ type squid_exec_t;
+ ')
+
+ can_exec($1, squid_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to squid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_signal',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:process signal;
+')
+
+########################################
+## <summary>
+## Allow read and write squid
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search squid cache dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_cache',`
+ gen_require(`
+ type squid_cache_t;
+ ')
+
+ dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read squid configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_config',`
+ gen_require(`
+ type squid_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, squid_conf_t, squid_conf_t)
+')
+
+########################################
+## <summary>
+## Append squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_read_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Append squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_append_log',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## squid logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_manage_logs',`
+ gen_require(`
+ type squid_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, squid_log_t, squid_log_t)
+')
+
+########################################
+## <summary>
+## Use squid services by connecting over TCP. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an squid environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the squid domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+ type squid_log_t, squid_var_run_t;
+ type squid_initrc_exec_t;
+ ')
+
+ allow $1 squid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, squid_t)
+
+ init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 squid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, squid_cache_t)
+
+ files_list_etc($1)
+ admin_pattern($1, squid_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, squid_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, squid_var_run_t)
+')
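Review bot: The summary of `squid_read_log` says "Append squid logs." even though the interface grants `read_files_pattern` on `squid_log_t`; it is a copy of the `squid_append_log` header and should read `## Read squid logs.`. The rest of the file's documentation matches the rules it describes.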
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
new file mode 100644
index 00000000..4b2230e7
--- /dev/null
+++ b/policy/modules/contrib/squid.te
@@ -0,0 +1,208 @@
+policy_module(squid, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any, false)
+
+## <desc>
+## <p>
+## Allow squid to run as a transparent proxy (TPROXY)
+## </p>
+## </desc>
+gen_tunable(squid_use_tproxy, false)
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t, squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_initrc_exec_t;
+init_script_file(squid_initrc_exec_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow squid_t self:fifo_file rw_fifo_file_perms;
+allow squid_t self:sock_file read_sock_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:tcp_socket create_stream_socket_perms;
+allow squid_t self:udp_socket create_socket_perms;
+
+# Grant permissions to create, access, and delete cache files.
+manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+
+allow squid_t squid_conf_t:dir list_dir_perms;
+read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+
+can_exec(squid_t, squid_exec_t)
+
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
+logging_log_filetrans(squid_t, squid_log_t, { file dir })
+
+#squid requires the following when run in diskd mode, the recommended setting
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
+manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+kernel_read_kernel_sysctls(squid_t)
+kernel_read_system_state(squid_t)
+
+files_dontaudit_getattr_boot_dirs(squid_t)
+
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
+corenet_tcp_sendrecv_generic_if(squid_t)
+corenet_udp_sendrecv_generic_if(squid_t)
+corenet_tcp_sendrecv_generic_node(squid_t)
+corenet_udp_sendrecv_generic_node(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_generic_node(squid_t)
+corenet_udp_bind_generic_node(squid_t)
+corenet_tcp_bind_http_port(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
+corenet_tcp_connect_http_cache_port(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_http_server_packets(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
+corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_wccp_server_packets(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+fs_list_inotifyfs(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_getattr_pty_dirs(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_interactive_fds(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
+files_getattr_home_dir(squid_t)
+
+auth_use_nsswitch(squid_t)
+auth_domtrans_chk_passwd(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_generic_certs(squid_t)
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fds(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
+
+tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+ corenet_sendrecv_all_packets(squid_t)
+')
+
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_tcp_bind_netport_port(squid_t)
+')
+
+optional_policy(`
+ apache_content_template(squid)
+
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+ squid_read_config(httpd_squid_script_t)
+')
+
+optional_policy(`
+ cron_system_entry(squid_t, squid_exec_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(squid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`
+ udev_read_db(squid_t)
+')
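Review bot: The `squid_connect_any` tunable is documented as allowing squid to "connect to all ports", but the block also grants `corenet_tcp_bind_all_ports(squid_t)` and `corenet_sendrecv_all_packets(squid_t)`, which let the daemon listen on any TCP port as well. Either the description should state the full effect, e.g. `## Allow squid to connect to, and bind to, all TCP ports, not just HTTP, FTP, and Gopher ports.`, or the bind line should be dropped if connecting is all the tunable is meant to enable; I cannot tell from the hunk which is intended. The dedicated listening ports are already covered unconditionally by the `corenet_tcp_bind_*_port` calls above.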
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
new file mode 100644
index 00000000..4271815b
--- /dev/null
+++ b/policy/modules/contrib/sssd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
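Review bot: The dot in `/var/run/sssd.pid` is unescaped while the other entries in this file escape theirs (`/etc/rc\.d/init\.d/sssd`); since file-context paths are regexes, the pattern also matches names such as `sssdXpid`. Write it as `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`.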
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
new file mode 100644
index 00000000..941380a7
--- /dev/null
+++ b/policy/modules/contrib/sssd.if
@@ -0,0 +1,255 @@
+## <summary>System Security Services Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sssd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_domtrans',`
+ gen_require(`
+ type sssd_t, sssd_exec_t;
+ ')
+
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+')
+
+########################################
+## <summary>
+## Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_initrc_domtrans',`
+ gen_require(`
+ type sssd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
+## Read sssd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_pid_files',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sssd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage sssd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_pids',`
+ gen_require(`
+ type sssd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+')
+
+########################################
+## <summary>
+## Search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_lib_files',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## sssd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dbus_chat',`
+ gen_require(`
+ type sssd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 sssd_t:dbus send_msg;
+ allow sssd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to sssd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_stream_connect',`
+ gen_require(`
+ type sssd_t, sssd_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an sssd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the sssd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_admin',`
+ gen_require(`
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
+ ')
+
+ allow $1 sssd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, sssd_t, sssd_t)
+
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sssd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ sssd_manage_pids($1)
+
+ sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
+')
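Review bot: `sssd_stream_connect` calls `files_search_pids($1)`, but the socket it connects to is labelled `sssd_var_lib_t`, so the caller is never granted search on `/var/lib` or on the sssd lib directory; replace that line with `sssd_search_lib($1)`, which already wraps `files_search_var_lib`. In `sssd_admin` the comment `# Allow sssd_t to restart the apache service` is a copy-paste leftover and should read `# Allow $1 to restart the sssd service`. `sssd_admin` also reads `sssd_t` via `read_files_pattern($1, sssd_t, sssd_t)` where `tcsd_admin` in this same commit uses `ps_process_pattern($1, tcsd_t)`; the two admin interfaces should use the same idiom. Finally, `sssd_admin` never touches `sssd_var_log_t`, so an administrator cannot rotate or remove sssd logs; consider adding the type to `gen_require`, then `logging_search_logs($1)` and `admin_pattern($1, sssd_var_log_t)`.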
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
new file mode 100644
index 00000000..8ffa2577
--- /dev/null
+++ b/policy/modules/contrib/sssd.te
@@ -0,0 +1,90 @@
+policy_module(sssd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+########################################
+#
+# sssd local policy
+#
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
+allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+kernel_read_system_state(sssd_t)
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
+fs_list_inotifyfs(sssd_t)
+
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
+init_read_utmp(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_localization(sssd_t)
+
+optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')
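Review bot: `sssd_public_t` is declared with `files_pid_file(sssd_public_t)`, yet sssd.fc places it under `/var/lib/sss/pubconf`, not `/var/run`, and `sssd_read_public_files` reaches it through `sssd_search_lib`; `files_type(sssd_public_t)` matches where the files actually live. The log type only gets `manage_files_pattern` and a file-only `logging_log_filetrans(sssd_t, sssd_var_log_t, file)`, while the fc labels the whole `/var/log/sssd(/.*)?` tree; if sssd creates that directory or sub-directories (I cannot tell from here), add `manage_dirs_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` and change the transition to `{ file dir }` as is done for the lib and pid types. In the capability set, `dac_override` already subsumes `dac_read_search`, so the pair could be reduced to whichever one the daemon actually needs.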
diff --git a/policy/modules/contrib/stunnel.fc b/policy/modules/contrib/stunnel.fc
new file mode 100644
index 00000000..50e29aa8
--- /dev/null
+++ b/policy/modules/contrib/stunnel.fc
@@ -0,0 +1,7 @@
+/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/contrib/stunnel.if b/policy/modules/contrib/stunnel.if
new file mode 100644
index 00000000..6073656f
--- /dev/null
+++ b/policy/modules/contrib/stunnel.if
@@ -0,0 +1,25 @@
+## <summary>SSL Tunneling Proxy</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the stunnel inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+ gen_require(`
+ type stunnel_t;
+ ')
+
+ domtrans_pattern(stunnel_t,$2,$1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
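Review bot: `domtrans_pattern(stunnel_t,$2,$1)` drops the spaces after commas that every other interface call in this commit uses; write `domtrans_pattern(stunnel_t, $2, $1)`. Unlike `tcpd_wrapped_domain` in tcpd.if, this interface does not emit `role system_r types $1;`, so the service domain reached from `stunnel_t` (which is in `system_r`) is only valid if the caller adds the role statement itself; either add `role system_r;` to the `gen_require` and `role system_r types $1;` after the transition, or say in the summary that the caller must do it.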
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
new file mode 100644
index 00000000..f646c666
--- /dev/null
+++ b/policy/modules/contrib/stunnel.te
@@ -0,0 +1,123 @@
+policy_module(stunnel, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type stunnel_t;
+domain_type(stunnel_t)
+role system_r types stunnel_t;
+
+type stunnel_exec_t;
+domain_entry_file(stunnel_t, stunnel_exec_t)
+
+ifdef(`distro_gentoo',`
+ init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
+type stunnel_etc_t;
+files_config_file(stunnel_etc_t)
+
+type stunnel_tmp_t;
+files_tmp_file(stunnel_tmp_t)
+
+type stunnel_var_run_t;
+files_pid_file(stunnel_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:process signal_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
+allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
+
+allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+allow stunnel_t stunnel_etc_t:file read_file_perms;
+allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+
+manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+
+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(stunnel_t)
+kernel_read_system_state(stunnel_t)
+kernel_read_network_state(stunnel_t)
+
+corecmd_exec_bin(stunnel_t)
+
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
+corenet_tcp_sendrecv_generic_if(stunnel_t)
+corenet_udp_sendrecv_generic_if(stunnel_t)
+corenet_tcp_sendrecv_generic_node(stunnel_t)
+corenet_udp_sendrecv_generic_node(stunnel_t)
+corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_udp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_generic_node(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
+
+fs_getattr_all_fs(stunnel_t)
+
+auth_use_nsswitch(stunnel_t)
+
+logging_send_syslog_msg(stunnel_t)
+
+miscfiles_read_localization(stunnel_t)
+
+sysnet_read_config(stunnel_t)
+
+ifdef(`distro_gentoo', `
+ dontaudit stunnel_t self:capability sys_tty_config;
+ allow stunnel_t self:udp_socket create_socket_perms;
+
+ dev_read_sysfs(stunnel_t)
+
+ fs_search_auto_mountpoints(stunnel_t)
+
+ domain_use_interactive_fds(stunnel_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
+
+ optional_policy(`
+ daemontools_service_domain(stunnel_t, stunnel_exec_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole(stunnel_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(stunnel_t)
+ ')
+',`
+ allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+ dev_read_urand(stunnel_t)
+
+ files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
+ files_search_home(stunnel_t)
+
+ optional_policy(`
+ kerberos_use(stunnel_t)
+ ')
+')
+
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+ type stunnel_port_t;
+')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
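Review bot: `allow stunnel_t self:udp_socket create_socket_perms;` already appears unconditionally in the local policy, so the identical rule inside the `distro_gentoo` branch is redundant and can be dropped. The trailing `gen_require` of `stunnel_port_t` with a raw `allow ... :tcp_socket name_bind` bypasses the corenet layer, as the comment itself admits; if the port number is known, declaring the port with `network_port` in corenetwork would generate a `corenet_tcp_bind_stunnel_port` interface to call here instead. The comment should also be spelled `doesn't`. With `corenet_tcp_connect_all_ports` plus `corenet_tcp_sendrecv_all_ports` this is a broad network domain; if the tunnel endpoints are fixed on a given deployment, a per-port connect interface would be tighter.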
diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc
new file mode 100644
index 00000000..bc3797bc
--- /dev/null
+++ b/policy/modules/contrib/sxid.fc
@@ -0,0 +1,6 @@
+/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
+/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0)
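Review bot: `/var/log/setuid.*` leaves its dot unescaped whereas the next two entries escape theirs (`setuid\.today.*`, `sxid\.log.*`). As written the first pattern already matches every path the `setuid\.today` line matches, making that line redundant; if the intent was `setuid.` followed by a suffix, it should be `/var/log/setuid\..*`. Either way the three lines should follow one convention.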
diff --git a/policy/modules/contrib/sxid.if b/policy/modules/contrib/sxid.if
new file mode 100644
index 00000000..dd8ac62e
--- /dev/null
+++ b/policy/modules/contrib/sxid.if
@@ -0,0 +1,22 @@
+## <summary>SUID/SGID program monitoring</summary>
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## sxid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sxid_read_log',`
+ gen_require(`
+ type sxid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 sxid_log_t:file read_file_perms;
+')
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
new file mode 100644
index 00000000..045fb862
--- /dev/null
+++ b/policy/modules/contrib/sxid.te
@@ -0,0 +1,97 @@
+policy_module(sxid, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sxid_t;
+type sxid_exec_t;
+application_domain(sxid_t, sxid_exec_t)
+
+type sxid_log_t;
+logging_log_file(sxid_log_t)
+
+type sxid_tmp_t;
+files_tmp_file(sxid_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+allow sxid_t self:process signal_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
+allow sxid_t self:tcp_socket create_stream_socket_perms;
+allow sxid_t self:udp_socket create_socket_perms;
+
+allow sxid_t sxid_log_t:file manage_file_perms;
+logging_log_filetrans(sxid_t, sxid_log_t, file)
+
+manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
+
+kernel_read_system_state(sxid_t)
+kernel_read_kernel_sysctls(sxid_t)
+
+corecmd_exec_bin(sxid_t)
+corecmd_exec_shell(sxid_t)
+
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
+corenet_tcp_sendrecv_generic_if(sxid_t)
+corenet_udp_sendrecv_generic_if(sxid_t)
+corenet_tcp_sendrecv_generic_node(sxid_t)
+corenet_udp_sendrecv_generic_node(sxid_t)
+corenet_tcp_sendrecv_all_ports(sxid_t)
+corenet_udp_sendrecv_all_ports(sxid_t)
+
+dev_read_sysfs(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+dev_getattr_all_chr_files(sxid_t)
+
+domain_use_interactive_fds(sxid_t)
+
+files_list_all(sxid_t)
+files_getattr_all_symlinks(sxid_t)
+files_getattr_all_pipes(sxid_t)
+files_getattr_all_sockets(sxid_t)
+
+fs_getattr_xattr_fs(sxid_t)
+fs_search_auto_mountpoints(sxid_t)
+fs_list_all(sxid_t)
+
+term_dontaudit_use_console(sxid_t)
+
+auth_read_all_files_except_auth_files(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
+
+init_use_fds(sxid_t)
+init_use_script_ptys(sxid_t)
+
+logging_send_syslog_msg(sxid_t)
+
+miscfiles_read_localization(sxid_t)
+
+mount_exec(sxid_t)
+
+sysnet_read_config(sxid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+cron_system_entry(sxid_t, sxid_exec_t)
+
+optional_policy(`
+ mta_send_mail(sxid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sxid_t)
+')
+
+optional_policy(`
+ udev_read_db(sxid_t)
+')
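Review bot: `cron_system_entry(sxid_t, sxid_exec_t)` is called outside `optional_policy`, while sysstat.te in this same commit wraps the identical call; cron is a contrib module, so a build without it would fail on the unresolved interface here. Wrap it in an `optional_policy` block exactly like the `mta_send_mail`, `seutil_sigchld_newrole` and `udev_read_db` calls that follow it.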
diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc
new file mode 100644
index 00000000..08d999cf
--- /dev/null
+++ b/policy/modules/contrib/sysstat.fc
@@ -0,0 +1,8 @@
+
+/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+
+/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
new file mode 100644
index 00000000..7a23b3b8
--- /dev/null
+++ b/policy/modules/contrib/sysstat.if
@@ -0,0 +1,21 @@
+## <summary>Policy for sysstat. Reports on various system states</summary>
+
+########################################
+## <summary>
+## Manage sysstat logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_manage_log',`
+ gen_require(`
+ type sysstat_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
+')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
new file mode 100644
index 00000000..52f0d6c2
--- /dev/null
+++ b/policy/modules/contrib/sysstat.te
@@ -0,0 +1,70 @@
+policy_module(sysstat, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sysstat_t;
+type sysstat_exec_t;
+init_system_domain(sysstat_t, sysstat_exec_t)
+role system_r types sysstat_t;
+
+type sysstat_log_t;
+logging_log_file(sysstat_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+can_exec(sysstat_t, sysstat_exec_t)
+
+manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+
+# get info from /proc
+kernel_read_system_state(sysstat_t)
+kernel_read_network_state(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
+
+corecmd_exec_bin(sysstat_t)
+
+dev_read_urand(sysstat_t)
+dev_read_sysfs(sysstat_t)
+
+files_search_var(sysstat_t)
+# for mtab
+files_read_etc_runtime_files(sysstat_t)
+#for fstab
+files_read_etc_files(sysstat_t)
+
+fs_getattr_xattr_fs(sysstat_t)
+fs_list_inotifyfs(sysstat_t)
+
+term_use_console(sysstat_t)
+term_use_all_terms(sysstat_t)
+
+init_use_fds(sysstat_t)
+
+locallogin_use_fds(sysstat_t)
+
+miscfiles_read_localization(sysstat_t)
+
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(sysstat_t)
+')
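Review bot: `manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)` and `manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)` omit the spaces after commas that the `manage_files_pattern` line between them uses; write `manage_dirs_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` and `manage_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)`. `logging_send_syslog_msg(sysstat_t)` is wrapped in `optional_policy` here while sxid.te, tcpd.te and tcsd.te in this commit call it unconditionally; logging is a base module, so the wrapper is unnecessary and the inconsistency looks like a leftover. The comment `#for fstab` should read `# for fstab` to match `# for mtab` two lines above.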
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
new file mode 100644
index 00000000..2e8d7a1d
--- /dev/null
+++ b/policy/modules/contrib/tcpd.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/contrib/tcpd.if b/policy/modules/contrib/tcpd.if
new file mode 100644
index 00000000..2075ebb5
--- /dev/null
+++ b/policy/modules/contrib/tcpd.if
@@ -0,0 +1,45 @@
+## <summary>Policy for TCP daemon.</summary>
+
+########################################
+## <summary>
+## Execute tcpd in the tcpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tcpd_domtrans',`
+ gen_require(`
+ type tcpd_t, tcpd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+## <summary>
+## Create a domain for services that
+## utilize tcp wrappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`tcpd_wrapped_domain',`
+ gen_require(`
+ type tcpd_t;
+ role system_r;
+ ')
+
+ domtrans_pattern(tcpd_t, $2, $1)
+ role system_r types $1;
+')
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
new file mode 100644
index 00000000..7038b559
--- /dev/null
+++ b/policy/modules/contrib/tcpd.te
@@ -0,0 +1,50 @@
+policy_module(tcpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
+role system_r types tcpd_t;
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
+corenet_tcp_sendrecv_generic_if(tcpd_t)
+corenet_tcp_sendrecv_generic_node(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+# Run other daemons in the inetd child domain.
+corecmd_search_bin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+# no good reason for files_dontaudit_search_var, probably nscd
+files_dontaudit_search_var(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`
+ nis_use_ypbind(tcpd_t)
+')
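Review bot: The comment `# Run other daemons in the inetd child domain.` sits above `corecmd_search_bin(tcpd_t)`, but the rule that performs that transition is `inetd_domtrans_child(tcpd_t)` further down; move the comment onto that line and give the search rule its own reason, presumably `# search bin dirs to locate the wrapped service`. The comment `# no good reason for files_dontaudit_search_var, probably nscd` records an unverified guess; if nscd is confirmed as the cause, the dontaudit belongs in an `optional_policy` block using nscd's own interface rather than a blanket dontaudit on `/var`, and if not, the comment should be resolved rather than left in.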
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
new file mode 100644
index 00000000..1a6527cd
--- /dev/null
+++ b/policy/modules/contrib/tcsd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
new file mode 100644
index 00000000..595f5a7e
--- /dev/null
+++ b/policy/modules/contrib/tcsd.if
@@ -0,0 +1,150 @@
+## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tcsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_domtrans',`
+ gen_require(`
+ type tcsd_t, tcsd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcsd_exec_t, tcsd_t)
+')
+
+########################################
+## <summary>
+## Execute tcsd server in the tcsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`tcsd_initrc_domtrans',`
+ gen_require(`
+ type tcsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search tcsd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_search_lib',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage tcsd lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_dirs',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_read_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## tcsd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tcsd_manage_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tcsd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tcsd_admin',`
+ gen_require(`
+ type tcsd_t;
+ type tcsd_initrc_exec_t;
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tcsd_t)
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tcsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, tcsd_var_lib_t)
+')
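Review bot: The `domain` parameter of `tcsd_initrc_domtrans` is described as `The type of the process performing this action.` while every other interface in this file and in sssd.if uses `Domain allowed access.` or `Domain allowed to transition.`; align the wording. The summary of `tcsd_manage_lib_dirs`, `Manage tcsd lib dirs files.`, should read `Manage tcsd lib directories.`, and the `tcsd_admin` summary `an tcsd environment` should read `a tcsd environment`. `tcsd_domtrans` describes its parameter as `Domain allowed access.` where `sssd_domtrans` says `Domain allowed to transition.`; the latter is the accurate one for a domain-transition interface.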
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
new file mode 100644
index 00000000..ee9f3c6e
--- /dev/null
+++ b/policy/modules/contrib/tcsd.te
@@ -0,0 +1,50 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+type tcsd_initrc_exec_t;
+init_script_file(tcsd_initrc_exec_t)
+
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
+
+# Accept connections on the TCS port over loopback.
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+dev_read_urand(tcsd_t)
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+
+auth_use_nsswitch(tcsd_t)
+
+logging_send_syslog_msg(tcsd_t)
+
+miscfiles_read_localization(tcsd_t)
+
+sysnet_dns_name_resolve(tcsd_t)
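Review bot: `domain_type(tcsd_t)` is redundant with `init_daemon_domain(tcsd_t, tcsd_exec_t)` on the next line, which already makes `tcsd_t` a domain; sssd.te in this commit relies on `init_daemon_domain` alone, so drop the explicit call for consistency. The comment `# Accept connections on the TCS port over loopback.` promises more than the rules enforce: `corenet_tcp_bind_generic_node` permits binding on any generic node, not only loopback, so the loopback restriction, if any, presumably comes from tcsd's own configuration rather than from this policy; reword to `# Bind the TCS port; restricting to loopback is up to tcsd's configuration.` or similar.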
diff --git a/policy/modules/contrib/telepathy.fc b/policy/modules/contrib/telepathy.fc
new file mode 100644
index 00000000..b07ee196
--- /dev/null
+++ b/policy/modules/contrib/telepathy.fc
@@ -0,0 +1,18 @@
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
new file mode 100644
index 00000000..6bf75ef9
--- /dev/null
+++ b/policy/modules/contrib/telepathy.if
@@ -0,0 +1,178 @@
+## <summary>Telepathy communications framework.</summary>
+
+#######################################
+## <summary>
+## Creates basic types for telepathy
+## domain
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+#
+template(`telepathy_domain_template',`
+ gen_require(`
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+ userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+
+ type telepathy_$1_tmp_t;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+')
+
+#######################################
+## <summary>
+## Role access for telepathy domains
+### that executes via dbus-session
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`telepathy_role', `
+ gen_require(`
+ attribute telepathy_domain;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+ ')
+
+ role $1 types telepathy_domain;
+
+ allow $2 telepathy_domain:process signal_perms;
+ ps_process_pattern($2, telepathy_domain)
+
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
+
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+')
+
+########################################
+## <summary>
+## Stream connect to Telepathy Gabble
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect', `
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Send DBus messages to and from
+## Telepathy Gabble.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_dbus_chat', `
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_gabble_t:dbus send_msg;
+ allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read telepathy mission control state.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## Prefix to be used.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_read_state',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, telepathy_mission_control_t)
+')
+
+#######################################
+## <summary>
+## Stream connect to telepathy MSN managers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_msn_stream_connect', `
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Stream connect to Telepathy Salut
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_salut_stream_connect', `
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+')
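Review bot: `telepathy_role` passes `$3` as the first argument of every `dbus_session_domain()` call, but its documentation block declares only `user_role` and `user_domain`, so the third parameter is undocumented and callers have no guidance on what it is (from the `dbus_session_domain` usage it is presumably the user-domain prefix). Add a third parameter block, `<param name="user_prefix"><summary>Prefix of the user domain.</summary></param>`, after `user_domain`. The inverse problem exists in `telepathy_mission_control_read_state`, which documents a `role_prefix` parameter the body never uses — `$1` goes straight into `kernel_search_proc` and `ps_process_pattern` as the domain — so that `<param name="role_prefix">` block should be removed. The doc line `### that executes via dbus-session` also has three hashes, which will likely leak a stray `#` into the generated summary; make it `## that execute via dbus-session`.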
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
new file mode 100644
index 00000000..ad6a38d8
--- /dev/null
+++ b/policy/modules/contrib/telepathy.te
@@ -0,0 +1,380 @@
+policy_module(telepathy, 1.2.0)
+
+########################################
+#
+# Declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
+## </p>
+## </desc>
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+## <desc>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any network port.
+## </p>
+## </desc>
+gen_tunable(telepathy_connect_all_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+
+telepathy_domain_template(gabble)
+
+type telepathy_gabble_cache_home_t;
+userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_logger_cache_home_t;
+userdom_user_home_content(telepathy_logger_cache_home_t)
+
+type telepathy_logger_data_home_t;
+userdom_user_home_content(telepathy_logger_data_home_t)
+
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_cache_home_t;
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
+#######################################
+#
+# Telepathy Gabble local policy.
+#
+
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
+allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+fs_getattr_all_fs(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_gabble_t)
+ fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_gabble_t)
+ fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_gabble_t)
+')
+
+#######################################
+#
+# Telepathy Idle local policy.
+#
+
+corenet_all_recvfrom_netlabel(telepathy_idle_t)
+corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
+
+files_read_etc_files(telepathy_idle_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+')
+
+#######################################
+#
+# Telepathy Logger local policy.
+#
+
+allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+
+files_read_etc_files(telepathy_logger_t)
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+fs_getattr_all_fs(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
+#######################################
+#
+# Telepathy Mission-Control local policy.
+#
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+
+dev_read_rand(telepathy_mission_control_t)
+
+fs_getattr_all_fs(telepathy_mission_control_t)
+
+files_read_etc_files(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_mission_control_t)
+ fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_mission_control_t)
+ fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+#######################################
+#
+# Telepathy Butterfly and Haze local policy.
+#
+
+allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_msn_t)
+corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+corenet_tcp_bind_generic_node(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sip_port(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+corecmd_read_bin_symlinks(telepathy_msn_t)
+
+files_read_etc_files(telepathy_msn_t)
+files_read_usr_files(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Salut local policy.
+#
+
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_all_recvfrom_netlabel(telepathy_salut_t)
+corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+corenet_tcp_bind_generic_node(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+
+files_read_etc_files(telepathy_salut_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_salut_t)
+
+ optional_policy(`
+ avahi_dbus_chat(telepathy_salut_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Sofiasip local policy.
+#
+
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+')
+
+#######################################
+#
+# Telepathy Sunshine local policy.
+#
+
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+corecmd_exec_bin(telepathy_sunshine_t)
+
+files_read_etc_files(telepathy_sunshine_t)
+files_read_usr_files(telepathy_sunshine_t)
+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# telepathy domains common policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
+
+dev_read_urand(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_search_auto_mountpoints(telepathy_domain)
+
+auth_use_nsswitch(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
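Review bot: `telepathy_gabble_cache_home_t` and `telepathy_mission_control_cache_home_t` are declared in the Declarations section and labelled onto `~/.cache/telepathy/gabble`, `~/.cache/wocky` and `~/.cache/.mc_connections` in telepathy.fc, yet neither the Gabble nor the Mission-Control local policy section grants its own domain any access to those types, so unless rules live elsewhere the labelled cache content is unreachable by the programs it exists for. Add `manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)`, `manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)` and `manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)` to the respective sections, together with whatever search/filetrans rules the `~/.cache` parent requires. Separately, the Sofiasip section grants `self:rawip_socket { create_socket_perms listen }` with no matching `net_raw` capability anywhere in the module; in a user application domain this is probably dead policy, so either drop it or comment why raw IP is needed. The per-domain `self:tcp_socket create_stream_socket_perms` rules for Gabble, Salut and Sofiasip also overlap the common `allow telepathy_domain self:tcp_socket create_socket_perms;` at the bottom — keep the wider set in one place.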
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc
new file mode 100644
index 00000000..7405170a
--- /dev/null
+++ b/policy/modules/contrib/telnet.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/contrib/telnet.if b/policy/modules/contrib/telnet.if
new file mode 100644
index 00000000..58e7ec00
--- /dev/null
+++ b/policy/modules/contrib/telnet.if
@@ -0,0 +1 @@
+## <summary>Telnet daemon</summary>
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
new file mode 100644
index 00000000..6de3d82e
--- /dev/null
+++ b/policy/modules/contrib/telnet.te
@@ -0,0 +1,102 @@
+policy_module(telnet, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t, telnetd_exec_t)
+role system_r types telnetd_t;
+
+type telnetd_devpts_t; #, userpty_type;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:capability { setuid setgid };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(telnetd_t, telnetd_devpts_t)
+
+manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
+corenet_tcp_sendrecv_generic_if(telnetd_t)
+corenet_udp_sendrecv_generic_if(telnetd_t)
+corenet_tcp_sendrecv_generic_node(telnetd_t)
+corenet_udp_sendrecv_generic_node(telnetd_t)
+corenet_tcp_sendrecv_all_ports(telnetd_t)
+corenet_udp_sendrecv_all_ports(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+domain_interactive_fd(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+auth_use_nsswitch(telnetd_t)
+
+corecmd_search_bin(telnetd_t)
+
+files_read_usr_files(telnetd_t)
+files_read_etc_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(telnetd_t)
+
+init_rw_utmp(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_read_config(telnetd_t)
+
+userdom_search_user_home_dirs(telnetd_t)
+userdom_setattr_user_ptys(telnetd_t)
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
+optional_policy(`
+ remotelogin_domtrans(telnetd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(telnetd_t)
+')
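Review bot: `telnetd_t` receives two separate `self:capability` rules, `{ fsetid chown fowner sys_tty_config dac_override }` on the first line of the local policy and `{ setuid setgid }` seven lines later; merge them into one `allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };` so the complete privilege set granted to a network-facing login daemon is visible on a single line when auditing. The declaration `type telnetd_devpts_t; #, userpty_type;` carries a stale commented-out attribute that should either be removed or replaced by a proper comment explaining why the attribute is not applied. The `# for identd; cjp: this should probably only be inetd_child rules?` comment appears twice, once above the `netlink_tcpdiag_socket` rule and once above `files_search_home`; if both rules really exist for identd, group them under a single comment.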
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
new file mode 100644
index 00000000..25eee439
--- /dev/null
+++ b/policy/modules/contrib/tftp.fc
@@ -0,0 +1,8 @@
+
+/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
new file mode 100644
index 00000000..38bb3127
--- /dev/null
+++ b/policy/modules/contrib/tftp.if
@@ -0,0 +1,67 @@
+## <summary>Trivial file transfer protocol daemon</summary>
+
+########################################
+## <summary>
+## Read tftp content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
+ ')
+
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+')
+
+########################################
+## <summary>
+## Manage tftp /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tftp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+ allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tftpd_t)
+
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tftpd_var_run_t)
+')
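Review bot: The `tftp_admin` summary reads `an tftp environment` and `tftp_manage_rw_content` is summarised as `Manage tftp /var/lib files.` although it also manages directories; change them to `a tftp environment` and `Manage tftp /var/lib content.`. `tftp_read_content` grants only `read_files_pattern` on `tftpdir_t`, whereas `tftpd_t` in tftp.te also reads `lnk_file` objects of that type; if callers are expected to follow symlinks under `/tftpboot` add `read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)`, otherwise the summary should say files only.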
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
new file mode 100644
index 00000000..d50c10d0
--- /dev/null
+++ b/policy/modules/contrib/tftp.te
@@ -0,0 +1,106 @@
+policy_module(tftp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(tftp_anon_write, false)
+
+type tftpd_t;
+type tftpd_exec_t;
+init_daemon_domain(tftpd_t, tftpd_exec_t)
+
+type tftpd_var_run_t;
+files_pid_file(tftpd_var_run_t)
+
+type tftpdir_t;
+files_type(tftpdir_t)
+
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tftpd_t self:capability { setgid setuid sys_chroot };
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit tftpd_t self:capability sys_tty_config;
+
+allow tftpd_t tftpdir_t:dir list_dir_perms;
+allow tftpd_t tftpdir_t:file read_file_perms;
+allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
+manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
+files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+
+kernel_read_system_state(tftpd_t)
+kernel_read_kernel_sysctls(tftpd_t)
+
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_tcp_sendrecv_generic_if(tftpd_t)
+corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_tcp_sendrecv_generic_node(tftpd_t)
+corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_generic_node(tftpd_t)
+corenet_udp_bind_generic_node(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
+
+dev_read_sysfs(tftpd_t)
+
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
+domain_use_interactive_fds(tftpd_t)
+
+files_read_etc_files(tftpd_t)
+files_read_etc_runtime_files(tftpd_t)
+files_read_var_files(tftpd_t)
+files_read_var_symlinks(tftpd_t)
+files_search_var(tftpd_t)
+
+auth_use_nsswitch(tftpd_t)
+
+logging_send_syslog_msg(tftpd_t)
+
+miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
+
+optional_policy(`
+ inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(tftpd_t)
+')
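Review bot: `allow tftpd_t tftpdir_t:lnk_file { getattr read };` spells out a permission set the policy already names; use `read_lnk_file_perms`, matching `list_dir_perms` and `read_file_perms` on the two lines above it. The network block grants `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_tcp_bind_generic_node` to a daemon that, judging by `corenet_udp_bind_tftp_port` and the `inetd_udp_service_domain` fallback, serves UDP only; if TCP is genuinely unused, dropping the TCP rules and narrowing sendrecv to the tftp port reduces the exposed surface of a service that is typically reachable without authentication, and if TCP is needed a one-line comment saying why would save the next reviewer the same question.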
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
new file mode 100644
index 00000000..8294f6fc
--- /dev/null
+++ b/policy/modules/contrib/tgtd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
new file mode 100644
index 00000000..c2ed23a8
--- /dev/null
+++ b/policy/modules/contrib/tgtd.if
@@ -0,0 +1,46 @@
+## <summary>Linux Target Framework Daemon.</summary>
+## <desc>
+## <p>
+## Linux target framework (tgt) aims to simplify various
+## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+## and maintenance. Our key goals are the clean integration into
+## the scsi-mid layer and implementing a great portion of tgt
+## in user space.
+## </p>
+## </desc>
+
+#####################################
+## <summary>
+## Allow read and write access to tgtd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_rw_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem rw_sem_perms;
+')
+
+######################################
+## <summary>
+## Manage tgtd sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_manage_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem create_sem_perms;
+')
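Review bot: The summary of `tgtd_manage_semaphores` misspells `sempaphores`; change it to `Manage tgtd semaphores.`. The banner lines above the two interfaces are 37 and 38 `#` characters long, while tftp.if and thunderbird.if in this same commit use 40; align them. tgtd.te declares `tgtd_initrc_exec_t` but this file offers no admin interface of the kind most contrib modules pair with an init script type; if that omission is intentional, a short comment in the header would make it clear.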
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
new file mode 100644
index 00000000..80fe75ce
--- /dev/null
+++ b/policy/modules/contrib/tgtd.te
@@ -0,0 +1,66 @@
+policy_module(tgtd, 1.2.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_manage_fixed_disk(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
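Review bot: `storage_manage_fixed_disk(tgtd_t)` hands the daemon read/write access to every fixed-disk device node, the most powerful grant in this module, yet it carries no comment; add `# tgtd serves block devices as SCSI/iSCSI targets and needs raw access to the backing disks (see tgtd.if)` so a later reader does not mistake it for an over-grant. `files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })` braces a single object class; write `sock_file` bare, as `fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)` does three lines below. The section banners `TGTD personal declarations.` and `TGTD personal policy.` do not follow the `Declarations` / `Local policy` wording used throughout contrib; rename them.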
diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc
new file mode 100644
index 00000000..fb43a7b4
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.fc
@@ -0,0 +1,6 @@
+#
+# /usr
+#
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
diff --git a/policy/modules/contrib/thunderbird.if b/policy/modules/contrib/thunderbird.if
new file mode 100644
index 00000000..a76e9f94
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.if
@@ -0,0 +1,63 @@
+## <summary>Thunderbird email client</summary>
+
+########################################
+## <summary>
+## Role access for thunderbird
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`thunderbird_role',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ type thunderbird_home_t, thunderbird_tmpfs_t;
+ ')
+
+ role $1 types thunderbird_t;
+
+ domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)
+ allow $2 thunderbird_t:fd use;
+ allow $2 thunderbird_t:shm { associate getattr };
+ allow $2 thunderbird_t:unix_stream_socket connectto;
+ allow thunderbird_t $2:fd use;
+ allow thunderbird_t $2:process sigchld;
+ allow thunderbird_t $2:unix_stream_socket connectto;
+
+ # allow ps to show thunderbird and allow the user to kill it
+ ps_process_pattern($2, thunderbird_t)
+ allow $2 thunderbird_t:process signal;
+
+ # Access ~/.thunderbird
+ manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+')
+
+########################################
+## <summary>
+## Run thunderbird in the user thunderbird domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thunderbird_domtrans',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ ')
+
+ domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
+')
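Review bot: `thunderbird_role` lists `thunderbird_tmpfs_t` in its `gen_require` block but never references it; drop it so the require list reflects what the interface actually touches. The same interface hand-rolls the transition with `domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)` plus explicit `allow thunderbird_t $2:fd use;` and `allow thunderbird_t $2:process sigchld;` rules, while `thunderbird_domtrans` a few lines below uses `domtrans_pattern`, which already bundles those fd-use and sigchld rules; replacing those three lines with `thunderbird_domtrans($2)` removes the duplication and keeps the two interfaces consistent, leaving the remaining `$2 -> thunderbird_t` fd/shm/connectto rules as they are.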
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
new file mode 100644
index 00000000..bf37d98b
--- /dev/null
+++ b/policy/modules/contrib/thunderbird.te
@@ -0,0 +1,208 @@
+policy_module(thunderbird, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type thunderbird_t;
+type thunderbird_exec_t;
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+userdom_user_tmpfs_file(thunderbird_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file { ioctl read write getattr };
+allow thunderbird_t self:unix_dgram_socket { create connect };
+allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+allow thunderbird_t self:tcp_socket create_socket_perms;
+allow thunderbird_t self:shm { read write create destroy unix_read unix_write };
+
+# Access ~/.thunderbird
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_search_user_home_dirs(thunderbird_t)
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Allow netstat
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+# Startup shellscript
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_generic_node(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ldap_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_connect_ldap_port(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_sendrecv_ldap_client_packets(thunderbird_t)
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_sendrecv_http_client_packets(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_xattr_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+# Access ~/.thunderbird
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_read_user_tmp_files(thunderbird_t)
+userdom_manage_user_tmp_sockets(thunderbird_t)
+# .kde/....gtkrc
+userdom_read_user_home_content_files(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+# Access ~/.thunderbird
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(thunderbird_t)
+ fs_manage_nfs_files(thunderbird_t)
+ fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(thunderbird_t)
+ fs_manage_cifs_files(thunderbird_t)
+ fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_nfs_files(thunderbird_t)
+ fs_read_nfs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_list_nfs(thunderbird_t)
+ fs_dontaudit_read_nfs_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_cifs_files(thunderbird_t)
+ fs_read_cifs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_read_cifs_files(thunderbird_t)
+ fs_dontaudit_list_cifs(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(thunderbird_t)
+ userdom_read_user_tmp_files(thunderbird_t)
+ userdom_read_user_tmp_symlinks(thunderbird_t)
+ userdom_search_user_home_dirs(thunderbird_t)
+ userdom_read_user_home_content_files(thunderbird_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
+ ')
+',`
+ files_dontaudit_list_tmp(thunderbird_t)
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_removable(thunderbird_t)
+ fs_dontaudit_read_removable_files(thunderbird_t)
+
+ userdom_dontaudit_list_user_tmp(thunderbird_t)
+ userdom_dontaudit_read_user_tmp_files(thunderbird_t)
+ userdom_dontaudit_list_user_home_dirs(thunderbird_t)
+ userdom_dontaudit_read_user_home_content_files(thunderbird_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+ dbus_session_bus_client(thunderbird_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(thunderbird_t)
+ cups_dbus_chat(thunderbird_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+ gnome_manage_config(thunderbird_t)
+')
+
+optional_policy(`
+ gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(thunderbird_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(thunderbird_t)
+ mozilla_domtrans(thunderbird_t)
+ mozilla_dbus_chat(thunderbird_t)
+')
diff --git a/policy/modules/contrib/timidity.fc b/policy/modules/contrib/timidity.fc
new file mode 100644
index 00000000..ed5eef38
--- /dev/null
+++ b/policy/modules/contrib/timidity.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0)
diff --git a/policy/modules/contrib/timidity.if b/policy/modules/contrib/timidity.if
new file mode 100644
index 00000000..989b2409
--- /dev/null
+++ b/policy/modules/contrib/timidity.if
@@ -0,0 +1 @@
+## <summary>MIDI to WAV converter and player configured as a service</summary>
diff --git a/policy/modules/contrib/timidity.te b/policy/modules/contrib/timidity.te
new file mode 100644
index 00000000..67b5592f
--- /dev/null
+++ b/policy/modules/contrib/timidity.te
@@ -0,0 +1,85 @@
+policy_module(timidity, 1.9.0)
+
+# Note: You only need this policy if you want to run timidity as a server
+
+########################################
+#
+# Declarations
+#
+
+type timidity_t;
+type timidity_exec_t;
+init_daemon_domain(timidity_t, timidity_exec_t)
+application_domain(timidity_t, timidity_exec_t)
+
+type timidity_tmpfs_t;
+files_tmpfs_file(timidity_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow timidity_t self:capability { dac_override dac_read_search };
+dontaudit timidity_t self:capability sys_tty_config;
+allow timidity_t self:process { signal_perms getsched };
+allow timidity_t self:shm create_shm_perms;
+allow timidity_t self:unix_stream_socket create_stream_socket_perms;
+allow timidity_t self:tcp_socket create_stream_socket_perms;
+allow timidity_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t)
+fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(timidity_t)
+# read /proc/cpuinfo
+kernel_read_system_state(timidity_t)
+
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
+corenet_tcp_sendrecv_generic_if(timidity_t)
+corenet_udp_sendrecv_generic_if(timidity_t)
+corenet_tcp_sendrecv_generic_node(timidity_t)
+corenet_udp_sendrecv_generic_node(timidity_t)
+corenet_tcp_sendrecv_all_ports(timidity_t)
+corenet_udp_sendrecv_all_ports(timidity_t)
+
+dev_read_sysfs(timidity_t)
+dev_read_sound(timidity_t)
+dev_write_sound(timidity_t)
+
+fs_search_auto_mountpoints(timidity_t)
+
+domain_use_interactive_fds(timidity_t)
+
+files_search_tmp(timidity_t)
+# read /usr/share/alsa/alsa.conf
+files_read_usr_files(timidity_t)
+# read /etc/esd.conf
+files_read_etc_files(timidity_t)
+
+# read libartscbackend.la
+libs_read_lib_files(timidity_t)
+
+logging_send_syslog_msg(timidity_t)
+
+sysnet_read_config(timidity_t)
+
+userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+
+# stupid timidity won't start if it can't search its current directory.
+# allow this so /etc/init.d/alsasound start works from /root
+# cjp: this should be fixed if possible so this rule can be removed.
+userdom_search_user_home_dirs(timidity_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(timidity_t)
+')
+
+optional_policy(`
+ udev_read_db(timidity_t)
+')
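Review bot: The `allow timidity_t self:capability { dac_override dac_read_search };` rule has no comment, unlike the other non-obvious grants in this file (`# read /proc/cpuinfo`, `# read /usr/share/alsa/alsa.conf`, `# read libartscbackend.la`), so a maintainer cannot tell which path actually needs it; combined with the read access to etc, usr and lib files already granted below, it lets the daemon ignore file mode bits on everything its type rules reach. Record the reason inline, e.g. `# dac_override/dac_read_search: <path or operation that fails without them>`, or confirm after an audit pass that the capabilities can be dropped.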
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
new file mode 100644
index 00000000..fcc10e89
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -0,0 +1,7 @@
+ifdef(`distro_debian',`
+/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+')
+
+/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.if b/policy/modules/contrib/tmpreaper.if
new file mode 100644
index 00000000..8dfbd809
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.if
@@ -0,0 +1,21 @@
+## <summary>Manage temporary directory sizes and file ages</summary>
+
+########################################
+## <summary>
+## Execute tmpreaper in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpreaper_exec',`
+ gen_require(`
+ type tmpreaper_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, tmpreaper_exec_t)
+')
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
new file mode 100644
index 00000000..0521d5af
--- /dev/null
+++ b/policy/modules/contrib/tmpreaper.te
@@ -0,0 +1,74 @@
+policy_module(tmpreaper, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+type tmpreaper_exec_t;
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+role system_r types tmpreaper_t;
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+dev_read_urand(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+
+files_read_etc_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+# why does it need setattr?
+files_setattr_all_tmp_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
+
+mls_file_read_all_levels(tmpreaper_t)
+mls_file_write_all_levels(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
+
+cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
+ userdom_delete_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_user_home_content_files(tmpreaper_t)
+ userdom_delete_user_home_content_symlinks(tmpreaper_t)
+')
+
+optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache_files(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
+ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+ rpm_manage_cache(tmpreaper_t)
+')
+
+optional_policy(`
+ unconfined_domain(tmpreaper_t)
+')
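Review bot: `cron_system_entry(tmpreaper_t, tmpreaper_exec_t)` is called unconditionally here, whereas the identical call in tripwire.te in this same commit is wrapped in `optional_policy()`; if cron lives in contrib in this tree, as that wrapping suggests, the tmpreaper module will fail to link on a build without cron, so wrap it the same way. The final `optional_policy(` unconfined_domain(tmpreaper_t) ')` also makes every rule above it, including the `mls_file_read_all_levels`/`mls_file_write_all_levels` exemptions, moot whenever the unconfined module is loaded; that deserves a comment such as `# TODO: justify unconfined_domain here; it supersedes the explicit rules above when the unconfined module is loaded` so the intent is not lost.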
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
new file mode 100644
index 00000000..e2e06b28
--- /dev/null
+++ b/policy/modules/contrib/tor.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
+
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
+/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
+/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
+
+/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
new file mode 100644
index 00000000..904f13e1
--- /dev/null
+++ b/policy/modules/contrib/tor.if
@@ -0,0 +1,64 @@
+## <summary>TOR, the onion router</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run TOR.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tor_domtrans',`
+ gen_require(`
+ type tor_t, tor_exec_t;
+ ')
+
+ domtrans_pattern($1, tor_exec_t, tor_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tor environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the tor domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tor_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 tor_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, tor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, tor_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, tor_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
+')
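Review bot: `allow $1 tor_t:process { ptrace signal_perms getattr };` in tor_admin grants the admin domain ptrace over the daemon, i.e. read and write of tor_t's memory, which would include any key material the process holds at runtime; `ps_process_pattern` plus `signal_perms` already cover the start/stop/inspect workflow this interface describes. If ptrace is kept for debugging, state that in the interface description, e.g. `## ptrace of tor_t is included for debugging and exposes the daemon's memory to the admin domain`, so the trade-off is visible to whoever assigns the role.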
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
new file mode 100644
index 00000000..c842cadf
--- /dev/null
+++ b/policy/modules/contrib/tor.te
@@ -0,0 +1,120 @@
+policy_module(tor, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tor daemon to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(tor_bind_all_unreserved_ports, false)
+
+type tor_t;
+type tor_exec_t;
+init_daemon_domain(tor_t, tor_exec_t)
+
+# etc/tor
+type tor_etc_t;
+files_config_file(tor_etc_t)
+
+type tor_initrc_exec_t;
+init_script_file(tor_initrc_exec_t)
+
+# var/lib/tor
+type tor_var_lib_t;
+files_type(tor_var_lib_t)
+
+# log files
+type tor_var_log_t;
+logging_log_file(tor_var_log_t)
+
+# pid files
+type tor_var_run_t;
+files_pid_file(tor_var_run_t)
+
+########################################
+#
+# tor local policy
+#
+
+allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:fifo_file rw_fifo_file_perms;
+allow tor_t self:unix_stream_socket create_stream_socket_perms;
+allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+allow tor_t self:tcp_socket create_stream_socket_perms;
+
+# configuration files
+allow tor_t tor_etc_t:dir list_dir_perms;
+read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
+read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)
+
+# var/lib/tor files
+manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+files_usr_filetrans(tor_t, tor_var_lib_t, file)
+files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(tor_t, tor_var_lib_t, file)
+
+# log files
+allow tor_t tor_var_log_t:dir setattr;
+manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(tor_t)
+
+# networking basics
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
+corenet_tcp_sendrecv_generic_if(tor_t)
+corenet_udp_sendrecv_generic_if(tor_t)
+corenet_tcp_sendrecv_generic_node(tor_t)
+corenet_udp_sendrecv_generic_node(tor_t)
+corenet_tcp_sendrecv_all_ports(tor_t)
+corenet_udp_sendrecv_dns_port(tor_t)
+corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+corenet_tcp_bind_generic_node(tor_t)
+corenet_udp_bind_generic_node(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_udp_bind_dns_port(tor_t)
+corenet_sendrecv_tor_server_packets(tor_t)
+corenet_sendrecv_dns_server_packets(tor_t)
+# TOR will need to connect to various ports
+corenet_tcp_connect_all_ports(tor_t)
+corenet_sendrecv_all_client_packets(tor_t)
+# ... especially including port 80 and other privileged ports
+corenet_tcp_connect_all_reserved_ports(tor_t)
+
+# tor uses crypto and needs random
+dev_read_urand(tor_t)
+
+domain_use_interactive_fds(tor_t)
+
+files_read_etc_files(tor_t)
+files_read_etc_runtime_files(tor_t)
+files_read_usr_files(tor_t)
+
+auth_use_nsswitch(tor_t)
+
+logging_send_syslog_msg(tor_t)
+
+miscfiles_read_localization(tor_t)
+
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+')
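Review bot: `files_usr_filetrans(tor_t, tor_var_lib_t, file)` lets the daemon create files directly inside usr_t directories (labeled tor_var_lib_t), which is unusual for a network daemon whose state tor.fc places under /var/lib/tor and /var/lib/tor-data, and it widens what a misbehaving tor_t can write under /usr. Unless a known distribution layout puts the data directory under /usr, drop the rule; if it is needed, add a comment naming that layout, e.g. `# DataDirectory lives under /usr on <distro placeholder>; keep in sync with tor.fc`.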
diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc
new file mode 100644
index 00000000..ce33f179
--- /dev/null
+++ b/policy/modules/contrib/transproxy.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
+/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
new file mode 100644
index 00000000..23323f9a
--- /dev/null
+++ b/policy/modules/contrib/transproxy.if
@@ -0,0 +1 @@
+## <summary>HTTP transperant proxy</summary>
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
new file mode 100644
index 00000000..95cf0c07
--- /dev/null
+++ b/policy/modules/contrib/transproxy.te
@@ -0,0 +1,65 @@
+policy_module(transproxy, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type transproxy_t;
+type transproxy_exec_t;
+init_daemon_domain(transproxy_t, transproxy_exec_t)
+
+type transproxy_var_run_t;
+files_pid_file(transproxy_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow transproxy_t self:capability { setgid setuid };
+dontaudit transproxy_t self:capability sys_tty_config;
+allow transproxy_t self:process signal_perms;
+allow transproxy_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t)
+files_pid_filetrans(transproxy_t, transproxy_var_run_t, file)
+
+kernel_read_kernel_sysctls(transproxy_t)
+kernel_list_proc(transproxy_t)
+kernel_read_proc_symlinks(transproxy_t)
+
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
+corenet_tcp_sendrecv_generic_if(transproxy_t)
+corenet_tcp_sendrecv_generic_node(transproxy_t)
+corenet_tcp_sendrecv_all_ports(transproxy_t)
+corenet_tcp_bind_generic_node(transproxy_t)
+corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
+
+dev_read_sysfs(transproxy_t)
+
+domain_use_interactive_fds(transproxy_t)
+
+files_read_etc_files(transproxy_t)
+
+fs_getattr_all_fs(transproxy_t)
+fs_search_auto_mountpoints(transproxy_t)
+
+logging_send_syslog_msg(transproxy_t)
+
+miscfiles_read_localization(transproxy_t)
+
+sysnet_read_config(transproxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(transproxy_t)
+')
+
+optional_policy(`
+ udev_read_db(transproxy_t)
+')
diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc
new file mode 100644
index 00000000..962662fd
--- /dev/null
+++ b/policy/modules/contrib/tripwire.fc
@@ -0,0 +1,10 @@
+
+/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+
+/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0)
+/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0)
diff --git a/policy/modules/contrib/tripwire.if b/policy/modules/contrib/tripwire.if
new file mode 100644
index 00000000..27abd880
--- /dev/null
+++ b/policy/modules/contrib/tripwire.if
@@ -0,0 +1,190 @@
+## <summary>Tripwire file integrity checker.</summary>
+## <desc>
+## <p>
+## Tripwire file integrity checker.
+## </p>
+## <p>
+## NOTE: Tripwire creates temp file in its current working directory.
+## This policy does not allow write access to home directories, so
+## users will need to either cd to a directory where they have write
+## permission, or set the TEMPDIRECTORY variable in the tripwire config
+## file. The latter is preferable, as then the file_type_auto_trans
+## rules will kick in and label the files as private to tripwire.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_tripwire',`
+ gen_require(`
+ type tripwire_t, tripwire_exec_t;
+ ')
+
+ domtrans_pattern($1, tripwire_exec_t, tripwire_t)
+')
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire domain, and
+## allow the specified role the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_tripwire',`
+ gen_require(`
+ type tripwire_t;
+ ')
+
+ tripwire_domtrans_tripwire($1)
+ role $2 types tripwire_t;
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twadmin',`
+ gen_require(`
+ type twadmin_t, twadmin_exec_t;
+ ')
+
+ domtrans_pattern($1, twadmin_exec_t, twadmin_t)
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin domain, and
+## allow the specified role the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twadmin',`
+ gen_require(`
+ type twadmin_t;
+ ')
+
+ tripwire_domtrans_twadmin($1)
+ role $2 types twadmin_t;
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twprint',`
+ gen_require(`
+ type twprint_t, twprint_exec_t;
+ ')
+
+ domtrans_pattern($1, twprint_exec_t, twprint_t)
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint domain, and
+## allow the specified role the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twprint',`
+ gen_require(`
+ type twprint_t;
+ ')
+
+ tripwire_domtrans_twprint($1)
+ role $2 types twprint_t;
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_siggen',`
+ gen_require(`
+ type siggen_t, siggen_exec_t;
+ ')
+
+ domtrans_pattern($1, siggen_exec_t, siggen_t)
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain, and
+## allow the specified role the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_siggen',`
+ gen_require(`
+ type siggen_t;
+ ')
+
+ tripwire_domtrans_siggen($1)
+ role $2 types siggen_t;
+')
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
new file mode 100644
index 00000000..2ae8b62c
--- /dev/null
+++ b/policy/modules/contrib/tripwire.te
@@ -0,0 +1,146 @@
+policy_module(tripwire, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type siggen_t;
+type siggen_exec_t;
+application_domain(siggen_t, siggen_exec_t)
+
+type tripwire_t;
+type tripwire_exec_t;
+application_domain(tripwire_t, tripwire_exec_t)
+role system_r types tripwire_t;
+
+type tripwire_etc_t;
+files_config_file(tripwire_etc_t)
+
+type tripwire_report_t;
+files_type(tripwire_report_t)
+
+type tripwire_tmp_t;
+files_tmp_file(tripwire_tmp_t)
+
+type tripwire_var_lib_t;
+files_type(tripwire_var_lib_t)
+
+type twadmin_t;
+type twadmin_exec_t;
+application_domain(twadmin_t, twadmin_exec_t)
+
+type twprint_t;
+type twprint_exec_t;
+application_domain(twprint_t, twprint_exec_t)
+
+########################################
+#
+# Tripwire local policy
+#
+
+allow tripwire_t self:capability { setgid setuid dac_override };
+
+allow tripwire_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
+read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t)
+files_search_etc(tripwire_t)
+
+# Tripwire report files
+manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+
+manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t)
+files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file)
+
+kernel_read_system_state(tripwire_t)
+kernel_read_network_state(tripwire_t)
+kernel_read_software_raid_state(tripwire_t)
+kernel_getattr_core_if(tripwire_t)
+kernel_getattr_message_if(tripwire_t)
+kernel_read_kernel_sysctls(tripwire_t)
+
+corecmd_exec_shell(tripwire_t)
+corecmd_exec_bin(tripwire_t)
+
+domain_use_interactive_fds(tripwire_t)
+
+files_read_all_files(tripwire_t)
+files_read_all_symlinks(tripwire_t)
+files_getattr_all_pipes(tripwire_t)
+files_getattr_all_sockets(tripwire_t)
+
+logging_send_syslog_msg(tripwire_t)
+
+userdom_use_user_terminals(tripwire_t)
+
+optional_policy(`
+ cron_system_entry(tripwire_t, tripwire_exec_t)
+')
+
+########################################
+#
+# Twadmin local policy
+#
+
+manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)
+
+domain_use_interactive_fds(twadmin_t)
+
+logging_send_syslog_msg(twadmin_t)
+
+miscfiles_read_localization(twadmin_t)
+
+userdom_use_user_terminals(twadmin_t)
+
+########################################
+#
+# Twprint local policy
+#
+
+allow twprint_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
+read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t)
+
+allow twprint_t tripwire_report_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
+read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t)
+
+allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
+read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
+read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t)
+files_search_var_lib(twprint_t)
+
+domain_use_interactive_fds(twprint_t)
+
+logging_send_syslog_msg(twprint_t)
+
+miscfiles_read_localization(twprint_t)
+
+userdom_use_user_terminals(twprint_t)
+
+########################################
+#
+# Siggen local policy
+#
+
+domain_use_interactive_fds(siggen_t)
+
+# Need permission to read files
+files_read_all_files(siggen_t)
+
+logging_send_syslog_msg(siggen_t)
+
+miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)
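Review bot: twadmin_t (the three manage_*_pattern rules on tripwire_etc_t) and twprint_t (the list/read rules on tripwire_etc_t) are granted access to the config type but, unlike tripwire_t which has `files_search_etc(tripwire_t)`, get no `files_search_etc()`, so reaching /etc/tripwire may be denied on the search of the parent directory unless another interface supplies it; add `files_search_etc(twadmin_t)` and `files_search_etc(twprint_t)` next to those rules. tripwire_t likewise manages tripwire_var_lib_t without `files_search_var_lib`, though there `files_read_all_files(tripwire_t)` presumably covers the traversal.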
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
new file mode 100644
index 00000000..639c962c
--- /dev/null
+++ b/policy/modules/contrib/tuned.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+
+/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
+/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
new file mode 100644
index 00000000..54b86059
--- /dev/null
+++ b/policy/modules/contrib/tuned.if
@@ -0,0 +1,129 @@
+## <summary>Dynamic adaptive system tuning daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tuned_domtrans',`
+ gen_require(`
+ type tuned_t, tuned_exec_t;
+ ')
+
+ domtrans_pattern($1, tuned_exec_t, tuned_t)
+')
+
+#######################################
+## <summary>
+## Execute tuned in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_exec',`
+ gen_require(`
+ type tuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tuned_exec_t)
+')
+
+######################################
+## <summary>
+## Read tuned PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_read_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+#######################################
+## <summary>
+## Manage tuned PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_manage_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute tuned server in the tuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tuned_initrc_domtrans',`
+ gen_require(`
+ type tuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an tuned environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tuned_admin',`
+ gen_require(`
+ type tuned_t, tuned_var_run_t;
+ type tuned_initrc_exec_t;
+ ')
+
+ allow $1 tuned_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tuned_t)
+
+ tuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+')
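Review bot: `tuned_admin` omits the log type that tuned.te declares, so an administrator given this interface cannot read or clean up `/var/log/tuned`; add `logging_list_logs($1)` and `admin_pattern($1, tuned_log_t)` and extend the require to `type tuned_t, tuned_log_t, tuned_var_run_t;`. The summary of `tuned_initrc_domtrans` reads "Execute tuned server in the tuned domain", but `init_labeled_script_domtrans` runs the init script in the init-script domain, not in tuned_t; "Execute tuned init scripts in the initrc domain." is the conventional wording. In the admin summary, "an tuned environment" should read "a tuned environment".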
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
new file mode 100644
index 00000000..db9d2a59
--- /dev/null
+++ b/policy/modules/contrib/tuned.te
@@ -0,0 +1,64 @@
+policy_module(tuned, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type tuned_t;
+type tuned_exec_t;
+init_daemon_domain(tuned_t, tuned_exec_t)
+
+type tuned_initrc_exec_t;
+init_script_file(tuned_initrc_exec_t)
+
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
+type tuned_var_run_t;
+files_pid_file(tuned_var_run_t)
+
+########################################
+#
+# tuned local policy
+#
+
+dontaudit tuned_t self:capability { dac_override sys_tty_config };
+
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
+manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+files_pid_filetrans(tuned_t, tuned_var_run_t, file)
+
+corecmd_exec_shell(tuned_t)
+corecmd_exec_bin(tuned_t)
+
+kernel_read_system_state(tuned_t)
+kernel_read_network_state(tuned_t)
+
+dev_read_urand(tuned_t)
+dev_read_sysfs(tuned_t)
+# to allow cpu tuning
+dev_rw_netcontrol(tuned_t)
+
+files_read_etc_files(tuned_t)
+files_read_usr_files(tuned_t)
+files_dontaudit_search_home(tuned_t)
+
+logging_send_syslog_msg(tuned_t)
+
+miscfiles_read_localization(tuned_t)
+
+userdom_dontaudit_search_user_home_dirs(tuned_t)
+
+# to allow disk tuning
+optional_policy(`
+ fstools_domtrans(tuned_t)
+')
+
+# to allow network interface tuning
+optional_policy(`
+ sysnet_domtrans_ifconfig(tuned_t)
+')
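Review bot: `logging_log_filetrans(tuned_t, tuned_log_t, file)` only transitions files, while tuned.fc labels `/var/log/tuned(/.*)?` as a directory tree and the domain is given `manage_dirs_pattern` on tuned_log_t; a directory the daemon itself creates under /var/log would end up as var_log_t. Use `logging_log_filetrans(tuned_t, tuned_log_t, { dir file })` unless the directory is always created by the package install, in which case a comment saying so would help. The domain also hands itself `fstools_domtrans` and `sysnet_domtrans_ifconfig`, which lets a daemon that otherwise only reads sysfs and /etc run raw disk tools in fstools_t; a comment naming which tuned plugins require each transition would let the next reviewer judge the scope.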
diff --git a/policy/modules/contrib/tvtime.fc b/policy/modules/contrib/tvtime.fc
new file mode 100644
index 00000000..8698a613
--- /dev/null
+++ b/policy/modules/contrib/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/policy/modules/contrib/tvtime.if b/policy/modules/contrib/tvtime.if
new file mode 100644
index 00000000..8d89f211
--- /dev/null
+++ b/policy/modules/contrib/tvtime.if
@@ -0,0 +1,40 @@
+## <summary> tvtime - a high quality television application </summary>
+
+########################################
+## <summary>
+## Role access for tvtime
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`tvtime_role',`
+ gen_require(`
+ type tvtime_t, tvtime_exec_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
+ ')
+
+ role $1 types tvtime_t;
+
+ # Type transition
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
+
+ # X access, Home files
+ manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process signal_perms;
+')
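Review bot: `tvtime_role` requires `tvtime_tmpfs_t` in its `gen_require` but never references it in the body, so that require is dead; `type tvtime_home_t;` is all the second line needs. The comment `# X access, Home files` above the home-content rules is copied from the .te and describes nothing X-related here; `# Manage and relabel tvtime home content` says what the block does. The role is also given no access to tvtime_tmp_t, unlike `uml_role` in the same series which manages its tmp type — worth confirming that is intended.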
diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
new file mode 100644
index 00000000..531b1f12
--- /dev/null
+++ b/policy/modules/contrib/tvtime.te
@@ -0,0 +1,90 @@
+policy_module(tvtime, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_t;
+type tvtime_exec_t;
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+userdom_user_application_domain(tvtime_t, tvtime_exec_t)
+
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+userdom_user_tmp_file(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+userdom_user_tmpfs_file(tvtime_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+# X access, Home files
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_urand(tvtime_t)
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+files_search_pids(tvtime_t)
+# Read /etc/tvtime
+files_read_etc_files(tvtime_t)
+
+# X access, Home files
+fs_search_auto_mountpoints(tvtime_t)
+
+miscfiles_read_localization(tvtime_t)
+miscfiles_read_fonts(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
+
+# X access, Home files
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tvtime_t)
+ fs_manage_nfs_files(tvtime_t)
+ fs_manage_nfs_symlinks(tvtime_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tvtime_t)
+ fs_manage_cifs_files(tvtime_t)
+ fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
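Review bot: `files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })` and the matching `fs_tmpfs_filetrans` call lack the space before `{`, inconsistent with `{ setuid sys_nice sys_resource }` and every other set literal in this file; write `files_tmp_filetrans(tvtime_t, tvtime_tmp_t, { file dir })`. The comment `# X access, Home files` appears three times, including above `fs_search_auto_mountpoints`, where it explains nothing; each block should carry a comment that says why it exists, e.g. `# home dirs may live on automounted filesystems`. The capability line grants `setuid` to a user application domain without saying why; if it is there so the binary can drop root after raising its scheduling priority, a one-line comment stating that would justify the grant.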
diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc
new file mode 100644
index 00000000..04b85488
--- /dev/null
+++ b/policy/modules/contrib/tzdata.fc
@@ -0,0 +1 @@
+/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/contrib/tzdata.if b/policy/modules/contrib/tzdata.if
new file mode 100644
index 00000000..01c6c864
--- /dev/null
+++ b/policy/modules/contrib/tzdata.if
@@ -0,0 +1,45 @@
+## <summary>Time zone updater</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tzdata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tzdata_domtrans',`
+ gen_require(`
+ type tzdata_t, tzdata_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tzdata_exec_t, tzdata_t)
+')
+
+########################################
+## <summary>
+## Execute the tzdata program in the tzdata domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the tzdata domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tzdata_run',`
+ gen_require(`
+ type tzdata_t;
+ ')
+
+ tzdata_domtrans($1)
+ role $2 types tzdata_t;
+')
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
new file mode 100644
index 00000000..d0f2a640
--- /dev/null
+++ b/policy/modules/contrib/tzdata.te
@@ -0,0 +1,36 @@
+policy_module(tzdata, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type tzdata_t;
+type tzdata_exec_t;
+init_daemon_domain(tzdata_t, tzdata_exec_t)
+application_domain(tzdata_t, tzdata_exec_t)
+
+########################################
+#
+# tzdata local policy
+#
+
+files_read_etc_files(tzdata_t)
+files_search_spool(tzdata_t)
+
+fs_getattr_xattr_fs(tzdata_t)
+
+term_dontaudit_list_ptys(tzdata_t)
+
+locallogin_dontaudit_use_fds(tzdata_t)
+
+miscfiles_read_localization(tzdata_t)
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
+userdom_use_user_terminals(tzdata_t)
+
+# tzdata looks for /var/spool/postfix/etc/localtime.
+optional_policy(`
+ postfix_search_spool(tzdata_t)
+')
diff --git a/policy/modules/contrib/ucspitcp.fc b/policy/modules/contrib/ucspitcp.fc
new file mode 100644
index 00000000..667d0b5f
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.fc
@@ -0,0 +1,3 @@
+
+/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/policy/modules/contrib/ucspitcp.if b/policy/modules/contrib/ucspitcp.if
new file mode 100644
index 00000000..c1feba4f
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.if
@@ -0,0 +1,38 @@
+## <summary>ucspitcp policy</summary>
+## <desc>
+## <p>
+## Policy for DJB's ucspi-tcpd
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`ucspitcp_service_domain', `
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domain_auto_trans(ucspitcp_t, $2, $1)
+ allow $1 ucspitcp_t:fd use;
+ allow $1 ucspitcp_t:process sigchld;
+ allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
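Review bot: `ucspitcp_service_domain` uses the legacy `domain_auto_trans` macro plus hand-written fd and sigchld allows, where the rest of this series (`tuned_domtrans`, `uml_role`, `updfstab_domtrans`) uses `domtrans_pattern`; `domtrans_pattern(ucspitcp_t, $2, $1)` replaces the `domain_auto_trans` line together with the `fd use` and `process sigchld` allows, and additionally grants the fifo_file access that pattern carries. The interface also binds every service domain to system_r via `role system_r types $1;`; the summary should state that, since callers cannot opt out of it.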
diff --git a/policy/modules/contrib/ucspitcp.te b/policy/modules/contrib/ucspitcp.te
new file mode 100644
index 00000000..a0794bf5
--- /dev/null
+++ b/policy/modules/contrib/ucspitcp.te
@@ -0,0 +1,93 @@
+policy_module(ucspitcp, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t, ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
+corenet_udp_sendrecv_generic_if(rblsmtpd_t)
+corenet_tcp_sendrecv_generic_node(rblsmtpd_t)
+corenet_udp_sendrecv_generic_node(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_tcp_bind_generic_node(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { setgid setuid };
+allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+allow ucspitcp_t self:udp_socket create_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+
+# base networking:
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
+corenet_tcp_sendrecv_generic_if(ucspitcp_t)
+corenet_udp_sendrecv_generic_if(ucspitcp_t)
+corenet_tcp_sendrecv_generic_node(ucspitcp_t)
+corenet_udp_sendrecv_generic_node(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_tcp_bind_generic_node(ucspitcp_t)
+corenet_udp_bind_generic_node(ucspitcp_t)
+
+# server ports:
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+# server packets:
+corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+corenet_sendrecv_http_server_packets(ucspitcp_t)
+corenet_sendrecv_smtp_server_packets(ucspitcp_t)
+corenet_sendrecv_dns_server_packets(ucspitcp_t)
+corenet_sendrecv_generic_server_packets(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+')
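Review bot: `role system_r types rblsmtpd_t;` in the declarations duplicates the `role system_r types $1;` that `ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)` already emits for it, so one of the two can go. rblsmtpd resolves RBL names and is given the full corenet sendrecv set, yet has no `sysnet_read_config(rblsmtpd_t)` or `sysnet_dns_name_resolve(rblsmtpd_t)`; if resolv.conf carries net_conf_t on this policy, `files_read_etc_files` alone will not cover it, unlike the tcpserver domain which does get `sysnet_read_config(ucspitcp_t)`.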
diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
new file mode 100644
index 00000000..831b4a36
--- /dev/null
+++ b/policy/modules/contrib/ulogd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
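Review bot: `/etc/ulogd.conf` leaves the dot unescaped while the sibling entry `/etc/rc\.d/init\.d/ulogd` escapes its dots; file_contexts paths are regexes, so write `/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)`. Harmless for this particular path, but inconsistent with the rest of the file.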
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
new file mode 100644
index 00000000..d23be5ce
--- /dev/null
+++ b/policy/modules/contrib/ulogd.if
@@ -0,0 +1,142 @@
+## <summary>Iptables/netfilter userspace logging daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+ gen_require(`
+ type ulogd_t, ulogd_exec_t;
+ ')
+
+ domtrans_pattern($1, ulogd_exec_t, ulogd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## ulogd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_config',`
+ gen_require(`
+ type ulogd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to search ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ulogd_search_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_append_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ulogd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+ gen_require(`
+ type ulogd_t, ulogd_etc_t, ulogd_modules_t;
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ ')
+
+ allow $1 ulogd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ulogd_t)
+
+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ulogd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ulogd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ulogd_var_log_t)
+
+ files_list_usr($1)
+ admin_pattern($1, ulogd_modules_t)
+')
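Review bot: The `role` parameter of `ulogd_admin` is documented as "The role to be allowed to manage the syslog domain.", a copy-paste from the logging interfaces; it should read "Role allowed access." as `tuned_admin` in this series does. `ulogd_read_config`, `ulogd_read_log` and `ulogd_append_log` carry `<rolecap/>`, which marks an interface as a capability handed to user roles; confirm that was intended for the config-reading interface in particular, given that `ulogd_search_log` in the same file does not carry it. The admin summary's "an ulogd environment" should read "a ulogd environment".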
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
new file mode 100644
index 00000000..3b953f57
--- /dev/null
+++ b/policy/modules/contrib/ulogd.te
@@ -0,0 +1,67 @@
+policy_module(ulogd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+files_read_etc_files(ulogd_t)
+files_read_usr_files(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
+
+optional_policy(`
+ allow ulogd_t self:tcp_socket create_stream_socket_perms;
+
+ mysql_stream_connect(ulogd_t)
+ mysql_tcp_connect(ulogd_t)
+
+ sysnet_dns_name_resolve(ulogd_t)
+')
+
+optional_policy(`
+ allow ulogd_t self:tcp_socket create_stream_socket_perms;
+
+ postgresql_stream_connect(ulogd_t)
+ postgresql_tcp_connect(ulogd_t)
+
+ sysnet_dns_name_resolve(ulogd_t)
+')
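Review bot: The two `optional_policy` blocks each repeat `allow ulogd_t self:tcp_socket create_stream_socket_perms;` and `sysnet_dns_name_resolve(ulogd_t)`; if the duplication is deliberate so that each block stands alone when only one database module is loaded, a one-line comment saying so would stop the next reader from hoisting it, otherwise the shared lines belong in a single block. Neither block grants `corenet_tcp_sendrecv_generic_if` or `corenet_tcp_sendrecv_generic_node` for the outbound connects; presumably `mysql_tcp_connect` and `postgresql_tcp_connect` cover what is needed on this policy — confirm. `allow ulogd_t self:capability net_admin;` at the top of the local policy deserves a comment naming what it is for (the nflog netlink socket declared on the next line is the likely reason).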
diff --git a/policy/modules/contrib/uml.fc b/policy/modules/contrib/uml.fc
new file mode 100644
index 00000000..b8b9520c
--- /dev/null
+++ b/policy/modules/contrib/uml.fc
@@ -0,0 +1,14 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
+
+#
+# /usr
+#
+/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
+
+#
+# /var
+#
+/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
diff --git a/policy/modules/contrib/uml.if b/policy/modules/contrib/uml.if
new file mode 100644
index 00000000..d2ab7cba
--- /dev/null
+++ b/policy/modules/contrib/uml.if
@@ -0,0 +1,99 @@
+## <summary>Policy for UML</summary>
+
+########################################
+## <summary>
+## Role access for uml
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`uml_role',`
+ gen_require(`
+ type uml_t, uml_exec_t;
+ type uml_ro_t, uml_rw_t, uml_tmp_t;
+ type uml_devpts_t, uml_tmpfs_t;
+ ')
+
+ role $1 types uml_t;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, uml_exec_t, uml_t)
+
+ # for mconsole
+ allow $2 uml_t:unix_dgram_socket sendto;
+ allow uml_t $2:unix_dgram_socket sendto;
+
+ # allow ps, ptrace, signal
+ ps_process_pattern($2, uml_t)
+ allow $2 uml_t:process { ptrace signal_perms };
+
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2, uml_ro_t, uml_ro_t)
+ read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+
+ manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
+')
+
+########################################
+## <summary>
+## Set attributes on uml utility socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_setattr_util_sockets',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ allow $1 uml_switch_var_run_t:sock_file setattr;
+')
+
+########################################
+## <summary>
+## Manage uml utility files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_manage_util_files',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+ manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+')
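Review bot: `uml_role` requires `uml_devpts_t` and `uml_tmpfs_t` but never uses them in the body, so that require line is dead; `type uml_ro_t, uml_rw_t, uml_tmp_t;` is all the body needs beyond uml_t and uml_exec_t. The read-only rules for uml_ro_t (`list_dir_perms`, `read_files_pattern`, `read_lnk_files_pattern`) are immediately superseded by the `manage_*_pattern` and `relabel_*_pattern` calls on `{ uml_ro_t uml_rw_t }`, which are then repeated for dirs and files with `uml_exec_t` added to the set; the role ends up with full manage and relabel rights over the type whose name says "ro". Either drop the read-only rules as redundant or, if the intent is that only the user role writes uml_ro_t while uml_t merely reads it, state that in a comment above the block.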
diff --git a/policy/modules/contrib/uml.te b/policy/modules/contrib/uml.te
new file mode 100644
index 00000000..ff094e52
--- /dev/null
+++ b/policy/modules/contrib/uml.te
@@ -0,0 +1,188 @@
+policy_module(uml, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type uml_t;
+type uml_exec_t;
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+userdom_user_application_domain(uml_t, uml_exec_t)
+
+type uml_ro_t;
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+userdom_user_home_content(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+userdom_user_home_content(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+userdom_user_tmp_file(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+userdom_user_tmpfs_file(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
+
+type uml_switch_t;
+type uml_switch_exec_t;
+init_daemon_domain(uml_switch_t, uml_switch_exec_t)
+
+type uml_switch_var_run_t;
+files_pid_file(uml_switch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:unix_dgram_socket create_socket_perms;
+# Use the network.
+allow uml_t self:tcp_socket create_stream_socket_perms;
+allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tun_socket create;
+# for mconsole
+allow uml_t self:unix_dgram_socket sendto;
+
+# allow the UML thing to happen
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+can_exec(uml_t, uml_tmp_t)
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+can_exec(uml_t, uml_tmpfs_t)
+
+# access config files
+allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
+read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+
+can_exec(uml_t, { uml_exec_t uml_exec_t })
+
+kernel_read_system_state(uml_t)
+# for SKAS - need something better
+kernel_write_proc_files(uml_t)
+
+# for xterm
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_udp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_generic_node(uml_t)
+corenet_udp_sendrecv_generic_node(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+corenet_udp_sendrecv_all_ports(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+# for xterm
+files_read_etc_files(uml_t)
+files_dontaudit_read_etc_runtime_files(uml_t)
+# putting uml data under /var is usual...
+files_search_var(uml_t)
+
+fs_getattr_xattr_fs(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+# for xterm
+libs_exec_lib_files(uml_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)
+
+optional_policy(`
+ nis_use_ypbind(uml_t)
+')
+
+optional_policy(`
+ virt_attach_tun_iface(uml_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uml_switch_t self:capability sys_tty_config;
+allow uml_switch_t self:process signal_perms;
+allow uml_switch_t self:unix_dgram_socket create_socket_perms;
+allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file)
+
+kernel_read_kernel_sysctls(uml_switch_t)
+kernel_list_proc(uml_switch_t)
+kernel_read_proc_symlinks(uml_switch_t)
+
+dev_read_sysfs(uml_switch_t)
+
+domain_use_interactive_fds(uml_switch_t)
+
+fs_getattr_all_fs(uml_switch_t)
+fs_search_auto_mountpoints(uml_switch_t)
+
+term_dontaudit_use_console(uml_switch_t)
+
+init_use_fds(uml_switch_t)
+init_use_script_ptys(uml_switch_t)
+
+logging_send_syslog_msg(uml_switch_t)
+
+miscfiles_read_localization(uml_switch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(uml_switch_t)
+')
+
+optional_policy(`
+ udev_read_db(uml_switch_t)
+')
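Review bot: The type sets `{ uml_ro_t uml_ro_t }` on the three config-file rules and `{ uml_exec_t uml_exec_t }` in the `can_exec` call name the same type twice, which looks like a leftover from a two-type macro expansion; write `read_files_pattern(uml_t, uml_ro_t, uml_ro_t)` and `can_exec(uml_t, uml_exec_t)` (and likewise for the dir and lnk_file rules). The second section header is also titled `# Local policy`, identical to the first; `# uml_switch local policy` tells the reader which domain the rules that follow belong to. `kernel_write_proc_files(uml_t)` with the comment "need something better" is a broad grant for a user application domain; the comment should at least name the /proc entries SKAS actually writes so the rule can be narrowed later.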
diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc
new file mode 100644
index 00000000..e534c88b
--- /dev/null
+++ b/policy/modules/contrib/updfstab.fc
@@ -0,0 +1,3 @@
+
+/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/contrib/updfstab.if b/policy/modules/contrib/updfstab.if
new file mode 100644
index 00000000..4d4b60e0
--- /dev/null
+++ b/policy/modules/contrib/updfstab.if
@@ -0,0 +1,21 @@
+## <summary>Red Hat utility to change /etc/fstab.</summary>
+
+########################################
+## <summary>
+## Execute updfstab in the updfstab domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`updfstab_domtrans',`
+ gen_require(`
+ type updfstab_t, updfstab_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, updfstab_exec_t, updfstab_t)
+')
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
new file mode 100644
index 00000000..ef12ed52
--- /dev/null
+++ b/policy/modules/contrib/updfstab.te
@@ -0,0 +1,116 @@
+policy_module(updfstab, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type updfstab_t;
+type updfstab_exec_t;
+init_system_domain(updfstab_t, updfstab_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
+allow updfstab_t self:process signal_perms;
+allow updfstab_t self:fifo_file rw_fifo_file_perms;
+
+kernel_use_fds(updfstab_t)
+kernel_read_kernel_sysctls(updfstab_t)
+kernel_dontaudit_write_kernel_sysctl(updfstab_t)
+# for /proc/partitions
+kernel_read_system_state(updfstab_t)
+# cjp: why is this required
+kernel_change_ring_buffer_level(updfstab_t)
+
+dev_read_sysfs(updfstab_t)
+dev_manage_generic_symlinks(updfstab_t)
+
+fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
+fs_search_auto_mountpoints(updfstab_t)
+
+selinux_get_fs_mount(updfstab_t)
+selinux_validate_context(updfstab_t)
+selinux_compute_access_vector(updfstab_t)
+selinux_compute_create_context(updfstab_t)
+selinux_compute_relabel_context(updfstab_t)
+selinux_compute_user_contexts(updfstab_t)
+
+storage_raw_read_fixed_disk(updfstab_t)
+storage_raw_write_fixed_disk(updfstab_t)
+storage_raw_read_removable_device(updfstab_t)
+storage_raw_write_removable_device(updfstab_t)
+storage_read_scsi_generic(updfstab_t)
+storage_write_scsi_generic(updfstab_t)
+
+term_dontaudit_use_console(updfstab_t)
+
+corecmd_exec_bin(updfstab_t)
+
+domain_use_interactive_fds(updfstab_t)
+
+files_manage_mnt_files(updfstab_t)
+files_manage_mnt_dirs(updfstab_t)
+files_manage_mnt_symlinks(updfstab_t)
+files_manage_etc_files(updfstab_t)
+files_dontaudit_search_home(updfstab_t)
+# for /etc/mtab
+files_read_etc_runtime_files(updfstab_t)
+
+init_use_fds(updfstab_t)
+init_use_script_ptys(updfstab_t)
+
+logging_send_syslog_msg(updfstab_t)
+logging_search_logs(updfstab_t)
+
+miscfiles_read_localization(updfstab_t)
+
+seutil_read_config(updfstab_t)
+seutil_read_default_contexts(updfstab_t)
+seutil_read_file_contexts(updfstab_t)
+
+userdom_dontaudit_search_user_home_content(updfstab_t)
+userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+optional_policy(`
+ auth_domtrans_pam_console(updfstab_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(updfstab_t)
+
+ dbus_system_bus_client(updfstab_t)
+')
+
+optional_policy(`
+ fstools_getattr_swap_files(updfstab_t)
+')
+
+optional_policy(`
+ hal_stream_connect(updfstab_t)
+ hal_dbus_chat(updfstab_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(updfstab_t)
+ modutils_exec_insmod(updfstab_t)
+ modutils_read_module_deps(updfstab_t)
+')
+
+optional_policy(`
+ nscd_socket_use(updfstab_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(updfstab_t)
+')
+
+optional_policy(`
+ udev_read_db(updfstab_t)
+')
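Review bot: `files_manage_etc_files(updfstab_t)` at L83951 grants create, write and unlink on every file labeled etc_t, while the module summary says the tool exists to change /etc/fstab; combined with the unconditional raw read/write on fixed disks, removable devices and SCSI generic nodes at L83935–L83940, this is a wide grant for a hotplug helper that a compromised updfstab could use to rewrite any etc_t configuration. If only fstab is modified, a narrower interface (or a dedicated type for the fstab file, if the rest of the policy supports one) would be the least-privilege choice; at minimum add a comment stating which etc_t files are written, e.g. `# rewrites /etc/fstab; manage is needed because the file is replaced, not appended`. The unresolved `# cjp: why is this required` at L83917 above `kernel_change_ring_buffer_level` should also be settled before merge: either document the reason or drop the rule and let an AVC denial prove it is needed.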
diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc
new file mode 100644
index 00000000..e30d6fc0
--- /dev/null
+++ b/policy/modules/contrib/uptime.fc
@@ -0,0 +1,6 @@
+
+/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0)
+
+/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
+/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
new file mode 100644
index 00000000..447abf76
--- /dev/null
+++ b/policy/modules/contrib/uptime.if
@@ -0,0 +1 @@
+## <summary>Uptime daemon</summary>
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
new file mode 100644
index 00000000..c2cf97e2
--- /dev/null
+++ b/policy/modules/contrib/uptime.te
@@ -0,0 +1,73 @@
+policy_module(uptime, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type uptimed_t;
+type uptimed_exec_t;
+init_daemon_domain(uptimed_t, uptimed_exec_t)
+
+type uptimed_etc_t alias etc_uptimed_t;
+files_config_file(uptimed_etc_t)
+
+type uptimed_spool_t;
+files_type(uptimed_spool_t)
+
+type uptimed_var_run_t;
+files_pid_file(uptimed_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uptimed_t self:capability sys_tty_config;
+allow uptimed_t self:process signal_perms;
+allow uptimed_t self:fifo_file write_file_perms;
+
+allow uptimed_t uptimed_etc_t:file read_file_perms;
+files_search_etc(uptimed_t)
+
+allow uptimed_t uptimed_spool_t:file manage_file_perms;
+
+manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t)
+files_pid_filetrans(uptimed_t, uptimed_var_run_t, file)
+
+manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file })
+
+kernel_read_system_state(uptimed_t)
+kernel_read_kernel_sysctls(uptimed_t)
+
+corecmd_exec_shell(uptimed_t)
+
+dev_read_sysfs(uptimed_t)
+
+domain_use_interactive_fds(uptimed_t)
+
+files_read_etc_runtime_files(uptimed_t)
+
+fs_getattr_all_fs(uptimed_t)
+fs_search_auto_mountpoints(uptimed_t)
+
+logging_send_syslog_msg(uptimed_t)
+
+miscfiles_read_localization(uptimed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
+
+optional_policy(`
+ mta_send_mail(uptimed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(uptimed_t)
+')
+
+optional_policy(`
+ udev_read_db(uptimed_t)
+')
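Review bot: The rule `allow uptimed_t uptimed_spool_t:file manage_file_perms;` at L84064 is a duplicate of `manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)` at L84070, which already grants manage on uptimed_spool_t files; drop L84064 so the spool access is stated once. Separately, `uptimed_var_run_t` is declared at L84049–L84050 and created via `files_pid_filetrans` at L84067, but uptime.fc (L84012–L84018) carries no matching /var/run entry, so the pid file is labeled only by the runtime transition and a relabel of /var/run would not restore it; add a file context for the pid file (confirm the actual path the daemon uses), e.g. `/var/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)`.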
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
new file mode 100644
index 00000000..a008efb5
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmodules.if b/policy/modules/contrib/usbmodules.if
new file mode 100644
index 00000000..b7eade34
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.if
@@ -0,0 +1,46 @@
+## <summary>List kernel modules of USB devices</summary>
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmodules_domtrans',`
+ gen_require(`
+ type usbmodules_t, usbmodules_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
+')
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain, and
+## allow the specified role the usbmodules domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usbmodules_run',`
+ gen_require(`
+ type usbmodules_t;
+ ')
+
+ usbmodules_domtrans($1)
+ role $2 types usbmodules_t;
+')
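Review bot: The summary of `usbmodules_run` at L84148–L84150 promises that the caller's terminal may be used, but the interface body only calls `usbmodules_domtrans($1)` and `role $2 types usbmodules_t;` and adds no terminal rule, so the documentation overstates what the interface grants. Either trim the summary to "Execute usbmodules in the usbmodules domain, and allow the specified role the usbmodules domain." or, if the terminal access is meant to come from this interface, add the rule here rather than relying on whatever the .te file does. `usbmodules_domtrans` also omits `corecmd_search_bin($1)`, which the sibling `updfstab_domtrans` at L83882 includes; a caller that cannot already search bin_t would fail the path lookup before the transition, so adding the same line keeps the two consistent.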
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
new file mode 100644
index 00000000..74354da7
--- /dev/null
+++ b/policy/modules/contrib/usbmodules.te
@@ -0,0 +1,47 @@
+policy_module(usbmodules, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t, usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+kernel_list_proc(usbmodules_t)
+
+files_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fds(usbmodules_t)
+
+miscfiles_read_hwdata(usbmodules_t)
+
+modutils_read_module_deps(usbmodules_t)
+
+userdom_use_user_terminals(usbmodules_t)
+
+optional_policy(`
+ hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(usbmodules_t)
+')
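Review bot: The comment at L84204, "needs etc_t read access for the hotplug config, maybe should have a new type", no longer matches the policy below it: `hotplug_read_config(usbmodules_t)` at L84219 already grants the hotplug configuration type, so the unconditional `files_read_etc_files` at L84205 is justified by something else or not at all. Update the comment to name what generic etc_t content usbmodules still reads, or remove the rule and rely on the optional hotplug block if no other etc_t file is needed. The `role system_r types usbmodules_t;` at L84188 may also be redundant if `init_system_domain` already associates the domain with system_r, as it does in the versions of this interface I am familiar with; worth confirming against the init module in this tree.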
diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc
new file mode 100644
index 00000000..40b8b8d3
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/contrib/usbmuxd.if b/policy/modules/contrib/usbmuxd.if
new file mode 100644
index 00000000..53792d33
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.if
@@ -0,0 +1,39 @@
+## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run usbmuxd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#####################################
+## <summary>
+## Connect to usbmuxd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
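Review bot: `usbmuxd_domtrans` at L84252–L84258 performs the domain transition but does not grant the caller search on the bin directories, unlike `uuidd_domtrans` in this same series (L85114), which calls `corecmd_search_bin($1)` first; a caller lacking that access would be denied the path lookup of /usr/sbin/usbmuxd before `domtrans_pattern` ever applies. Add `corecmd_search_bin($1)` before the `domtrans_pattern` line for consistency with the other domtrans interfaces here.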
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
new file mode 100644
index 00000000..4440aa68
--- /dev/null
+++ b/policy/modules/contrib/usbmuxd.te
@@ -0,0 +1,42 @@
+policy_module(usbmuxd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+role system_r types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork signal signull };
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_kernel_sysctls(usbmuxd_t)
+kernel_read_system_state(usbmuxd_t)
+
+dev_read_sysfs(usbmuxd_t)
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
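Review bot: `allow usbmuxd_t self:capability { kill setgid setuid };` at L84305 grants CAP_KILL, yet the only signal rule in the file is `self:process { fork signal signull }` at L84306 and no rule lets usbmuxd_t signal any other domain, so the capability looks unused unless the daemon signals processes of another uid after dropping privileges; if that is the case, say so in a comment next to the rule, otherwise drop `kill`. The domain is also declared with `application_domain` plus `role system_r types usbmuxd_t;` (L84294–L84295) although it ships from /usr/sbin with a /var/run pid directory like the other daemons in this series (compare uptimed at L84041); if it is started by init, `init_daemon_domain` would be the conventional declaration, and a comment should state why the application form was chosen if it was deliberate.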
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
new file mode 100644
index 00000000..e70b0e8b
--- /dev/null
+++ b/policy/modules/contrib/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/contrib/userhelper.if b/policy/modules/contrib/userhelper.if
new file mode 100644
index 00000000..65baaac6
--- /dev/null
+++ b/policy/modules/contrib/userhelper.if
@@ -0,0 +1,257 @@
+## <summary>SELinux utility to run a shell with a new role</summary>
+
+#######################################
+## <summary>
+## The role template for the userhelper module.
+## </summary>
+## <param name="userrole_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+ role $2 types $1_userhelper_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
+ allow $1_userhelper_t self:fd use;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
+ allow $1_userhelper_t self:shm create_shm_perms;
+ allow $1_userhelper_t self:sem create_sem_perms;
+ allow $1_userhelper_t self:msgq create_msgq_perms;
+ allow $1_userhelper_t self:msg { send receive };
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
+
+ can_exec($1_userhelper_t, userhelper_exec_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
+
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
+
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
+
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
+
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
+
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
+ selinux_get_fs_mount($1_userhelper_t)
+ selinux_validate_context($1_userhelper_t)
+ selinux_compute_access_vector($1_userhelper_t)
+ selinux_compute_create_context($1_userhelper_t)
+ selinux_compute_relabel_context($1_userhelper_t)
+ selinux_compute_user_contexts($1_userhelper_t)
+
+ # Read the devpts root directory.
+ term_list_ptys($1_userhelper_t)
+ # Relabel terminals.
+ term_relabel_all_ttys($1_userhelper_t)
+ term_relabel_all_ptys($1_userhelper_t)
+ # Access terminals.
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
+
+ miscfiles_read_localization($1_userhelper_t)
+
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+
+ # Allow $1_userhelper_t to transition to user domains.
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ # Allow transitioning to rpm_t, for up2date
+ rpm_domtrans($1_userhelper_t)
+ ')
+ ')
+
+ optional_policy(`
+ logging_send_syslog_msg($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Search the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to use userhelper file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+## <summary>
+## Allow domain to send sigchld to userhelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ can_exec($1, userhelper_exec_t)
+')
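Review bot: L84412–L84413 give every derived `$1_userhelper_t` domain `rw_dir_perms` on the userhelper_conf_t directory and `rw_files_pattern` on its files, which per userhelper.fc is /etc/security/console.apps, the directory that decides which programs userhelper will launch with elevated privilege; a bug in userhelper exploited from the user's session could then edit that authorization data, which is more than a helper that only consults it needs. Unless userhelper is known to rewrite its console.apps entries, narrow this to `allow $1_userhelper_t userhelper_conf_t:dir list_dir_perms;` and `read_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)`. As a smaller style point, L84395 excludes `setexec` from the self:process set only for L84396 to add it back; removing `setexec` from the negated list makes the intent readable in one line.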
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
new file mode 100644
index 00000000..f25ed61f
--- /dev/null
+++ b/policy/modules/contrib/userhelper.te
@@ -0,0 +1,14 @@
+policy_module(userhelper, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute userhelper_type;
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+application_executable_file(userhelper_exec_t)
diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc
new file mode 100644
index 00000000..aa07e1e4
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/contrib/usernetctl.if b/policy/modules/contrib/usernetctl.if
new file mode 100644
index 00000000..d45c7151
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.if
@@ -0,0 +1,45 @@
+## <summary>User network interface configuration helper</summary>
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
+')
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain, and
+## allow the specified role the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ attribute_role usernetctl_roles;
+ ')
+
+ usernetctl_domtrans($1)
+ roleattribute $2 usernetctl_roles;
+')
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
new file mode 100644
index 00000000..19c70bb1
--- /dev/null
+++ b/policy/modules/contrib/usernetctl.te
@@ -0,0 +1,90 @@
+policy_module(usernetctl, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usernetctl_roles;
+
+type usernetctl_t;
+type usernetctl_exec_t;
+application_domain(usernetctl_t, usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+role usernetctl_roles types usernetctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
+allow usernetctl_t self:shm create_shm_perms;
+allow usernetctl_t self:sem create_sem_perms;
+allow usernetctl_t self:msgq create_msgq_perms;
+allow usernetctl_t self:msg { send receive };
+allow usernetctl_t self:unix_dgram_socket create_socket_perms;
+allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket connectto;
+
+can_exec(usernetctl_t, usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_read_etc_files(usernetctl_t)
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+auth_use_nsswitch(usernetctl_t)
+
+logging_send_syslog_msg(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_read_config(usernetctl_t)
+sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+userdom_use_user_terminals(usernetctl_t)
+
+optional_policy(`
+ consoletype_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+ iptables_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ modutils_run_insmod(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ nis_use_ypbind(usernetctl_t)
+')
+
+optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+')
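Review bot: `allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` at L84711 is a negated permission set, so any process permission added to the policy class in the future is granted to this setuid helper automatically rather than by review; the same construct appears in the userhelper template but that does not make it a good default for a domain that also gets `files_exec_etc_files` (L84735) and `corecmd_exec_bin`. Enumerate the permissions usernetctl actually exercises instead (at least `signal_perms` plus whatever fork/transition access the `*_run` interfaces at L84752–L84778 rely on, which an AVC audit of a test run would confirm), and add a comment explaining why dac_override at L84710 is needed for a tool that already runs setuid root.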
diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc
new file mode 100644
index 00000000..e1c0d8d8
--- /dev/null
+++ b/policy/modules/contrib/uucp.fc
@@ -0,0 +1,11 @@
+
+/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+
+/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
+/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
new file mode 100644
index 00000000..ebc5414f
--- /dev/null
+++ b/policy/modules/contrib/uucp.if
@@ -0,0 +1,120 @@
+## <summary>Unix to Unix Copy</summary>
+
+########################################
+## <summary>
+## Execute the uucico program in the
+## uucpd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans',`
+ gen_require(`
+ type uucpd_t, uucpd_exec_t;
+ ')
+
+ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## to uucp log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_append_log',`
+ gen_require(`
+ type uucpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, uucpd_log_t, uucpd_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete uucp spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uucp_manage_spool',`
+ gen_require(`
+ type uucpd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+')
+
+########################################
+## <summary>
+## Execute the master uux program in the
+## uux_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uucp_domtrans_uux',`
+ gen_require(`
+ type uux_t, uux_exec_t;
+ ')
+
+ domtrans_pattern($1, uux_exec_t, uux_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an uucp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+ type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+ type uucpd_var_run_t;
+ ')
+
+ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, uucpd_spool_t)
+
+ admin_pattern($1, uucpd_ro_t)
+
+ admin_pattern($1, uucpd_rw_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, uucpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, uucpd_var_run_t)
+')
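Review bot: `uucp_admin` at L84897–L84922 leaves out two types this module defines: `uucpd_lock_t` (declared in uucp.te at L84939–L84940 and managed by the daemon) gets no `admin_pattern`, and the `uux_t` domain gets no process access, so an administrator granted this interface cannot clean up stale lock files or inspect and signal a stuck uux. Extend the gen_require with `type uucpd_lock_t, uux_t;` and add `files_search_locks($1)` followed by `admin_pattern($1, uucpd_lock_t)`, plus `allow $1 uux_t:process { ptrace signal_perms };` and `ps_process_pattern($1, uux_t)` alongside the existing uucpd_t rules. Whether ptrace belongs in an admin interface at all is a separate policy question for the tree, but if it stays for uucpd_t it should cover uux_t too.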
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
new file mode 100644
index 00000000..d4349e90
--- /dev/null
+++ b/policy/modules/contrib/uucp.te
@@ -0,0 +1,149 @@
+policy_module(uucp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type uucpd_t;
+type uucpd_exec_t;
+inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
+type uucpd_tmp_t;
+files_tmp_file(uucpd_tmp_t)
+
+type uucpd_var_run_t;
+files_pid_file(uucpd_var_run_t)
+
+type uucpd_rw_t;
+files_type(uucpd_rw_t)
+
+type uucpd_ro_t;
+files_type(uucpd_ro_t)
+
+type uucpd_spool_t;
+files_type(uucpd_spool_t)
+
+type uucpd_log_t;
+logging_log_file(uucpd_log_t)
+
+type uux_t;
+type uux_exec_t;
+application_domain(uux_t, uux_exec_t)
+role system_r types uux_t;
+
+########################################
+#
+# UUCPd Local policy
+#
+allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:process signal_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
+allow uucpd_t self:tcp_socket connected_stream_socket_perms;
+allow uucpd_t self:udp_socket create_socket_perms;
+allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow uucpd_t uucpd_log_t:dir setattr;
+manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir })
+
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+
+uucp_manage_spool(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+files_search_locks(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+
+manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t)
+files_pid_filetrans(uucpd_t, uucpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(uucpd_t)
+kernel_read_system_state(uucpd_t)
+kernel_read_network_state(uucpd_t)
+
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
+corenet_tcp_sendrecv_generic_if(uucpd_t)
+corenet_udp_sendrecv_generic_if(uucpd_t)
+corenet_tcp_sendrecv_generic_node(uucpd_t)
+corenet_udp_sendrecv_generic_node(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
+corenet_tcp_connect_ssh_port(uucpd_t)
+
+dev_read_urand(uucpd_t)
+
+fs_getattr_xattr_fs(uucpd_t)
+
+corecmd_exec_bin(uucpd_t)
+corecmd_exec_shell(uucpd_t)
+
+files_read_etc_files(uucpd_t)
+files_search_home(uucpd_t)
+files_search_spool(uucpd_t)
+
+term_setattr_controlling_term(uucpd_t)
+
+auth_use_nsswitch(uucpd_t)
+
+logging_send_syslog_msg(uucpd_t)
+
+miscfiles_read_localization(uucpd_t)
+
+mta_send_mail(uucpd_t)
+
+optional_policy(`
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(uucpd_t)
+')
+
+optional_policy(`
+ ssh_exec(uucpd_t)
+')
+
+########################################
+#
+# UUX Local policy
+#
+
+allow uux_t self:capability { setuid setgid };
+allow uux_t self:fifo_file write_fifo_file_perms;
+
+uucp_append_log(uux_t)
+uucp_manage_spool(uux_t)
+
+corecmd_exec_bin(uux_t)
+
+files_read_etc_files(uux_t)
+
+fs_rw_anon_inodefs_files(uux_t)
+
+logging_send_syslog_msg(uux_t)
+
+miscfiles_read_localization(uux_t)
+
+optional_policy(`
+ mta_send_mail(uux_t)
+ mta_read_queue(uux_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
+')
+
+optional_policy(`
+ nscd_socket_use(uux_t)
+')
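Review bot: `mta_send_mail(uucpd_t)` at L85034 is called unconditionally while the same interface for uux_t at L85070 is wrapped in `optional_policy(...)`; if the mta module is optional, as the second call assumes, the first call breaks the build when mta is absent, and if it is not optional the wrapper at L85069–L85073 is misleading. Make the two consistent by moving L85034 into its own `optional_policy(` block with `mta_send_mail(uucpd_t)`. The network grant is also broad for an inetd service that, per L85013 and L85045, talks over ssh: `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` at L85011–L85012 allow traffic on every labeled port, and a comment should state which protocols beyond ssh uucico needs before that stays.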
diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc
new file mode 100644
index 00000000..a7c93816
--- /dev/null
+++ b/policy/modules/contrib/uuidd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
+/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
+
+/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
new file mode 100644
index 00000000..5d43bd56
--- /dev/null
+++ b/policy/modules/contrib/uuidd.if
@@ -0,0 +1,190 @@
+## <summary>policy for uuidd</summary>
+
+########################################
+## <summary>
+## Transition to uuidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uuidd_domtrans',`
+ gen_require(`
+ type uuidd_t, uuidd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uuidd_exec_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## Execute uuidd server in the uuidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_initrc_domtrans',`
+ gen_require(`
+ type uuidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_search_lib',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_files',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage uuidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_manage_lib_dirs',`
+ gen_require(`
+ type uuidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read uuidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_read_pid_files',`
+ gen_require(`
+ type uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 uuidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to uuidd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uuidd_stream_connect_manager',`
+ gen_require(`
+ type uuidd_t, uuidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an uuidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uuidd_admin',`
+ gen_require(`
+ type uuidd_t, uuidd_initrc_exec_t;
+ type uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_t:process signal_perms;
+ ps_process_pattern($1, uuidd_t)
+
+ uuidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 uuidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, uuidd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, uuidd_var_run_t)
+')
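Review bot: `uuidd_read_pid_files` grants `files_search_pids($1)` plus file read on uuidd_var_run_t, but uuidd.fc in this commit labels the whole `/var/run/uuidd(/.*)?` directory as uuidd_var_run_t, so a caller still lacks search on that directory and cannot reach the PID file; `read_files_pattern($1, uuidd_var_run_t, uuidd_var_run_t)` grants the dir search as well. The same shape appears in `vdagent_read_pid_files` in vdagent.if, where `/var/run/spice-vdagentd(/.*)?` is likewise labelled with the pid type. `uuidd_stream_connect_manager` already uses the pattern form and is unaffected; its summary would read better as "Connect to uuidd over a unix stream socket."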
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
new file mode 100644
index 00000000..04589dc0
--- /dev/null
+++ b/policy/modules/contrib/uuidd.te
@@ -0,0 +1,44 @@
+policy_module(uuidd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type uuidd_t;
+type uuidd_exec_t;
+init_daemon_domain(uuidd_t, uuidd_exec_t)
+
+type uuidd_initrc_exec_t;
+init_script_file(uuidd_initrc_exec_t)
+
+type uuidd_var_lib_t;
+files_type(uuidd_var_lib_t)
+
+type uuidd_var_run_t;
+files_pid_file(uuidd_var_run_t)
+
+########################################
+#
+# uuidd local policy
+#
+allow uuidd_t self:capability setuid;
+allow uuidd_t self:process signal;
+allow uuidd_t self:fifo_file rw_fifo_file_perms;
+allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
+allow uuidd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
+
+manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
+
+dev_read_urand(uuidd_t)
+
+domain_use_interactive_fds(uuidd_t)
+
+files_read_etc_files(uuidd_t)
+
+miscfiles_read_localization(uuidd_t)
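Review bot: uuidd_t may create dirs, files and sock files of type uuidd_var_lib_t and uuidd_var_run_t, but no `files_pid_filetrans` or `files_var_lib_filetrans` rule is present, so a `/var/run/uuidd` or `/var/lib/libuuid` directory created by the daemon itself would inherit the parent's generic type instead of the types declared above. `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })` would match what vdagent.te and varnishd.te in this commit do. This only matters if the daemon creates those directories at startup rather than packaging creating them pre-labelled — confirm against the uuidd init script.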
diff --git a/policy/modules/contrib/uwimap.fc b/policy/modules/contrib/uwimap.fc
new file mode 100644
index 00000000..43bdef0c
--- /dev/null
+++ b/policy/modules/contrib/uwimap.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
diff --git a/policy/modules/contrib/uwimap.if b/policy/modules/contrib/uwimap.if
new file mode 100644
index 00000000..83376844
--- /dev/null
+++ b/policy/modules/contrib/uwimap.if
@@ -0,0 +1,20 @@
+## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
+
+########################################
+## <summary>
+## Execute the UW IMAP/POP3 servers with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uwimap_domtrans',`
+ gen_require(`
+ type imapd_t, imapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, imapd_exec_t, imapd_t)
+')
diff --git a/policy/modules/contrib/uwimap.te b/policy/modules/contrib/uwimap.te
new file mode 100644
index 00000000..46d98116
--- /dev/null
+++ b/policy/modules/contrib/uwimap.te
@@ -0,0 +1,98 @@
+policy_module(uwimap, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type imapd_t;
+type imapd_exec_t;
+init_daemon_domain(imapd_t, imapd_exec_t)
+
+type imapd_tmp_t;
+files_tmp_file(imapd_tmp_t)
+
+type imapd_var_run_t;
+files_pid_file(imapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit imapd_t self:capability sys_tty_config;
+allow imapd_t self:process signal_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
+allow imapd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
+
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
+
+kernel_read_kernel_sysctls(imapd_t)
+kernel_list_proc(imapd_t)
+kernel_read_proc_symlinks(imapd_t)
+
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
+corenet_tcp_sendrecv_generic_if(imapd_t)
+corenet_tcp_sendrecv_generic_node(imapd_t)
+corenet_tcp_sendrecv_all_ports(imapd_t)
+corenet_tcp_bind_generic_node(imapd_t)
+corenet_tcp_bind_pop_port(imapd_t)
+corenet_tcp_connect_all_ports(imapd_t)
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_sendrecv_all_client_packets(imapd_t)
+
+dev_read_sysfs(imapd_t)
+#urandom, for ssl
+dev_read_rand(imapd_t)
+dev_read_urand(imapd_t)
+
+domain_use_interactive_fds(imapd_t)
+
+#read /etc/ for hostname nsswitch.conf
+files_read_etc_files(imapd_t)
+
+fs_getattr_all_fs(imapd_t)
+fs_search_auto_mountpoints(imapd_t)
+
+auth_domtrans_chk_passwd(imapd_t)
+
+logging_send_syslog_msg(imapd_t)
+
+miscfiles_read_localization(imapd_t)
+
+sysnet_read_config(imapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+# cjp: this is excessive, should be limited to the
+# mail directories
+userdom_manage_user_home_content_dirs(imapd_t)
+userdom_manage_user_home_content_files(imapd_t)
+userdom_manage_user_home_content_symlinks(imapd_t)
+userdom_manage_user_home_content_pipes(imapd_t)
+userdom_manage_user_home_content_sockets(imapd_t)
+userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file })
+
+mta_rw_spool(imapd_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imapd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(imapd_t)
+')
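Review bot: `corenet_tcp_connect_all_ports(imapd_t)` together with `corenet_sendrecv_all_client_packets(imapd_t)` lets a network-facing server that parses untrusted client input open outbound TCP to any port, which is a wide default grant; the visible rules do not show which backend needs it, so if it is a specific service a port-specific interface, or a tunable in the style of `varnishd_connect_any` in this commit, would keep the default narrower. The existing `# cjp:` note already flags the home-directory rules as excessive; a similar one-line comment above the connect rule stating what the outbound access is for would let a later reviewer tighten it safely.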
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
new file mode 100644
index 00000000..194d123c
--- /dev/null
+++ b/policy/modules/contrib/varnishd.fc
@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+
+/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+
+/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+
+/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
+
+/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0)
+
+/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
+
+/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
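Review bot: `/usr/bin/varnisncsa` on the second varnishlog binary line looks like a typo for `varnishncsa` — the init-script entry above and the pid-file entry below both spell it `varnishncsa` — so the binary would not receive varnishlog_exec_t and would not transition into varnishlog_t when started. Suggested line: `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`.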
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
new file mode 100644
index 00000000..93975d6d
--- /dev/null
+++ b/policy/modules/contrib/varnishd.if
@@ -0,0 +1,216 @@
+## <summary>Varnishd http accelerator daemon</summary>
+
+#######################################
+## <summary>
+## Execute varnishd in the varnishd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`varnishd_domtrans',`
+ gen_require(`
+ type varnishd_t, varnishd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, varnishd_exec_t, varnishd_t)
+')
+
+#######################################
+## <summary>
+## Execute varnishd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_exec',`
+ gen_require(`
+ type varnishd_exec_t;
+ ')
+
+ can_exec($1, varnishd_exec_t)
+')
+
+######################################
+## <summary>
+## Read varnishd configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_config',`
+ gen_require(`
+ type varnishd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
+')
+
+#####################################
+## <summary>
+## Read varnish lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
+ gen_require(`
+ type varnishd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## Append varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_append_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+#####################################
+## <summary>
+## Manage varnish logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_manage_log',`
+ gen_require(`
+ type varnishlog_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an varnishlog environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the varnishlog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin_varnishlog',`
+ gen_require(`
+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+ type varnishlog_var_run_t;
+ ')
+
+ allow $1 varnishlog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishlog_t)
+
+ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 varnishlog_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, varnishlog_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, varnishlog_log_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an varnishd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the varnishd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin',`
+ gen_require(`
+ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
+ type varnishd_var_run_t, varnishd_tmp_t;
+ type varnishd_initrc_exec_t;
+ ')
+
+ allow $1 varnishd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, varnishd_t)
+
+ init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 varnishd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, varnishd_var_lib_t)
+
+ files_list_etc($1)
+ admin_pattern($1, varnishd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, varnishd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, varnishd_tmp_t)
+')
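Review bot: `varnishd_admin` and `varnishd_admin_varnishlog` grant the admin domain `ptrace` on the daemons (`allow $1 varnishd_t:process { ptrace signal_perms };` and the varnishlog equivalent), whereas `uuidd_admin` and `vdagent_admin` in the same commit grant only `signal_perms`. ptrace permits reading the daemon's memory, which for varnishd includes cached HTTP content, so unless the admin role is meant to attach a debugger `allow $1 varnishd_t:process signal_perms;` keeps the admin interfaces consistent and tighter. The summaries also say "an varnishlog environment" and "an varnishd environment"; "a" is meant.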
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
new file mode 100644
index 00000000..f9310f3a
--- /dev/null
+++ b/policy/modules/contrib/varnishd.te
@@ -0,0 +1,118 @@
+policy_module(varnishd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow varnishd to connect to all ports,
+## not just HTTP.
+## </p>
+## </desc>
+gen_tunable(varnishd_connect_any, false)
+
+type varnishd_t;
+type varnishd_exec_t;
+init_daemon_domain(varnishd_t, varnishd_exec_t)
+
+type varnishd_initrc_exec_t;
+init_script_file(varnishd_initrc_exec_t)
+
+type varnishd_etc_t;
+files_type(varnishd_etc_t)
+
+type varnishd_tmp_t;
+files_tmp_file(varnishd_tmp_t)
+
+type varnishd_var_lib_t;
+files_type(varnishd_var_lib_t)
+
+type varnishd_var_run_t;
+files_pid_file(varnishd_var_run_t)
+
+type varnishlog_t;
+type varnishlog_exec_t;
+init_daemon_domain(varnishlog_t, varnishlog_exec_t)
+
+type varnishlog_initrc_exec_t;
+init_script_file(varnishlog_initrc_exec_t)
+
+type varnishlog_var_run_t;
+files_pid_file(varnishlog_var_run_t)
+
+type varnishlog_log_t;
+files_type(varnishlog_log_t)
+
+########################################
+#
+# varnishd local policy
+#
+
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+dontaudit varnishd_t self:capability sys_tty_config;
+allow varnishd_t self:process signal;
+allow varnishd_t self:fifo_file rw_fifo_file_perms;
+allow varnishd_t self:tcp_socket create_stream_socket_perms;
+allow varnishd_t self:udp_socket create_socket_perms;
+
+read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+
+manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
+
+exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
+
+manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
+files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
+
+kernel_read_system_state(varnishd_t)
+
+corecmd_exec_bin(varnishd_t)
+corecmd_exec_shell(varnishd_t)
+
+corenet_tcp_sendrecv_generic_if(varnishd_t)
+corenet_tcp_bind_generic_node(varnishd_t)
+corenet_tcp_bind_http_port(varnishd_t)
+corenet_tcp_bind_http_cache_port(varnishd_t)
+corenet_tcp_bind_varnishd_port(varnishd_t)
+corenet_tcp_connect_http_cache_port(varnishd_t)
+corenet_tcp_connect_http_port(varnishd_t)
+
+dev_read_urand(varnishd_t)
+
+fs_getattr_all_fs(varnishd_t)
+
+auth_use_nsswitch(varnishd_t)
+
+logging_send_syslog_msg(varnishd_t)
+
+miscfiles_read_localization(varnishd_t)
+
+sysnet_read_config(varnishd_t)
+
+tunable_policy(`varnishd_connect_any',`
+ corenet_tcp_connect_all_ports(varnishd_t)
+ corenet_tcp_bind_all_ports(varnishd_t)
+')
+
+#######################################
+#
+# varnishlog local policy
+#
+
+manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+
+manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
+
+files_search_var_lib(varnishlog_t)
+read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
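Review bot: the `varnishd_connect_any` tunable is described at the top of the file as allowing varnishd to connect to all ports, but the `tunable_policy` block also grants `corenet_tcp_bind_all_ports(varnishd_t)`, a listen-side privilege the description never mentions; either drop the bind line or extend the desc to `## Allow varnishd to connect to, and bind, all ports, not just HTTP.` The varnishlog_t section also lacks the `files_read_etc_files`, `miscfiles_read_localization` and `logging_send_syslog_msg` rules every other daemon domain in this commit receives — presumably deliberate if it was built from audit data, but a comment saying so would prevent them being added reflexively later.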
diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc
new file mode 100644
index 00000000..d00970f1
--- /dev/null
+++ b/policy/modules/contrib/vbetool.fc
@@ -0,0 +1 @@
+/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/contrib/vbetool.if b/policy/modules/contrib/vbetool.if
new file mode 100644
index 00000000..f46ab176
--- /dev/null
+++ b/policy/modules/contrib/vbetool.if
@@ -0,0 +1,45 @@
+## <summary>run real-mode video BIOS code to alter hardware state</summary>
+
+########################################
+## <summary>
+## Execute vbetool application in the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vbetool_domtrans',`
+ gen_require(`
+ type vbetool_t, vbetool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vbetool_exec_t, vbetool_t)
+')
+
+########################################
+## <summary>
+## Execute vbetool in the vbetool domain, and
+## allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`vbetool_run',`
+ gen_require(`
+ type vbetool_t;
+ ')
+
+ vbetool_domtrans($1)
+ role $2 types vbetool_t;
+')
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
new file mode 100644
index 00000000..001c93c7
--- /dev/null
+++ b/policy/modules/contrib/vbetool.te
@@ -0,0 +1,51 @@
+policy_module(vbetool, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t, vbetool_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero(vbetool_t)
+dev_rw_sysfs(vbetool_t)
+dev_rw_xserver_misc(vbetool_t)
+dev_rw_mtrr(vbetool_t)
+
+domain_mmap_low(vbetool_t)
+
+mls_file_read_all_levels(vbetool_t)
+mls_file_write_all_levels(vbetool_t)
+
+term_use_unallocated_ttys(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_rw_pid_files(vbetool_t)
+ hal_write_log(vbetool_t)
+ hal_dontaudit_append_lib_files(vbetool_t)
+')
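Review bot: the `vbetool_mmap_zero_ignore` description says only "Ignore vbetool mmap_zero errors" and does not explain how it relates to `domain_mmap_low(vbetool_t)` below, which appears to be the rule that actually permits the low mapping (presumably gated by a separate global tunable — confirm). A sentence in the desc such as `## Silence mmap_zero denials from vbetool when low memory mapping is not otherwise permitted.` would spare the next reader the guess. Since the domain also gets `dev_wx_raw_memory`, `dev_rwx_zero` and `execmem`, a one-line comment above the local policy stating that these are inherent to running real-mode video BIOS code would document why the breadth is accepted.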
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
new file mode 100644
index 00000000..21c5f418
--- /dev/null
+++ b/policy/modules/contrib/vdagent.fc
@@ -0,0 +1,7 @@
+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
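Review bot: `/var/run/spice-vdagentd.\pid` has the backslash on the wrong side of the dot — the log entry two lines up correctly uses `\.log` — so depending on the regex engine the entry either matches any character before `pid` or, with PCRE, fails to compile because a bare `\p` is rejected, which would break labelling of the whole file. Intended line: `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`.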
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
new file mode 100644
index 00000000..e59a0745
--- /dev/null
+++ b/policy/modules/contrib/vdagent.if
@@ -0,0 +1,124 @@
+## <summary>policy for vdagent</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vdagent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_domtrans',`
+ gen_require(`
+ type vdagent_t, vdagent_exec_t;
+ ')
+
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
+#####################################
+## <summary>
+## Getattr on vdagent executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec_files',`
+ gen_require(`
+ type vdagent_exec_t;
+ ')
+
+ allow $1 vdagent_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Get the attributes of vdagent logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_getattr_log',`
+ gen_require(`
+ type vdagent_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 vdagent_log_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Read vdagent PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_read_pid_files',`
+ gen_require(`
+ type vdagent_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vdagent_var_run_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Connect to vdagent over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vdagent_stream_connect',`
+ gen_require(`
+ type vdagent_var_run_t, vdagent_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vdagent environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vdagent_admin',`
+ gen_require(`
+ type vdagent_t, vdagent_var_run_t;
+ ')
+
+ allow $1 vdagent_t:process signal_perms;
+ ps_process_pattern($1, vdagent_t)
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
+')
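Review bot: `vdagent_admin` covers only the process and PID-file types, yet vdagent.te in this commit also declares vdagent_log_t for `/var/log/spice-vdagentd`, so an admin role using this interface cannot manage the daemon's logs. Adding `vdagent_log_t` to the gen_require plus `logging_list_logs($1)` and `admin_pattern($1, vdagent_log_t)` follows the pattern of `varnishd_admin_varnishlog`. The `<rolecap/>`-bearing summary also says "an vdagent environment"; "a" is meant.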
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
new file mode 100644
index 00000000..29e24e28
--- /dev/null
+++ b/policy/modules/contrib/vdagent.te
@@ -0,0 +1,51 @@
+policy_module(vdagent, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vdagent_t;
+type vdagent_exec_t;
+init_daemon_domain(vdagent_t, vdagent_exec_t)
+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
+type vdagent_log_t;
+logging_log_file(vdagent_log_t)
+
+########################################
+#
+# vdagent local policy
+#
+
+dontaudit vdagent_t self:capability sys_admin;
+
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+
+dev_rw_input_dev(vdagent_t)
+dev_read_sysfs(vdagent_t)
+dev_dontaudit_write_mtrr(vdagent_t)
+
+files_read_etc_files(vdagent_t)
+
+miscfiles_read_localization(vdagent_t)
+
+optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+')
diff --git a/policy/modules/contrib/vde.fc b/policy/modules/contrib/vde.fc
new file mode 100644
index 00000000..ab984b06
--- /dev/null
+++ b/policy/modules/contrib/vde.fc
@@ -0,0 +1,5 @@
+/etc/init.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)
+/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0)
+/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0)
+/var/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0)
+/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)
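Review bot: `/etc/init.d/vde` and `/tmp/vde.[0-9-]*` leave the dots unescaped, while the other new fc files (uuidd.fc, varnishd.fc) write `init\.d` and `\.pid`; an unescaped `.` matches any character, so these entries are looser than intended and inconsistent in style. vhostmd.fc in this commit has the same issue on `/etc/rc.d/init.d/vhostmd` and `/var/run/vhostmd.pid`. Suggested: `/etc/init\.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)` and `/tmp/vde\.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)`.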
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
new file mode 100644
index 00000000..c5c71b03
--- /dev/null
+++ b/policy/modules/contrib/vde.if
@@ -0,0 +1,65 @@
+## <summary>Virtual Distributed Ethernet switch service</summary>
+
+########################################
+## <summary>
+# The rules needed to manage the VDE switches
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the vde domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_role',`
+ gen_require(`
+ type vde_t, vde_tmp_t;
+ type vde_var_run_t;
+ type vde_initrc_exec_t, vde_exec_t;
+ ')
+
+ role $1 types vde_t;
+
+ allow $2 vde_t:process { ptrace signal_perms };
+ allow vde_t $2:process { sigchld signull };
+ allow vde_t $2:fd use;
+ allow vde_t $2:tun_socket { relabelfrom };
+ allow vde_t self:tun_socket { relabelfrom relabelto };
+ ps_process_pattern($2, vde_t)
+
+ domain_auto_trans($2, vde_exec_t, vde_t)
+')
+
+########################################
+## <summary>
+# Allow communication with the VDE service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_connect',`
+ gen_require(`
+ type vde_t, vde_var_run_t, vde_tmp_t;
+ ')
+
+ allow $1 vde_var_run_t:sock_file write_sock_file_perms;
+ allow $1 vde_t:unix_stream_socket { connectto };
+ allow $1 vde_t:unix_dgram_socket { sendto };
+ allow vde_t $1:unix_dgram_socket { sendto };
+
+ allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans($1, vde_tmp_t, sock_file)
+
+ tunable_policy(`gentoo_try_dontaudit',`
+ dontaudit $1 vde_var_run_t:sock_file { setattr };
+ ')
+')
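Review bot: the summary bodies of both interfaces are written with a single `#` (`# The rules needed to manage the VDE switches`, `# Allow communication with the VDE service`) between `## <summary>` and `## </summary>`, so the documentation extractor sees an empty summary; they should be `## The rules needed to manage the VDE switches` and `## Allow communication with the VDE service`. `vde_role` also requires `vde_tmp_t`, `vde_var_run_t` and `vde_initrc_exec_t` without using them, and uses `domain_auto_trans` where every other interface in this commit uses `domtrans_pattern`. `vde_connect` references a `gentoo_try_dontaudit` tunable that this module does not declare, so the module will only build where the base policy provides it — presumably the case on the target distribution, but a comment noting the dependency would help.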
diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te
new file mode 100644
index 00000000..3b894916
--- /dev/null
+++ b/policy/modules/contrib/vde.te
@@ -0,0 +1,49 @@
+policy_module(vde, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vde_t;
+type vde_exec_t;
+init_daemon_domain(vde_t, vde_exec_t)
+
+type vde_initrc_exec_t;
+init_script_file(vde_initrc_exec_t)
+
+type vde_var_lib_t;
+files_type(vde_var_lib_t)
+
+type vde_var_run_t;
+files_pid_file(vde_var_run_t)
+
+type vde_tmp_t;
+files_tmp_file(vde_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vde_t self:process { signal_perms getcap setcap };
+allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
+
+allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
+allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vde_t self:unix_dgram_socket create_socket_perms;
+files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
+
+manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
+
+files_read_etc_files(vde_t)
+
+domain_use_interactive_fds(vde_t)
+userdom_use_user_terminals(vde_t)
+miscfiles_read_localization(vde_t)
+corenet_rw_tun_tap_dev(vde_t)
+
+logging_send_syslog_msg(vde_t)
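Review bot: `files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })` lists `unix_dgram_socket`, which is a socket class rather than a filesystem object class; the type_transition this generates has the pid directory type as its target, which socket creation never matches, so the entry looks dead (the socket node on disk is already covered by `sock_file`) and `{ dir file sock_file }` as used in vdagent.te is what is meant — confirm. `vde_var_lib_t` is declared but never referenced by a rule here or by vde.fc, so the type is unused unless a later change picks it up. The module version `0.0.1` also differs from every other new module here, which start at 1.0.0 or higher; likely intentional for a first import, but worth a check.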
diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
new file mode 100644
index 00000000..c1fb3292
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.fc
@@ -0,0 +1,5 @@
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
new file mode 100644
index 00000000..1f872b5e
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.if
@@ -0,0 +1,224 @@
+## <summary>Virtual host metrics daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vhostmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_domtrans',`
+ gen_require(`
+ type vhostmd_t, vhostmd_exec_t;
+ ')
+
+ domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
+')
+
+########################################
+## <summary>
+## Execute vhostmd server in the vhostmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_initrc_domtrans',`
+ gen_require(`
+ type vhostmd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read, vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to read and write vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_rw_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Read vhostmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vhostmd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage vhostmd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to vhostmd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_stream_connect',`
+ gen_require(`
+ type vhostmd_t, vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit read and write to vhostmd
+## over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_rw_stream_connect',`
+ gen_require(`
+ type vhostmd_t;
+ ')
+
+ dontaudit $1 vhostmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vhostmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vhostmd_admin',`
+ gen_require(`
+ type vhostmd_t, vhostmd_initrc_exec_t;
+ ')
+
+ allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, vhostmd_t)
+
+ vhostmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 vhostmd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ vhostmd_manage_tmpfs_files($1)
+
+ vhostmd_manage_pid_files($1)
+
+')
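Review bot: `vhostmd_manage_pid_files` grants `manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)` without the `files_search_pids($1)` that `vhostmd_read_pid_files` and `vhostmd_stream_connect` both include, so a caller with no other search access to /var/run cannot actually reach the files; add `files_search_pids($1)` before the pattern. The summary on `vhostmd_initrc_domtrans` reads `Execute vhostmd server in the vhostmd domain`, but the body transitions through `vhostmd_initrc_exec_t` via `init_labeled_script_domtrans`, so it should say `Execute the vhostmd init script in the initrc domain.` `vhostmd_admin` grants `ptrace` on `vhostmd_t`, matching `virt_admin` in this commit; it is worth remembering that this lets the admin domain read the daemon's memory. The stray blank line before the closing `')` in `vhostmd_admin` can be dropped.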
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
new file mode 100644
index 00000000..32a3c135
--- /dev/null
+++ b/policy/modules/contrib/vhostmd.te
@@ -0,0 +1,76 @@
+policy_module(vhostmd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vhostmd_t;
+type vhostmd_exec_t;
+init_daemon_domain(vhostmd_t, vhostmd_exec_t)
+
+type vhostmd_initrc_exec_t;
+init_script_file(vhostmd_initrc_exec_t)
+
+type vhostmd_tmpfs_t;
+files_tmpfs_file(vhostmd_tmpfs_t)
+
+type vhostmd_var_run_t;
+files_pid_file(vhostmd_var_run_t)
+
+########################################
+#
+# vhostmd local policy
+#
+
+allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:process { setsched getsched };
+allow vhostmd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
+
+manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+
+kernel_read_system_state(vhostmd_t)
+kernel_read_network_state(vhostmd_t)
+kernel_write_xen_state(vhostmd_t)
+
+corecmd_exec_bin(vhostmd_t)
+corecmd_exec_shell(vhostmd_t)
+
+corenet_tcp_connect_soundd_port(vhostmd_t)
+
+files_read_etc_files(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+
+dev_read_sysfs(vhostmd_t)
+
+auth_use_nsswitch(vhostmd_t)
+
+logging_send_syslog_msg(vhostmd_t)
+
+miscfiles_read_localization(vhostmd_t)
+
+optional_policy(`
+ hostname_exec(vhostmd_t)
+')
+
+optional_policy(`
+ rpm_exec(vhostmd_t)
+ rpm_read_db(vhostmd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(vhostmd_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(vhostmd_t)
+ xen_stream_connect(vhostmd_t)
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
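Review bot: `kernel_write_xen_state(vhostmd_t)` is granted unconditionally while every other Xen-related access for this domain sits inside the `optional_policy` block at the end of the hunk, and no `kernel_read_xen_state` accompanies it; consider moving it into that block next to `xen_stream_connect_xenstore` and pairing it with the read interface, as virt.te in this commit does for `virtd_t`. `corenet_tcp_connect_soundd_port(vhostmd_t)` carries no comment saying why a host-metrics daemon needs the sound daemon port; if it was carried over from the virt policy it should be dropped, otherwise a one-line `# soundd port: <reason>` comment is warranted. The combination of `corecmd_exec_bin`, `corecmd_exec_shell` and `rpm_exec` means whatever metric commands vhostmd's configuration names will run in `vhostmd_t` with `dac_override setuid setgid`; that is presumably by design but deserves a comment on the capability line.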
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
new file mode 100644
index 00000000..2124b6ad
--- /dev/null
+++ b/policy/modules/contrib/virt.fc
@@ -0,0 +1,29 @@
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
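Review bot: `HOME_DIR/VirtualMachines(/.*)?` is labelled `virt_image_t`, but in virt.te only `virt_content_t` is registered as user home content (`userdom_user_home_content(virt_content_t)`), so image files under a user's home receive a type the user-domain home-content interfaces do not cover; either label that directory with a home-aware type or add the `userdom_user_home_content` registration for `virt_image_t` in virt.te. `/var/vdsm(/.*)?` is typed `virt_var_run_t`, a `files_pid_file` type, even though the path is not under /var/run; if vdsm keeps persistent state there a `virt_var_lib_t` label would be the more honest fit — worth confirming against what vdsm actually writes there.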
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
new file mode 100644
index 00000000..7c5d8d82
--- /dev/null
+++ b/policy/modules/contrib/virt.if
@@ -0,0 +1,518 @@
+## <summary>Libvirt virtualization API</summary>
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_domain_template',`
+ gen_require(`
+ type virtd_t;
+ attribute virt_image_type;
+ attribute virt_domain;
+ ')
+
+ type $1_t, virt_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ role system_r types $1_t;
+
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_image_t, virt_image_type;
+ files_type($1_image_t)
+ dev_node($1_image_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virt image
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virtual image
+## </summary>
+## </param>
+#
+interface(`virt_image',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ typeattribute $1 virt_image_type;
+ files_type($1)
+
+ # virt images can be assigned to blk devices
+ dev_node($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run virt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans',`
+ gen_require(`
+ type virtd_t, virtd_exec_t;
+ ')
+
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+')
+
+#######################################
+## <summary>
+## Connect to virt over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect',`
+ gen_require(`
+ type virtd_t, virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## manage virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_content_t:dir list_dir_perms;
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read virt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Search virt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_lib',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_svirt_cache',`
+ gen_require(`
+ type svirt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an virt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_admin',`
+ gen_require(`
+ type virtd_t, virtd_initrc_exec_t;
+ ')
+
+ allow $1 virtd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, virtd_t)
+
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 virtd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ virt_manage_pid_files($1)
+
+ virt_manage_lib_files($1)
+
+ virt_manage_log($1)
+')
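Review bot: In `virt_manage_images`, the `virt_use_samba` branch calls `fs_manage_cifs_files($1)` twice; compared with the `virt_use_nfs` branch directly above (`fs_manage_nfs_dirs` then `fs_manage_nfs_files`), the first call should be `fs_manage_cifs_dirs($1)`, so callers currently cannot create or remove CIFS-backed image directories. The summary on `virt_read_content` says `Allow domain to manage virt image files` but the body only grants list/read on `virt_content_t`; it should read `Read virt content (ISO and boot) files.` `virt_admin` grants `ptrace` on `virtd_t`, a domain that per virt.te holds `sys_ptrace`, `sys_admin` and raw fixed-disk access; that is the usual admin pattern, but it means the admin role effectively inherits virtd's reach and the `<rolecap/>` doc could say so.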
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
new file mode 100644
index 00000000..fadbd88a
--- /dev/null
+++ b/policy/modules/contrib/virt.te
@@ -0,0 +1,473 @@
+policy_module(virt, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow virt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+## <desc>
+## <p>
+## Allow virt to read fuse files
+## </p>
+## </desc>
+gen_tunable(virt_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow virt to manage nfs files
+## </p>
+## </desc>
+gen_tunable(virt_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow virt to manage cifs files
+## </p>
+## </desc>
+gen_tunable(virt_use_samba, false)
+
+## <desc>
+## <p>
+## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_use_sysfs, false)
+
+## <desc>
+## <p>
+## Allow virt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+virt_domain_template(svirt)
+role system_r types svirt_t;
+
+type svirt_cache_t;
+files_type(svirt_cache_t)
+
+attribute virt_domain;
+attribute virt_image_type;
+
+type virt_etc_t;
+files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
+
+# virt Image files
+type virt_image_t; # customizable
+virt_image(virt_image_t)
+
+# virt Image files
+type virt_content_t; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
+type virt_log_t;
+logging_log_file(virt_log_t)
+
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
+type virt_var_run_t;
+files_pid_file(virt_var_run_t)
+
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
+
+type virtd_t;
+type virtd_exec_t;
+init_daemon_domain(virtd_t, virtd_exec_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
+
+type virtd_initrc_exec_t;
+init_script_file(virtd_initrc_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# svirt local policy
+#
+
+allow svirt_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir write;
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+corenet_tcp_bind_all_ports(svirt_t)
+corenet_tcp_connect_all_ports(svirt_t)
+
+dev_list_sysfs(svirt_t)
+
+userdom_search_user_home_content(svirt_t)
+userdom_read_user_home_content_symlinks(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(svirt_t)
+ dev_rw_printer(svirt_t)
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_read_fusefs_files(svirt_t)
+ fs_read_fusefs_symlinks(svirt_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_t)
+ fs_manage_nfs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(svirt_t)
+ fs_manage_cifs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(svirt_t)
+ fs_manage_dos_dirs(svirt_t)
+ fs_manage_dos_files(svirt_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
+########################################
+#
+# virtd local policy
+#
+
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+
+allow virtd_t self:fifo_file rw_fifo_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:tcp_socket create_stream_socket_perms;
+allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file { relabelfrom relabelto };
+allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_generic_if(virtd_t)
+corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_generic_node(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+
+dev_rw_sysfs(virtd_t)
+dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
+dev_rw_mtrr(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+
+files_read_usr_files(virtd_t)
+files_read_etc_files(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_manage_etc_files(virtd_t)
+
+fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+
+mcs_process_set_categories(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+miscfiles_read_localization(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
+modutils_manage_module_config(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+
+seutil_read_config(virtd_t)
+seutil_read_default_contexts(virtd_t)
+
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+ dnsmasq_read_pid_files(virtd_t)
+ dnsmasq_signull(virtd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_domtrans(virtd_t)
+ qemu_read_state(virtd_t)
+ qemu_signal(virtd_t)
+ qemu_kill(virtd_t)
+ qemu_setsched(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+
+allow virt_domain self:capability { dac_read_search dac_override kill };
+allow virt_domain self:process { execmem execstack signal getsched signull };
+allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_rw_tun_tap_dev(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+
+term_use_all_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+auth_use_nsswitch(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
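Review bot: The `virt_use_samba` block for `virtd_t` calls `fs_manage_nfs_files(virtd_t)` on its first line, which grants NFS write access when the CIFS boolean is set and leaves CIFS directory management out entirely; mirroring the `virt_use_nfs` block above and the `svirt_t` samba block, it should be `fs_manage_cifs_dirs(virtd_t)`. The `optional_policy(` unconfined_domain(virtd_t) `)` near the end silently turns `virtd_t` into an unconfined domain whenever the unconfined module is loaded, which makes the capability list above it moot on such systems; if that is intended, a comment explaining why should sit above it, otherwise it should be removed or gated on a tunable. `svirt_t` receives `corenet_tcp_connect_all_ports` and `corenet_tcp_bind_all_ports`, so a guest process can reach or listen on any TCP port in the host's network namespace; a comment recording that this is accepted for guest networking would help reviewers.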
diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
new file mode 100644
index 00000000..621d5fda
--- /dev/null
+++ b/policy/modules/contrib/vlock.fc
@@ -0,0 +1 @@
+/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/contrib/vlock.if b/policy/modules/contrib/vlock.if
new file mode 100644
index 00000000..c5eeea08
--- /dev/null
+++ b/policy/modules/contrib/vlock.if
@@ -0,0 +1,46 @@
+## <summary>Lock one or more sessions on the Linux console.</summary>
+
+#######################################
+## <summary>
+## Execute vlock in the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vlock_domtrans',`
+ gen_require(`
+ type vlock_t, vlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vlock_exec_t, vlock_t)
+')
+
+########################################
+## <summary>
+## Execute vlock in the vlock domain, and
+## allow the specified role the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vlock_run',`
+ gen_require(`
+ type vlock_t;
+ ')
+
+ vlock_domtrans($1)
+ role $2 types vlock_t;
+')
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
new file mode 100644
index 00000000..25110934
--- /dev/null
+++ b/policy/modules/contrib/vlock.te
@@ -0,0 +1,53 @@
+policy_module(vlock, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vlock_t;
+type vlock_exec_t;
+application_domain(vlock_t, vlock_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# --enable-pam is recommended when configuring vlock, making it
+# unnecessary to be a setuid program.
+dontaudit vlock_t self:capability { setuid setgid };
+allow vlock_t self:fd use;
+allow vlock_t self:fifo_file rw_fifo_file_perms;
+allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow vlock_t self:unix_dgram_socket { create connect };
+
+kernel_read_system_state(vlock_t)
+
+corecmd_list_bin(vlock_t)
+corecmd_read_bin_symlinks(vlock_t)
+
+# Must call this interface otherwise PAM session will fail
+# with message of "terminal=? res=failed"
+domain_use_interactive_fds(vlock_t)
+
+files_dontaudit_search_home(vlock_t)
+files_read_etc_files(vlock_t)
+
+# pam_tally2 module could be used by vlock for authentication,
+# /var/log/tallylog's SL is usually s0, while the caller's SL could
+# be higher than s0.
+mls_file_write_all_levels(vlock_t)
+
+selinux_dontaudit_getattr_fs(vlock_t)
+
+auth_domtrans_chk_passwd(vlock_t)
+
+init_dontaudit_rw_utmp(vlock_t)
+
+logging_send_syslog_msg(vlock_t)
+
+miscfiles_read_localization(vlock_t)
+
+userdom_dontaudit_search_user_home_dirs(vlock_t)
+userdom_use_user_terminals(vlock_t)
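Review bot: The comment above `mls_file_write_all_levels(vlock_t)` justifies the MLS override with pam_tally2 writing /var/log/tallylog, but no rule in this hunk grants vlock_t access to the faillog type itself; unless `auth_domtrans_chk_passwd` supplies it in this policy tree (not visible here), `auth_rw_faillog(vlock_t)` is needed next to the override or the tally update still fails. That override is the broadest MLS file-write privilege available, granted for what the comment describes as a single file, so the comment should say so explicitly, e.g. `# MLS write override is only needed for /var/log/tallylog; do not widen this domain further`. The `netlink_audit_socket` and `unix_dgram_socket` self rules may likewise already be provided by `auth_domtrans_chk_passwd`; worth checking before keeping both copies.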
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc
new file mode 100644
index 00000000..f647c7e1
--- /dev/null
+++ b/policy/modules/contrib/vmware.fc
@@ -0,0 +1,71 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+')
+
+/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+')
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/contrib/vmware.if b/policy/modules/contrib/vmware.if
new file mode 100644
index 00000000..853f5754
--- /dev/null
+++ b/policy/modules/contrib/vmware.if
@@ -0,0 +1,104 @@
+## <summary>VMWare Workstation virtual machines</summary>
+
+########################################
+## <summary>
+## Role access for vmware
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`vmware_role',`
+ gen_require(`
+ type vmware_t, vmware_exec_t;
+ ')
+
+ role $1 types vmware_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+
+ # allow ps to show vmware and allow the user to kill it
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute vmware host executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+## <summary>
+## Read VMWare system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Append to VMWare system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file append;
+')
+
+########################################
+## <summary>
+## Append to VMWare log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
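Review bot: `vmware_read_system_config` and `vmware_append_system_config` grant only `:file` permissions on vmware_sys_conf_t, yet vmware.fc in this commit labels the whole `/etc/vmware.*(/.*)?` tree with that type, so a caller still lacks search on the vmware_sys_conf_t directories and on /etc; the sibling `vmware_append_log` gets this right with `logging_search_logs` plus a pattern macro. Use the same shape: `files_search_etc($1)` followed by `read_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` in the read interface, and `files_search_etc($1)` with `append_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` in the append one. `vmware_role` also lacks the `## <rolecap/>` tag that `vlock_run` and `vnstatd_admin` in this commit carry, if that convention is meant to apply to role interfaces.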
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
new file mode 100644
index 00000000..fed68080
--- /dev/null
+++ b/policy/modules/contrib/vmware.te
@@ -0,0 +1,282 @@
+policy_module(vmware, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_t;
+type vmware_exec_t;
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
+type vmware_host_tmp_t;
+userdom_user_tmp_file(vmware_host_tmp_t)
+
+type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+userdom_user_tmp_file(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+userdom_user_tmpfs_file(vmware_tmpfs_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# VMWare host local policy
+#
+
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
+
+can_exec(vmware_host_t, vmware_host_exec_t)
+
+# cjp: the ro and rw files should be split up
+manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
+manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
+
+manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
+
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_generic_node(vmware_host_t)
+corenet_udp_sendrecv_generic_node(vmware_host_t)
+corenet_raw_sendrecv_generic_node(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+corenet_udp_sendrecv_all_ports(vmware_host_t)
+corenet_raw_bind_generic_node(vmware_host_t)
+corenet_tcp_bind_generic_node(vmware_host_t)
+corenet_udp_bind_generic_node(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_sendrecv_all_server_packets(vmware_host_t)
+
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
+dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
+
+files_list_tmp(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_exec_ld_so(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+
+netutils_domtrans_ping(vmware_host_t)
+
+optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
+')
+
+##############################
+#
+# VMWare guest local policy
+#
+
+allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow vmware_t self:process { execmem execstack };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+can_exec(vmware_t, vmware_exec_t)
+
+# User configuration files
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+# VMWare disks
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+
+allow vmware_t vmware_tmp_t:file execute;
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Read clobal configuration files
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+# startup scripts
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_all_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+# startup scripts run ldd
+libs_exec_ld_so(vmware_t)
+# Access X11 config files
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+# cjp: why?
+userdom_read_user_home_content_files(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+sysnet_read_config(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
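Review bot: `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes execmem and execstack only for the very next line `allow vmware_t self:process { execmem execstack };` to grant them again, so the pair reads as contradictory; state the intent once as `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };` or, better, drop the negated set and list the permissions actually required. The user-facing vmware_t domain also receives `dev_read_raw_memory`, `dev_write_raw_memory`, `sys_rawio` and `sys_admin`, which as far as this hunk shows is wide enough to undermine the per-user separation the typealiases and `ubac_constrained` types are set up for; a comment naming the VMware feature that needs /dev/mem access would let a reviewer judge whether it is still required. The `# cjp: why?` and `# cjp: the ro and rw files should be split up` TODOs are carried into the new file unresolved, and `# Read clobal configuration files` should read `global`.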
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
new file mode 100644
index 00000000..11533ccc
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.fc
@@ -0,0 +1,7 @@
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+
+/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
new file mode 100644
index 00000000..727fe953
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.if
@@ -0,0 +1,143 @@
+## <summary>Console network traffic monitor.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+########################################
+## <summary>
+## Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage vnstatd lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## vnstatd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vnstatd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+')
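Review bot: `vnstatd_admin` covers only vnstatd_var_lib_t, while vnstatd.te in this same commit also declares vnstatd_var_run_t for the pid file, so an admin role cannot remove a stale `/var/run/vnstat.pid`; add `type vnstatd_var_run_t;` to the gen_require block and `files_list_pids($1)` with `admin_pattern($1, vnstatd_var_run_t)` after the lib rules. `vnstatd_domtrans_vnstat` also omits the `corecmd_search_bin($1)` that `vlock_domtrans` in this commit includes, so a caller without search on the bin directories cannot reach /usr/bin/vnstat. In the admin summary, `an vnstatd environment` should read `a vnstatd environment`.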
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
new file mode 100644
index 00000000..8121937a
--- /dev/null
+++ b/policy/modules/contrib/vnstatd.te
@@ -0,0 +1,80 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstatd_var_run_t;
+files_pid_file(vnstatd_var_run_t)
+
+########################################
+#
+# vnstatd local policy
+#
+
+allow vnstatd_t self:process signal;
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+
+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
+
+kernel_read_network_state(vnstatd_t)
+kernel_read_system_state(vnstatd_t)
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+fs_getattr_xattr_fs(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')
+
+########################################
+#
+# vnstat local policy
+#
+
+allow vnstat_t self:process signal;
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
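Review bot: The `optional_policy` block calling `cron_system_entry(vnstat_t, vnstat_exec_t)` sits under the `vnstatd local policy` heading although it concerns vnstat_t, whose own section starts further down; move it to the end of the `vnstat local policy` section so the headings stay truthful. Both vnstat_t and vnstatd_t get full `manage_dirs_pattern`/`manage_files_pattern` over vnstatd_var_lib_t, so the non-daemon client can rewrite the database the daemon maintains; if the client only needs to read it, the narrower `vnstatd_read_lib_files`-style rules would be preferable, but whether vnstat writes the database is not shown by this hunk.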
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
new file mode 100644
index 00000000..076dcc3e
--- /dev/null
+++ b/policy/modules/contrib/vpn.fc
@@ -0,0 +1,13 @@
+#
+# sbin
+#
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/policy/modules/contrib/vpn.if b/policy/modules/contrib/vpn.if
new file mode 100644
index 00000000..7b93e071
--- /dev/null
+++ b/policy/modules/contrib/vpn.if
@@ -0,0 +1,138 @@
+## <summary>Virtual Private Networking client</summary>
+
+########################################
+## <summary>
+## Execute VPN clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vpn_domtrans',`
+ gen_require(`
+ type vpnc_t, vpnc_exec_t;
+ ')
+
+ domtrans_pattern($1, vpnc_exec_t, vpnc_t)
+')
+
+########################################
+## <summary>
+## Execute VPN clients in the vpnc domain, and
+## allow the specified role the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vpn_run',`
+ gen_require(`
+ attribute_role vpnc_roles;
+ ')
+
+ vpn_domtrans($1)
+ roleattribute $2 vpnc_roles;
+')
+
+########################################
+## <summary>
+## Send VPN clients the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_kill',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to VPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signal',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signull',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## Vpnc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_dbus_chat',`
+ gen_require(`
+ type vpnc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 vpnc_t:dbus send_msg;
+ allow vpnc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Relabelfrom from vpnc socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
new file mode 100644
index 00000000..83a80ba1
--- /dev/null
+++ b/policy/modules/contrib/vpn.te
@@ -0,0 +1,125 @@
+policy_module(vpn, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vpnc_roles;
+roleattribute system_r vpnc_roles;
+
+type vpnc_t;
+type vpnc_exec_t;
+application_domain(vpnc_t, vpnc_exec_t)
+role vpnc_roles types vpnc_t;
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:process { getsched signal };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
+
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
+corenet_tcp_sendrecv_generic_if(vpnc_t)
+corenet_udp_sendrecv_generic_if(vpnc_t)
+corenet_raw_sendrecv_generic_if(vpnc_t)
+corenet_tcp_sendrecv_generic_node(vpnc_t)
+corenet_udp_sendrecv_generic_node(vpnc_t)
+corenet_raw_sendrecv_generic_node(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_udp_bind_generic_node(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
+corenet_rw_tun_tap_dev(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+domain_use_interactive_fds(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
+
+term_use_all_ptys(vpnc_t)
+term_use_all_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+auth_use_nsswitch(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+
+locallogin_use_fds(vpnc_t)
+
+logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
+
+sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+sysnet_etc_filetrans_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_users_fds(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
+
+optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+')
+
+optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+')
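Review bot: `corecmd_exec_all_executables(vpnc_t)` together with `files_exec_etc_files(vpnc_t)` and `libs_exec_lib_files(vpnc_t)` lets a domain that also holds `net_admin`, `net_raw` and raw IP sockets execute nearly any binary on the system, with no comment saying which hook scripts require it; a comment naming those scripts, or narrowing to `corecmd_exec_bin`/`corecmd_exec_shell` if that suffices, would make the breadth reviewable. The `# cjp: this needs to be fixed` note above `allow vpnc_t self:socket create_socket_perms;` is carried into the new file unresolved. `files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})` is missing the space before `}` used by every other permission set in the file.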
diff --git a/policy/modules/contrib/w3c.fc b/policy/modules/contrib/w3c.fc
new file mode 100644
index 00000000..a9cc9a85
--- /dev/null
+++ b/policy/modules/contrib/w3c.fc
@@ -0,0 +1,4 @@
+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/policy/modules/contrib/w3c.if b/policy/modules/contrib/w3c.if
new file mode 100644
index 00000000..8f678a9f
--- /dev/null
+++ b/policy/modules/contrib/w3c.if
@@ -0,0 +1 @@
+## <summary>W3C Markup Validator</summary>
diff --git a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te
new file mode 100644
index 00000000..1174ad84
--- /dev/null
+++ b/policy/modules/contrib/w3c.te
@@ -0,0 +1,24 @@
+policy_module(w3c, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(w3c_validator)
+
+########################################
+#
+# Local policy
+#
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
new file mode 100644
index 00000000..7551c51b
--- /dev/null
+++ b/policy/modules/contrib/watchdog.fc
@@ -0,0 +1,5 @@
+/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
new file mode 100644
index 00000000..f8acf10a
--- /dev/null
+++ b/policy/modules/contrib/watchdog.if
@@ -0,0 +1 @@
+## <summary>Software watchdog</summary>
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
new file mode 100644
index 00000000..b10bb053
--- /dev/null
+++ b/policy/modules/contrib/watchdog.te
@@ -0,0 +1,105 @@
+policy_module(watchdog, 1.7.0)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t, watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file manage_file_perms;
+logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+
+manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_generic_node(watchdog_t)
+corenet_udp_sendrecv_generic_node(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+corenet_sendrecv_all_client_packets(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t, file)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
+
+optional_policy(`
+ mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+ udev_read_db(watchdog_t)
+')
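Review bot: The two section banners are swapped: the header at the top reads "Rules for the watchdog_t domain." but is followed by the type declarations, while the banner just before the first `allow` line reads "Declarations" and is followed by the actual rules. Change the first banner line to `# Declarations` and the second to `# Local policy` so the file matches the layout every other module in this commit uses. Separately, the `# cjp: why networking?` comment is left unresolved above a block that includes `corenet_tcp_connect_all_ports(watchdog_t)`; a hardware watchdog daemon arguably needs at most the mail/NIS access already granted in the optional blocks below, so either narrow the corenet block to the ports actually needed or replace the question with a comment that names the feature that requires it.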
diff --git a/policy/modules/contrib/webadm.fc b/policy/modules/contrib/webadm.fc
new file mode 100644
index 00000000..d46378a0
--- /dev/null
+++ b/policy/modules/contrib/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --git a/policy/modules/contrib/webadm.if b/policy/modules/contrib/webadm.if
new file mode 100644
index 00000000..cc34f8b4
--- /dev/null
+++ b/policy/modules/contrib/webadm.if
@@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+## Change to the web administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+## Change from the web administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the web administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow webadm_r $1;
+')
diff --git a/policy/modules/contrib/webadm.te b/policy/modules/contrib/webadm.te
new file mode 100644
index 00000000..0ecc7862
--- /dev/null
+++ b/policy/modules/contrib/webadm.te
@@ -0,0 +1,55 @@
+policy_module(webadm, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+ userdom_manage_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+ userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+ userdom_read_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+')
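Review bot: The self capability rule grants `sys_ptrace`, `dac_override` and `dac_read_search` to the web administrator domain with no comment saying which administrative action needs them; these are the capabilities that let a domain read or attach to other users' processes and bypass DAC on files, so a reviewer cannot tell whether they are load-bearing or carried over from an older policy. Add a why-comment above the line, e.g. `# dac_override/dac_read_search: manage content owned by the httpd user; sys_ptrace: <reason> -- TODO confirm`, or drop the capabilities that no apache_admin operation exercises. The `kill` capability is plausibly needed for restarting the web server via `apache_admin`, but that should be stated too.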
diff --git a/policy/modules/contrib/webalizer.fc b/policy/modules/contrib/webalizer.fc
new file mode 100644
index 00000000..2f40f218
--- /dev/null
+++ b/policy/modules/contrib/webalizer.fc
@@ -0,0 +1,11 @@
+
+#
+# /usr
+#
+/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
new file mode 100644
index 00000000..3c78e7ca
--- /dev/null
+++ b/policy/modules/contrib/webalizer.if
@@ -0,0 +1,45 @@
+## <summary>Web server log analysis</summary>
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`webalizer_domtrans',`
+ gen_require(`
+ type webalizer_t, webalizer_exec_t;
+ ')
+
+ domtrans_pattern($1, webalizer_exec_t, webalizer_t)
+')
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain, and
+## allow the specified role the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webalizer_run',`
+ gen_require(`
+ type webalizer_t;
+ ')
+
+ webalizer_domtrans($1)
+ role $2 types webalizer_t;
+')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
new file mode 100644
index 00000000..32b4f76f
--- /dev/null
+++ b/policy/modules/contrib/webalizer.te
@@ -0,0 +1,109 @@
+policy_module(webalizer, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type webalizer_t;
+type webalizer_exec_t;
+application_domain(webalizer_t, webalizer_exec_t)
+role system_r types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+type webalizer_write_t;
+files_type(webalizer_write_t)
+
+########################################
+#
+# Local policy
+#
+
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
+allow webalizer_t self:shm create_shm_perms;
+allow webalizer_t self:sem create_sem_perms;
+allow webalizer_t self:msgq create_msgq_perms;
+allow webalizer_t self:msg { send receive };
+allow webalizer_t self:unix_dgram_socket create_socket_perms;
+allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket connectto;
+allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow webalizer_t webalizer_etc_t:file read_file_perms;
+
+manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
+corenet_tcp_sendrecv_generic_if(webalizer_t)
+corenet_tcp_sendrecv_generic_node(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+
+files_read_etc_files(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+miscfiles_read_public_files(webalizer_t)
+
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_user_terminals(webalizer_t)
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
+
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
+optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+')
+
+optional_policy(`
+ ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(webalizer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
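Review bot: `webalizer_usage_t` and `webalizer_write_t` are declared with `files_type()` but no rule in this file references them, and `webalizer.fc` in the same commit labels nothing with them or with `webalizer_etc_t`; as written they are dead declarations and the `read_file_perms` rule on `webalizer_etc_t` can never apply to a file. If they exist so that a site-local `.fc` can label administrator-chosen output directories, add a comment above each declaration saying so (presumably that is the intent for `webalizer_write_t`, but the file does not show it); otherwise remove the unused types and add an `.fc` entry for the configuration file so `webalizer_etc_t` is actually assigned. Separately, `allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a negated permission set, which silently grows as new process permissions are added to the kernel policy; listing the permissions the program actually needs would be the safer form.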
diff --git a/policy/modules/contrib/wine.fc b/policy/modules/contrib/wine.fc
new file mode 100644
index 00000000..9d24449f
--- /dev/null
+++ b/policy/modules/contrib/wine.fc
@@ -0,0 +1,21 @@
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
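Review bot: The first entry uses `wine.+` while every other wine binary entry in this file uses `wine.*`; because file-context regexes are anchored, `.+` requires at least one character after "wine", so a binary literally named `wine` under `HOME_DIR/cxoffice/bin/` would stay unlabeled and not transition into `wine_t`. Change the line to `HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)` unless the stricter match is intentional, in which case a comment should say why.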
diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if
new file mode 100644
index 00000000..f9a73d04
--- /dev/null
+++ b/policy/modules/contrib/wine.if
@@ -0,0 +1,178 @@
+## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+
+#######################################
+## <summary>
+## The per role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ role $1 types wine_t;
+
+ domain_auto_trans($2, wine_exec_t, wine_t)
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
+ allow wine_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process signal_perms;
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
+ manage_files_pattern($2, wine_home_t, wine_home_t)
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ ubac_constrained($1_wine_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+ userdom_manage_user_tmpfs_files($1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wine_exec_t, wine_t)
+')
+
+########################################
+## <summary>
+## Execute wine in the wine domain, and
+## allow the specified role the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_run',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ wine_domtrans($1)
+ role $2 types wine_t;
+')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
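Review bot: The `wine_role` template's `gen_require` lists only `type wine_exec_t;` but the body references `wine_t` (the `role ... types`, `domain_auto_trans` and `allow` rules) and `wine_home_t` (the six `*_pattern` rules at the end); the `wine.te` added in this same commit declares `wine_t`, `wine_exec_t` and `wine_tmp_t` but no `wine_home_t`, so the template cannot currently be expanded from another module. Change the require to `type wine_t, wine_exec_t, wine_home_t;` and either declare `wine_home_t` in `wine.te` (with `userdom_user_home_content(wine_home_t)` and an `.fc` entry) or drop the home-content rules. In `wine_role_template`, `corecmd_bin_domtrans($1_wine_t, $1_t)` and `xserver_role($1_r, $1_wine_t)` build the user domain and role from the prefix instead of using the `$3` and `$2` parameters the header documents, which breaks for callers whose role or domain name does not follow the `<prefix>_t`/`<prefix>_r` pattern.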
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
new file mode 100644
index 00000000..7a175163
--- /dev/null
+++ b/policy/modules/contrib/wine.te
@@ -0,0 +1,62 @@
+policy_module(wine, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
+type wine_t;
+type wine_exec_t;
+userdom_user_application_domain(wine_t, wine_exec_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+userdom_user_tmp_file(wine_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
+userdom_use_user_terminals(wine_t)
+
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
+')
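Review bot: The `optional_policy` block calling `unconfined_domain(wine_t)` makes `wine_t` unconfined whenever the unconfined module is present, which means the `execmem`/`execstack`/`execheap`, `domain_mmap_low` and `files_execmod_all_files` rules above only constrain wine on systems without that module; nothing in the file says this is intended. Add a comment above the block, e.g. `# wine_t is fully unconfined when the unconfined module is loaded; the rules above apply only on systems without it`, so a reader auditing this domain is not misled by the apparently tight local policy. It would also help to note above `files_execmod_all_files(wine_t)` which Windows binaries need text relocations, since that permission disables the execmod protection for every file type on the system.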
diff --git a/policy/modules/contrib/wireshark.fc b/policy/modules/contrib/wireshark.fc
new file mode 100644
index 00000000..96844ae7
--- /dev/null
+++ b/policy/modules/contrib/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/contrib/wireshark.if b/policy/modules/contrib/wireshark.if
new file mode 100644
index 00000000..ea6ffe65
--- /dev/null
+++ b/policy/modules/contrib/wireshark.if
@@ -0,0 +1,55 @@
+## <summary>Wireshark packet capture tool.</summary>
+
+############################################################
+## <summary>
+## Role access for wireshark
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`wireshark_role',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ type wireshark_home_t, wireshark_tmp_t;
+ type wireshark_tmpfs_t;
+ ')
+
+ role $1 types wireshark_t;
+
+ domain_auto_trans($2, wireshark_exec_t, wireshark_t)
+ allow wireshark_t $2:fd use;
+ allow wireshark_t $2:process sigchld;
+
+ manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+')
+
+########################################
+## <summary>
+## Run wireshark in wireshark domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wireshark_domtrans',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ ')
+
+ domtrans_pattern($1, wireshark_exec_t, wireshark_t)
+')
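Review bot: `wireshark_role` requires `wireshark_tmp_t` and `wireshark_tmpfs_t` but its body never references either type; the unused requires should be dropped so the interface does not fail to expand if those types are ever renamed. Replace the three require lines with `type wireshark_t, wireshark_exec_t, wireshark_home_t;`. The body also uses `domain_auto_trans` plus separate `fd use`/`sigchld` rules where the other role interfaces in this commit use `domtrans_pattern`, which already grants those back-channel permissions.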
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
new file mode 100644
index 00000000..fc0adf86
--- /dev/null
+++ b/policy/modules/contrib/wireshark.te
@@ -0,0 +1,122 @@
+policy_module(wireshark, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireshark_t;
+type wireshark_exec_t;
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+userdom_user_application_domain(wireshark_t, wireshark_exec_t)
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+userdom_user_tmp_file(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+userdom_user_tmpfs_file(wireshark_tmpfs_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file { getattr read write };
+allow wireshark_t self:shm destroy;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
+allow wireshark_t self:tcp_socket create_socket_perms;
+allow wireshark_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(wireshark_t, wireshark_exec_t)
+
+# /home/.wireshark
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_exec_bin(wireshark_t)
+corecmd_search_bin(wireshark_t)
+
+corenet_tcp_connect_generic_port(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+
+dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
+dev_read_urand(wireshark_t)
+
+files_read_etc_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+seutil_use_newrole_fds(wireshark_t)
+
+sysnet_read_config(wireshark_t)
+
+userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_ptys(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ nscd_socket_use(wireshark_t)
+')
+
+# Manual transition from userhelper
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
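Review bot: `userdom_manage_user_home_content_files(wireshark_t)` gives the packet-capture domain create/write/delete on every user home content type, even though the `wireshark_home_t` rules near the top of the local policy already cover its own configuration directory; since wireshark's dissectors parse untrusted network data, a dissector bug in this domain would then reach all of the user's home files rather than just `~/.wireshark`. If the access is for saving captures to user-chosen paths, say so in a comment and consider putting it behind a tunable; otherwise narrow it to `wireshark_home_t`. Minor: `allow wireshark_t self:shm destroy;` is redundant with the `create_shm_perms` rule on the next line and can be removed.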
diff --git a/policy/modules/contrib/wm.fc b/policy/modules/contrib/wm.fc
new file mode 100644
index 00000000..c1d10a11
--- /dev/null
+++ b/policy/modules/contrib/wm.fc
@@ -0,0 +1,4 @@
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
new file mode 100644
index 00000000..b3efef7b
--- /dev/null
+++ b/policy/modules/contrib/wm.if
@@ -0,0 +1,111 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+## The role template for the wm module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wm_role_template',`
+ gen_require(`
+ type wm_exec_t;
+ class dbus send_msg;
+ ')
+
+ type $1_wm_t;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+ allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:shm create_shm_perms;
+
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld signull };
+ allow $1_wm_t $3:process { signull sigkill };
+
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
+
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ kernel_read_system_state($1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+ dev_read_urand($1_wm_t)
+
+ files_read_etc_files($1_wm_t)
+ files_read_usr_files($1_wm_t)
+
+ fs_getattr_tmpfs($1_wm_t)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+ mls_xwin_read_all_levels($1_wm_t)
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+
+ auth_use_nsswitch($1_wm_t)
+
+ application_signull($1_wm_t)
+
+ miscfiles_read_fonts($1_wm_t)
+ miscfiles_read_localization($1_wm_t)
+
+ optional_policy(`
+ dbus_system_bus_client($1_wm_t)
+ dbus_session_bus_client($1_wm_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect($1_wm_t)
+ ')
+
+ optional_policy(`
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_exec',`
+ gen_require(`
+ type wm_exec_t;
+ ')
+
+ can_exec($1, wm_exec_t)
+')
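Review bot: `wm_role_template` grants `mls_file_read_all_levels`, `mls_file_write_all_levels`, `mls_xwin_read_all_levels`, `mls_xwin_write_all_levels` and `mls_fd_use_all_levels` to every derived window-manager domain with no comment explaining why a per-user window manager must cross MLS levels on files as well as X objects. The X-window and fd overrides are plausible for managing windows of clients at different levels, but file read and write at all levels is a much broader MLS bypass; add a why-comment above the block naming the feature that needs it, or drop the two file-level overrides if only X access is required. The enclosing template also requires `class dbus send_msg;` for the explicit `dbus send_msg` rules, which is fine, but note that those rules apply even when the `dbus` optional block below is not compiled in.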
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
new file mode 100644
index 00000000..19d447ed
--- /dev/null
+++ b/policy/modules/contrib/wm.te
@@ -0,0 +1,9 @@
+policy_module(wm, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)
diff --git a/policy/modules/contrib/xdg.fc b/policy/modules/contrib/xdg.fc
new file mode 100644
index 00000000..49a52d98
--- /dev/null
+++ b/policy/modules/contrib/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+#
+# /run
+#
+/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
new file mode 100644
index 00000000..5bde948e
--- /dev/null
+++ b/policy/modules/contrib/xdg.if
@@ -0,0 +1,581 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_spec_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_spec_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_spec_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
+
+#
+########################################
+## <summary>
+## Mark the selected type as an xdg_runtime_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_runtime_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_content',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ typeattribute $1 xdg_runtime_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_spec_filetrans',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+
+ files_search_pids($1)
+')
+
+# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
+# to support a filetrans from whatever /run/user is to xdg_config_home_t
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_runtime_home_files',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ list_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_runtime_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_runtime_home_files',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
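Review bot: The four `xdg_read_all_*_home_files` interfaces (`xdg_read_all_cache_home_files`, `xdg_read_all_config_home_files`, `xdg_read_all_data_home_files`, `xdg_read_all_runtime_home_files`) grant `read_files_pattern` on the attribute but, unlike their `xdg_read_generic_*` siblings, omit `list_dirs_pattern`, so a caller can open files whose names it already knows but cannot enumerate the directories; if that asymmetry is not deliberate, add `list_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)` and the equivalent line for the config, data and runtime variants. The TODO closing the runtime section says the future transition target is `xdg_config_home_t`; that looks like a copy-paste slip for `xdg_runtime_home_t`. Less certain: `xdg_runtime_home_content` passes /run/user content through `userdom_user_home_content`, which presumably also places it under the generic user-home attribute, so any domain given blanket read or manage access to user home content would also reach the session sockets and credentials kept under /run/user — a comment stating that this widening is intended (or switching the runtime variant to a pid-file style base) would make the choice explicit.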
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
new file mode 100644
index 00000000..f9088b4c
--- /dev/null
+++ b/policy/modules/contrib/xdg.te
@@ -0,0 +1,26 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_data_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_cache_home_type;
+
+attribute xdg_runtime_home_type;
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_runtime_home_t;
+xdg_runtime_home_content(xdg_runtime_home_t)
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
new file mode 100644
index 00000000..a865da76
--- /dev/null
+++ b/policy/modules/contrib/xen.fc
@@ -0,0 +1,43 @@
+/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+
+/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+',`
+/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+')
+
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
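Review bot: `/usr/bin/virsh` is labelled `xm_exec_t` in this file, which makes libvirt's client tool domain-transition to xm_t for any caller using `xen_domtrans_xm`; if the virt module in this tree also carries a spec for /usr/bin/virsh (it is not visible in this chunk), the two file-context entries will conflict at policy load time, and even without a conflict the label deserves a justification such as `# virsh is treated as a Xen management client here; keep in sync with virt.fc`. The `/xen(/.*)?` entry labelling a filesystem-root directory as xen_image_t is unusual enough to warrant a one-line comment on which deployments keep images there. Since xen_image_t is also assigned to block devices (per the .te declarations), a note that image files under /var/lib/xen/images are read/write for xend_t would help reviewers reason about what a compromised xend can overwrite.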
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
new file mode 100644
index 00000000..77d41b64
--- /dev/null
+++ b/policy/modules/contrib/xen.if
@@ -0,0 +1,238 @@
+## <summary>Xen hypervisor</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run xend.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans',`
+ gen_require(`
+ type xend_t, xend_exec_t;
+ ')
+
+ domtrans_pattern($1, xend_exec_t, xend_t)
+')
+
+########################################
+## <summary>
+## Inherit and use xen file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ allow $1 xend_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## xen file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:fd use;
+')
+
+########################################
+## <summary>
+## Read xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_read_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+
+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## xend log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_append_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, xend_var_log_t, xend_var_log_t)
+ dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the
+## xend log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_manage_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
+ manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Xen unix domain stream sockets. These
+## are leaked file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Connect to xenstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xenstore',`
+ gen_require(`
+ type xenstored_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
+')
+
+########################################
+## <summary>
+## Connect to xend over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect',`
+ gen_require(`
+ type xend_t, xend_var_run_t, xend_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans_xm',`
+ gen_require(`
+ type xm_t, xm_exec_t;
+ ')
+
+ domtrans_pattern($1, xm_exec_t, xm_t)
+')
+
+########################################
+## <summary>
+## Connect to xm over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xm',`
+ gen_require(`
+ type xm_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+')
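Review bot: `xen_stream_connect_xm` uses `xenstored_var_run_t` in its `stream_connect_pattern` but only declares `type xm_t;` in `gen_require`, so the type is undeclared in any module that calls this interface without having required it elsewhere and that module will fail to build; the require block should read `type xm_t, xenstored_var_run_t;`. The pairing itself is also questionable: the socket directory given is xenstored's, yet the peer is xm_t, a management tool rather than the listener on that socket, so either an xm-specific socket type is intended or this duplicates `xen_stream_connect_xenstore` with the wrong peer — a comment naming the process that actually listens there would settle it. As a point of style, the raw `allow $1 xend_var_lib_t:dir search_dir_perms;` in `xen_rw_image_files` could use `search_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)` for consistency with the rest of the file.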
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
new file mode 100644
index 00000000..c4d18e89
--- /dev/null
+++ b/policy/modules/contrib/xen.te
@@ -0,0 +1,566 @@
+policy_module(xen, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+## </p>
+## </desc>
+gen_tunable(xend_run_blktap, true)
+
+## <desc>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
+## </desc>
+gen_tunable(xend_run_qemu, true)
+
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs, false)
+
+type blktap_t;
+type blktap_exec_t;
+domain_type(blktap_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+role system_r types blktap_t;
+
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
+type evtchnd_t;
+type evtchnd_exec_t;
+init_daemon_domain(evtchnd_t, evtchnd_exec_t)
+
+# log files
+type evtchnd_var_log_t;
+logging_log_file(evtchnd_var_log_t)
+
+# pid files
+type evtchnd_var_run_t;
+files_pid_file(evtchnd_var_run_t)
+
+type qemu_dm_t;
+type qemu_dm_exec_t;
+domain_type(qemu_dm_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t)
+files_type(xen_devpts_t)
+
+# Xen Image files
+type xen_image_t; # customizable
+files_type(xen_image_t)
+# xen_image_t can be assigned to blk devices
+dev_node(xen_image_t)
+
+type xenctl_t;
+files_type(xenctl_t)
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+files_mountpoint(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+init_daemon_domain(xenstored_t, xenstored_exec_t)
+
+type xenstored_tmp_t;
+files_tmp_file(xenstored_tmp_t)
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
+
+# log files
+type xenstored_var_log_t;
+logging_log_file(xenstored_var_log_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_system_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+
+ allow blktap_t self:fifo_file { read write };
+
+ dev_read_sysfs(blktap_t)
+ dev_rw_xen(blktap_t)
+
+ files_read_etc_files(blktap_t)
+
+ logging_send_syslog_msg(blktap_t)
+
+ miscfiles_read_localization(blktap_t)
+
+ xen_stream_connect_xenstore(blktap_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
+
+#######################################
+#
+# evtchnd local policy
+#
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+
+ dev_rw_xen(qemu_dm_t)
+
+ files_read_etc_files(qemu_dm_t)
+ files_read_usr_files(qemu_dm_t)
+
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+
+ miscfiles_read_localization(qemu_dm_t)
+
+ xen_stream_connect_xenstore(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+dontaudit xend_t self:capability { sys_ptrace };
+allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_fifo_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+allow xend_t xen_image_t:dir list_dir_perms;
+manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+manage_files_pattern(xend_t, xen_image_t, xen_image_t)
+read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
+rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
+
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(xend_t, xenctl_t, fifo_file)
+
+manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
+# pid file
+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+
+# log files
+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
+
+# var/lib files for xend
+manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
+
+# transition to store
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
+# transition to console
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
+corenet_tcp_sendrecv_generic_if(xend_t)
+corenet_tcp_sendrecv_generic_node(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_tcp_bind_generic_node(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
+corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
+corenet_sendrecv_xserver_client_packets(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
+
+dev_read_urand(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
+
+domain_dontaudit_read_all_domains_state(xend_t)
+domain_dontaudit_ptrace_all_domains(xend_t)
+
+files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
+files_manage_etc_runtime_files(xend_t)
+files_etc_filetrans_etc_runtime(xend_t, file)
+files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+term_getattr_all_ptys(xend_t)
+term_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_pty_fs(xend_t)
+
+init_stream_connect_script(xend_t)
+
+locallogin_dontaudit_use_fds(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+lvm_domtrans(xend_t)
+
+miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
+
+mount_domtrans(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+sysnet_rw_dhcp_config(xend_t)
+
+userdom_dontaudit_search_user_home_dirs(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+netutils_domtrans(xend_t)
+
+optional_policy(`
+ brctl_domtrans(xend_t)
+')
+
+optional_policy(`
+ consoletype_exec(xend_t)
+')
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+dev_rw_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
+domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
+files_read_etc_files(xenconsoled_t)
+files_read_usr_files(xenconsoled_t)
+
+fs_list_tmpfs(xenconsoled_t)
+fs_manage_xenfs_dirs(xenconsoled_t)
+fs_manage_xenfs_files(xenconsoled_t)
+
+term_create_pty(xenconsoled_t, xen_devpts_t)
+term_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_manage_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
+# pid file
+manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
+
+# log files
+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
+
+# var/lib files for xenstored
+manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
+
+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
+dev_read_sysfs(xenstored_t)
+
+files_read_etc_files(xenstored_t)
+
+files_read_usr_files(xenstored_t)
+
+fs_manage_xenfs_files(xenstored_t)
+
+term_use_generic_ptys(xenstored_t)
+
+init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
+
+logging_send_syslog_msg(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)
+
+########################################
+#
+# xm local policy
+#
+
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+allow xm_t self:process { getsched signal };
+
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file rw_fifo_file_perms;
+allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xm_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+files_search_var_lib(xm_t)
+
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file read_blk_file_perms;
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_sysctl(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
+
+corenet_tcp_sendrecv_generic_if(xm_t)
+corenet_tcp_sendrecv_generic_node(xm_t)
+corenet_tcp_connect_soundd_port(xm_t)
+
+dev_read_urand(xm_t)
+dev_read_sysfs(xm_t)
+
+files_read_etc_runtime_files(xm_t)
+files_read_usr_files(xm_t)
+files_list_mnt(xm_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+
+fs_getattr_all_fs(xm_t)
+fs_manage_xenfs_dirs(xm_t)
+fs_manage_xenfs_files(xm_t)
+
+term_use_all_terms(xm_t)
+
+init_stream_connect_script(xm_t)
+init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
+
+miscfiles_read_localization(xm_t)
+
+sysnet_dns_name_resolve(xm_t)
+
+xen_append_log(xm_t)
+xen_stream_connect(xm_t)
+xen_stream_connect_xenstore(xm_t)
+
+optional_policy(`
+ dbus_system_bus_client(xm_t)
+
+ optional_policy(`
+ hal_dbus_chat(xm_t)
+ ')
+')
+
+optional_policy(`
+ virt_domtrans(xm_t)
+ virt_manage_images(xm_t)
+ virt_manage_config(xm_t)
+ virt_stream_connect(xm_t)
+')
+
+########################################
+#
+# SSH component local policy
+#
+optional_policy(`
+ ssh_basic_client_template(xm, xm_t, system_r)
+
+ kernel_read_xen_state(xm_ssh_t)
+ kernel_write_xen_state(xm_ssh_t)
+
+ files_search_tmp(xm_ssh_t)
+
+ fs_manage_xenfs_dirs(xm_ssh_t)
+ fs_manage_xenfs_files(xm_ssh_t)
+
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+ fs_getattr_all_fs(xend_t)
+ fs_read_dos_files(xend_t)
+ fs_manage_xenfs_dirs(xend_t)
+ fs_manage_xenfs_files(xend_t)
+
+ tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+ ')
+
+ optional_policy(`
+ unconfined_domain(xend_t)
+ ')
+')
diff --git a/policy/modules/contrib/xfs.fc b/policy/modules/contrib/xfs.fc
new file mode 100644
index 00000000..8e70038b
--- /dev/null
+++ b/policy/modules/contrib/xfs.fc
@@ -0,0 +1,8 @@
+
+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
new file mode 100644
index 00000000..aa6e5a8d
--- /dev/null
+++ b/policy/modules/contrib/xfs.if
@@ -0,0 +1,59 @@
+## <summary>X Windows Font Server </summary>
+
+########################################
+## <summary>
+## Read a X font server named socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_read_sockets',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
+')
+
+########################################
+## <summary>
+## Connect to a X font server over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_stream_connect',`
+ gen_require(`
+ type xfs_tmp_t, xfs_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute xfs
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_exec',`
+ gen_require(`
+ type xfs_exec_t;
+ ')
+
+ can_exec($1, xfs_exec_t)
+')
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
new file mode 100644
index 00000000..11c1b12b
--- /dev/null
+++ b/policy/modules/contrib/xfs.te
@@ -0,0 +1,87 @@
+policy_module(xfs, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t, xfs_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { dac_override setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+allow xfs_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
+
+manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
+files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+
+kernel_read_kernel_sysctls(xfs_t)
+kernel_read_system_state(xfs_t)
+
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_generic_node(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_generic_node(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
+corecmd_list_bin(xfs_t)
+
+dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+domain_use_interactive_fds(xfs_t)
+
+files_read_etc_files(xfs_t)
+files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
+
+auth_use_nsswitch(xfs_t)
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
+
+xfs_exec(xfs_t)
+
+ifdef(`distro_debian',`
+ # for /tmp/.font-unix/fs7100
+ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`
+ udev_read_db(xfs_t)
+')
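Review bot: The first rule of the local policy, `allow xfs_t self:capability { dac_override setgid setuid };`, grants dac_override with no explanation, and nothing in this file shows which file the font server needs to reach past DAC for; since the same rule also lets it drop privileges via setuid/setgid, the access is probably only needed before that point. A one-line comment would let a later reviewer decide whether the capability is still required or could become a dontaudit, e.g. `# dac_override: needed for <path> before privileges are dropped — confirm`. The self re-exec grant `xfs_exec(xfs_t)` would likewise benefit from a comment naming why the daemon re-executes itself.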
diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/contrib/xguest.fc
new file mode 100644
index 00000000..601a7b02
--- /dev/null
+++ b/policy/modules/contrib/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/contrib/xguest.if b/policy/modules/contrib/xguest.if
new file mode 100644
index 00000000..d2234e32
--- /dev/null
+++ b/policy/modules/contrib/xguest.if
@@ -0,0 +1,50 @@
+## <summary>Least privledge xwindows user role</summary>
+
+########################################
+## <summary>
+## Change to the xguest role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow $1 xguest_r;
+')
+
+########################################
+## <summary>
+## Change from the xguest role.
+## </summary>
+## <desc>
+## <p>
+## Change from the xguest role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xguest_role_change_to',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow xguest_r $1;
+')
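Review bot: The module summary on the first line misspells "privilege": `## <summary>Least privledge xwindows user role</summary>` should read `## <summary>Least privilege xwindows user role</summary>`. This text is what the generated interface documentation shows, so the typo is user-visible.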
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
new file mode 100644
index 00000000..e88b95f1
--- /dev/null
+++ b/policy/modules/contrib/xguest.te
@@ -0,0 +1,98 @@
+policy_module(xguest, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
+ storage_raw_read_removable_device(xguest_t)
+ storage_raw_write_removable_device(xguest_t)
+ ',`
+ storage_raw_read_removable_device(xguest_t)
+ ')
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+ init_read_utmp(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
+ ')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)
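Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice in a row inside the xguest_mount_media tunable block; one of the two lines should be dropped. The optional_policy wrapper around that tunable block also looks unnecessary, since every interface inside it (kernel_, files_, fs_, auth_, init_) appears to come from base modules rather than an optional one — worth confirming before removing it. The trailing commented-out `#gen_user(xguest_u,, xguest_r, s0, s0)` line should either be deleted or carry a comment saying where the user declaration now lives.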
diff --git a/policy/modules/contrib/xprint.fc b/policy/modules/contrib/xprint.fc
new file mode 100644
index 00000000..6a857fff
--- /dev/null
+++ b/policy/modules/contrib/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/policy/modules/contrib/xprint.if b/policy/modules/contrib/xprint.if
new file mode 100644
index 00000000..e69a82af
--- /dev/null
+++ b/policy/modules/contrib/xprint.if
@@ -0,0 +1 @@
+## <summary>X print server</summary>
diff --git a/policy/modules/contrib/xprint.te b/policy/modules/contrib/xprint.te
new file mode 100644
index 00000000..68d13e59
--- /dev/null
+++ b/policy/modules/contrib/xprint.te
@@ -0,0 +1,82 @@
+policy_module(xprint, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type xprint_t;
+type xprint_exec_t;
+init_daemon_domain(xprint_t, xprint_exec_t)
+
+type xprint_var_run_t;
+files_pid_file(xprint_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit xprint_t self:capability sys_tty_config;
+allow xprint_t self:process signal_perms;
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:tcp_socket create_stream_socket_perms;
+allow xprint_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t)
+files_pid_filetrans(xprint_t, xprint_var_run_t, file)
+
+kernel_read_system_state(xprint_t)
+kernel_read_kernel_sysctls(xprint_t)
+
+corecmd_exec_bin(xprint_t)
+corecmd_exec_shell(xprint_t)
+
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
+corenet_tcp_sendrecv_generic_if(xprint_t)
+corenet_udp_sendrecv_generic_if(xprint_t)
+corenet_tcp_sendrecv_generic_node(xprint_t)
+corenet_udp_sendrecv_generic_node(xprint_t)
+corenet_tcp_sendrecv_all_ports(xprint_t)
+corenet_udp_sendrecv_all_ports(xprint_t)
+
+dev_read_sysfs(xprint_t)
+dev_read_urand(xprint_t)
+
+domain_use_interactive_fds(xprint_t)
+
+files_read_etc_files(xprint_t)
+files_read_etc_runtime_files(xprint_t)
+files_read_usr_files(xprint_t)
+files_search_var_lib(xprint_t)
+files_search_tmp(xprint_t)
+
+fs_getattr_all_fs(xprint_t)
+fs_search_auto_mountpoints(xprint_t)
+
+logging_send_syslog_msg(xprint_t)
+
+miscfiles_read_fonts(xprint_t)
+miscfiles_read_localization(xprint_t)
+
+sysnet_read_config(xprint_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
+
+optional_policy(`
+ cups_read_config(xprint_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(xprint_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xprint_t)
+')
+
+optional_policy(`
+ udev_read_db(xprint_t)
+')
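Review bot: `allow xprint_t self:fifo_file rw_file_perms;` uses the regular-file permission set on the fifo_file class, whereas the other modules in this series (xen.te, xscreensaver.te, yam.te) use the fifo-specific macro; it should be `allow xprint_t self:fifo_file rw_fifo_file_perms;`. The same mismatch is present in zabbix.te in both the server rule `allow zabbix_t self:fifo_file rw_file_perms;` and the agent rule `allow zabbix_agent_t self:fifo_file rw_file_perms;`. Using the class-specific macro keeps the granted permission set consistent with how the rest of the policy treats fifos.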
diff --git a/policy/modules/contrib/xscreensaver.fc b/policy/modules/contrib/xscreensaver.fc
new file mode 100644
index 00000000..29396daa
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.fc
@@ -0,0 +1 @@
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
diff --git a/policy/modules/contrib/xscreensaver.if b/policy/modules/contrib/xscreensaver.if
new file mode 100644
index 00000000..1067bd1f
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.if
@@ -0,0 +1,30 @@
+## <summary>X Screensaver</summary>
+
+########################################
+## <summary>
+## Role access for xscreensaver
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ type xscreensaver_t, xscreensaver_exec_t;
+ ')
+
+ role $1 types xscreensaver_t;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, xscreensaver_t)
+ allow $2 xscreensaver_t:process signal_perms;
+')
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
new file mode 100644
index 00000000..1487a4e5
--- /dev/null
+++ b/policy/modules/contrib/xscreensaver.te
@@ -0,0 +1,42 @@
+policy_module(xscreensaver, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
+
+type xscreensaver_tmpfs_t;
+userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+allow xscreensaver_t self:process signal;
+
+kernel_read_system_state(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+auth_use_nsswitch(xscreensaver_t)
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+#/var/run/utmp
+init_read_utmp(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+
+miscfiles_read_localization(xscreensaver_t)
+
+userdom_use_user_ptys(xscreensaver_t)
+#access to .icons and ~/.xscreensaver
+userdom_read_user_home_content_files(xscreensaver_t)
+
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/policy/modules/contrib/yam.fc b/policy/modules/contrib/yam.fc
new file mode 100644
index 00000000..4ec6edeb
--- /dev/null
+++ b/policy/modules/contrib/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/policy/modules/contrib/yam.if b/policy/modules/contrib/yam.if
new file mode 100644
index 00000000..07015a25
--- /dev/null
+++ b/policy/modules/contrib/yam.if
@@ -0,0 +1,66 @@
+## <summary>Yum/Apt Mirroring</summary>
+
+########################################
+## <summary>
+## Execute yam in the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, yam_exec_t, yam_t)
+')
+
+########################################
+## <summary>
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`yam_run',`
+ gen_require(`
+ type yam_t;
+ ')
+
+ yam_domtrans($1)
+ role $2 types yam_t;
+')
+
+########################################
+## <summary>
+## Read yam content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ read_files_pattern($1, yam_content_t, yam_content_t)
+ read_lnk_files_pattern($1, yam_content_t, yam_content_t)
+')
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
new file mode 100644
index 00000000..223ad437
--- /dev/null
+++ b/policy/modules/contrib/yam.te
@@ -0,0 +1,124 @@
+policy_module(yam, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+application_domain(yam_t, yam_exec_t)
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow yam_t self:process execmem;
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_fifo_file_perms;
+allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
+allow yam_t self:shm create_shm_perms;
+allow yam_t self:sem create_sem_perms;
+allow yam_t self:msgq create_msgq_perms;
+allow yam_t self:msg { send receive };
+allow yam_t self:tcp_socket create_socket_perms;
+
+# Update the content being managed by yam.
+manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
+manage_files_pattern(yam_t, yam_content_t, yam_content_t)
+manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
+
+allow yam_t yam_etc_t:file read_file_perms;
+files_search_etc(yam_t)
+
+manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(yam_t)
+kernel_read_proc_symlinks(yam_t)
+# Python works fine without reading /proc/meminfo
+kernel_dontaudit_read_system_state(yam_t)
+
+corecmd_exec_shell(yam_t)
+corecmd_exec_bin(yam_t)
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_generic_node(yam_t)
+corenet_tcp_sendrecv_all_ports(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_sendrecv_rsync_client_packets(yam_t)
+
+# mktemp
+dev_read_urand(yam_t)
+
+files_read_etc_files(yam_t)
+files_read_etc_runtime_files(yam_t)
+# /usr/share/createrepo/genpkgmetadata.py:
+files_exec_usr_files(yam_t)
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+files_rw_var_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+# Content can also be on ISO image files.
+fs_read_iso9660_files(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+sysnet_dns_name_resolve(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_user_terminals(yam_t)
+userdom_use_unpriv_users_fds(yam_t)
+# Reading dotfiles...
+# cjp: ?
+userdom_search_user_home_dirs(yam_t)
+
+# The whole point of this program is to make updates available on a
+# local web server. Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t, yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yam_t)
+')
+
+optional_policy(`
+ nscd_socket_use(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+')
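Review bot: `apache_search_sys_content(yam_t)` near the end of the local policy is called unconditionally, while every other interface from a contrib module in this file (cron, mount, nis, nscd, rsync) is wrapped in optional_policy; if the apache module is not part of the build, this module will fail to link. It should be wrapped the same way: `optional_policy(\` apache_search_sys_content(yam_t) ')`. Separately, the process rule `allow yam_t self:process ~{ ... execmem execstack execheap };` deliberately excludes execmem and the very next line `allow yam_t self:process execmem;` grants it back; the two should be consolidated (drop execmem from the exclusion set or drop the explicit grant) and the reason execmem is needed stated in a comment, since the existing `# cjp: ?` note shows that question was never resolved.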
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
new file mode 100644
index 00000000..aa5a5211
--- /dev/null
+++ b/policy/modules/contrib/zabbix.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
new file mode 100644
index 00000000..c9981d18
--- /dev/null
+++ b/policy/modules/contrib/zabbix.if
@@ -0,0 +1,158 @@
+## <summary>Distributed infrastructure monitoring</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run zabbix.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zabbix_domtrans',`
+ gen_require(`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+ domtrans_pattern($1, zabbix_exec_t, zabbix_t)
+')
+
+########################################
+## <summary>
+## Allow connectivity to the zabbix server
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read zabbix's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## zabbix log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_append_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+## <summary>
+## Read zabbix PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_read_pid_files',`
+ gen_require(`
+ type zabbix_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zabbix_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow connectivity to a zabbix agent
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zabbix_agent_tcp_connect',`
+ gen_require(`
+ type zabbix_agent_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_agent_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_agent_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zabbix environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zabbix domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t;
+ ')
+
+ allow $1 zabbix_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zabbix_t)
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zabbix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, zabbix_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zabbix_var_run_t)
+')
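Review bot: In `zabbix_agent_tcp_connect`, the line `corenet_tcp_recvfrom_labeled($1, zabbix_t)` names the server domain as the peer, but this interface is for connecting to an agent and its gen_require only declares zabbix_agent_t, so zabbix_t is an undeclared type here; it looks copied from `zabbix_tcp_connect` and should be `corenet_tcp_recvfrom_labeled($1, zabbix_agent_t)`. In `zabbix_tcp_connect` the packet rule `corenet_sendrecv_zabbix_agent_client_packets($1)` likewise refers to the agent port's packets even though the interface connects to the server port; if a server-port client packet interface exists in corenetwork, that is presumably the intended one. `zabbix_admin` covers only the server types (zabbix_t, zabbix_initrc_exec_t), so an administrator role granted through it cannot manage the agent or its init script; either document that limitation in the summary or add zabbix_agent_t and zabbix_agent_initrc_exec_t to the interface.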
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
new file mode 100644
index 00000000..8c0bd708
--- /dev/null
+++ b/policy/modules/contrib/zabbix.te
@@ -0,0 +1,137 @@
+policy_module(zabbix, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type zabbix_t;
+type zabbix_exec_t;
+init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
+# log files
+type zabbix_log_t;
+logging_log_file(zabbix_log_t)
+
+# shared memory
+type zabbix_tmpfs_t;
+files_tmpfs_file(zabbix_tmpfs_t)
+
+# pid files
+type zabbix_var_run_t;
+files_pid_file(zabbix_var_run_t)
+
+########################################
+#
+# zabbix local policy
+#
+
+allow zabbix_t self:capability { setuid setgid };
+allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:process { setsched getsched signal };
+allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow zabbix_t zabbix_log_t:dir setattr;
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+
+# shared memory
+rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+
+# pid file
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+corenet_tcp_bind_generic_node(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+
+files_read_etc_files(zabbix_t)
+
+miscfiles_read_localization(zabbix_t)
+
+sysnet_dns_name_resolve(zabbix_t)
+
+zabbix_agent_tcp_connect(zabbix_t)
+
+optional_policy(`
+ mysql_stream_connect(zabbix_t)
+ mysql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+
+# Shared Memory support
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
+
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+
+domain_search_all_domains_state(zabbix_agent_t)
+
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+
+fs_getattr_all_fs(zabbix_agent_t)
+
+init_read_utmp(zabbix_agent_t)
+
+logging_search_logs(zabbix_agent_t)
+
+miscfiles_read_localization(zabbix_agent_t)
+
+sysnet_dns_name_resolve(zabbix_agent_t)
+
+# Network access to zabbix server
+zabbix_tcp_connect(zabbix_agent_t)
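Review bot: The agent's logging rule `filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)` only fires for files created inside directories already labeled zabbix_log_t, which is effectively a no-op; the server side uses `logging_log_filetrans(zabbix_t, zabbix_log_t, file)`, and the agent should match it with `logging_log_filetrans(zabbix_agent_t, zabbix_log_t, file)`. More broadly, the agent and server share zabbix_log_t, zabbix_tmpfs_t and zabbix_var_run_t, so the agent domain — which is network-reachable and is granted reads on all executables, all sysctls and all domains' state — can manage the server's log, shared-memory and pid files; giving the agent its own log/pid/tmpfs types (as the fc file already does for its init script) would keep the two domains from writing each other's state. The comment `# Network access to zabbix server` on the last line would be clearer as `# Report to the zabbix server over its TCP port` so it is not read as the agent accepting connections.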
diff --git a/policy/modules/contrib/zarafa.fc b/policy/modules/contrib/zarafa.fc
new file mode 100644
index 00000000..3defaa1f
--- /dev/null
+++ b/policy/modules/contrib/zarafa.fc
@@ -0,0 +1,26 @@
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
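Review bot: The `/var/run/zarafa-indexer` entry uses the `--` (regular file) qualifier, yet zarafa.te has zarafa_server_t stream-connecting to zarafa_indexer_var_run_t, which only makes sense if that path is the indexer's unix socket. The template's files_pid_filetrans will label a socket the indexer creates at runtime, but a relabel from this file would not match it and the socket would take whatever more general /var/run entry applies, breaking the server's connect after a restorecon. If the path is indeed a socket, use the same qualifier as the `/var/run/zarafa` line: `/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)`. I'd also note the deliver domain gets log and pid types from the template but has no entries here, so nothing is ever labeled zarafa_deliver_log_t or zarafa_deliver_var_run_t by relabeling.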
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
new file mode 100644
index 00000000..21ae6643
--- /dev/null
+++ b/policy/modules/contrib/zarafa.if
@@ -0,0 +1,120 @@
+## <summary>Zarafa collaboration platform.</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## zararfa init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`zarafa_domain_template',`
+ gen_require(`
+ attribute zarafa_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type zarafa_$1_t, zarafa_domain;
+ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+ type zarafa_$1_log_t;
+ logging_log_file(zarafa_$1_log_t)
+
+ type zarafa_$1_var_run_t;
+ files_pid_file(zarafa_$1_var_run_t)
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+')
+
+######################################
+## <summary>
+## Allow the specified domain to search
+## zarafa configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_search_config',`
+ gen_require(`
+ type zarafa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_deliver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_deliver',`
+ gen_require(`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zarafa_domtrans_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
+#######################################
+## <summary>
+## Connect to zarafa-server unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_stream_connect_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
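Review bot: `zarafa_stream_connect_server` grants `files_search_var_lib($1)`, but the socket it connects to is `/var/run/zarafa`, labeled zarafa_server_var_run_t in zarafa.fc, so a caller without search on /var/run cannot reach it; the line should be `files_search_pids($1)`. The stream_connect_pattern line itself is correct. Separately, the template summary has a typo, `zararfa` for `zarafa`.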
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
new file mode 100644
index 00000000..9fb47472
--- /dev/null
+++ b/policy/modules/contrib/zarafa.te
@@ -0,0 +1,161 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute zarafa_domain;
+
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
+zarafa_domain_template(gateway)
+zarafa_domain_template(ical)
+zarafa_domain_template(indexer)
+zarafa_domain_template(monitor)
+zarafa_domain_template(server)
+
+type zarafa_server_tmp_t;
+files_tmp_file(zarafa_server_tmp_t)
+
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
+zarafa_domain_template(spooler)
+
+type zarafa_var_lib_t;
+files_tmp_file(zarafa_var_lib_t)
+
+########################################
+#
+# zarafa-deliver local policy
+#
+
+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+########################################
+#
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+corenet_all_recvfrom_netlabel(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+corenet_tcp_bind_generic_node(zarafa_gateway_t)
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# zarafa-ical local policy
+#
+
+allow zarafa_ical_t self:capability chown;
+
+corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+corenet_all_recvfrom_netlabel(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
+corenet_tcp_bind_generic_node(zarafa_ical_t)
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
+# zarafa_server local policy
+#
+
+allow zarafa_server_t self:capability { chown kill net_bind_service };
+allow zarafa_server_t self:process setrlimit;
+
+manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_server_t)
+corenet_all_recvfrom_netlabel(zarafa_server_t)
+corenet_tcp_sendrecv_generic_if(zarafa_server_t)
+corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
+corenet_tcp_bind_generic_node(zarafa_server_t)
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
+logging_send_audit_msgs(zarafa_server_t)
+
+sysnet_dns_name_resolve(zarafa_server_t)
+
+optional_policy(`
+ kerberos_use(zarafa_server_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zarafa_server_t)
+')
+
+########################################
+#
+# zarafa_spooler local policy
+#
+
+allow zarafa_spooler_t self:capability { chown kill };
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
+corenet_all_recvfrom_netlabel(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override setgid setuid };
+allow zarafa_domain self:process signal;
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+
+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+kernel_read_system_state(zarafa_domain)
+
+files_read_etc_files(zarafa_domain)
+
+auth_use_nsswitch(zarafa_domain)
+
+miscfiles_read_localization(zarafa_domain)
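Review bot: `zarafa_var_lib_t` is declared with `files_tmp_file(zarafa_var_lib_t)`, but it labels `/var/lib/zarafa-*` and is created through files_var_lib_filetrans, so it is persistent state rather than tmp; this gives the server's data the tmp attribute (every generic tmp-management rule in the policy then applies to it) and is inconsistent with the other data types in this file, so it should be `files_type(zarafa_var_lib_t)`. Also, the comment `# bad permission on /etc/zarafa` is the only justification for `dac_override` on every zarafa domain, yet dac_override bypasses DAC checks for all files, not just that directory; fixing the package's ownership of /etc/zarafa and dropping the capability would be the least-privilege outcome. If that is not feasible yet, expand the comment to say which paths need it so the rule can be revisited.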
diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
new file mode 100644
index 00000000..e1b30b25
--- /dev/null
+++ b/policy/modules/contrib/zebra.fc
@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
+/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+
+/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
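Review bot: `/usr/sbin/ospf.*` and `/usr/sbin/rip.*` label any binary with those prefixes as zebra_exec_t, while the init-script entries above show the daemons are exactly ospfd, ospf6d, ripd and ripngd. Tightening to `/usr/sbin/ospf6?d -- gen_context(system_u:object_r:zebra_exec_t,s0)` and `/usr/sbin/rip(ng)?d -- gen_context(system_u:object_r:zebra_exec_t,s0)` keeps any other ospf*/rip* tools that may be installed out of the net_admin/net_raw domain.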
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
new file mode 100644
index 00000000..6b876050
--- /dev/null
+++ b/policy/modules/contrib/zebra.if
@@ -0,0 +1,88 @@
+## <summary>Zebra border gateway protocol network routing service</summary>
+
+########################################
+## <summary>
+## Read the configuration files for zebra.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_read_config',`
+ gen_require(`
+ type zebra_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+')
+
+########################################
+## <summary>
+## Connect to zebra over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zebra_stream_connect',`
+ gen_require(`
+ type zebra_t, zebra_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zebra_var_run_t:sock_file write;
+ allow $1 zebra_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zebra environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zebra domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+ type zebra_conf_t, zebra_var_run_t;
+ type zebra_initrc_exec_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zebra_t)
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zebra_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, zebra_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, zebra_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, zebra_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zebra_var_run_t)
+')
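Review bot: `zebra_stream_connect` allows `write` on zebra_var_run_t:sock_file and `connectto` on zebra_t, but `/var/run/quagga(/.*)?` is also zebra_var_run_t, so a socket under that directory additionally needs `search` on the zebra_var_run_t directory, which this interface never grants; only the `.zebra`/`.zserv` sockets directly in /var/run would work. The usual `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` covers the directory search, sock_file write and connectto in one line and matches how zarafa.if in this same series does it. The `files_search_pids($1)` line can stay.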
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
new file mode 100644
index 00000000..ade6c2cc
--- /dev/null
+++ b/policy/modules/contrib/zebra.te
@@ -0,0 +1,140 @@
+policy_module(zebra, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config, false)
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t, zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
+# /tmp/.bgpd is such a bad idea!
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
+corenet_tcp_sendrecv_generic_if(zebra_t)
+corenet_udp_sendrecv_generic_if(zebra_t)
+corenet_raw_sendrecv_generic_if(zebra_t)
+corenet_tcp_sendrecv_generic_node(zebra_t)
+corenet_udp_sendrecv_generic_node(zebra_t)
+corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
+corenet_tcp_bind_generic_node(zebra_t)
+corenet_udp_bind_generic_node(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+tunable_policy(`allow_zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+ rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+ udev_read_db(zebra_t)
+')
+
+optional_policy(`
+ unconfined_sigchld(zebra_t)
+')
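Review bot: The tunable description reads `Allow zebra daemon to write it configuration files`; it should be `Allow zebra daemon to write its configuration files`, since this text is what administrators see when deciding whether to enable the boolean. A second thing I would question is `dev_associate_usbfs(zebra_var_run_t)`: nothing else in this hunk involves usbfs, so unless zebra's runtime directory really lives on usbfs on some target it looks like a leftover that could be dropped — I cannot confirm that from the hunk alone. The comment `# /tmp/.bgpd is such a bad idea!` would also be more useful if it said that the sock_file-only tmp rule is deliberate so the daemon cannot create regular files there.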
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
new file mode 100644
index 00000000..d719d0b9
--- /dev/null
+++ b/policy/modules/contrib/zosremote.fc
@@ -0,0 +1 @@
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.if b/policy/modules/contrib/zosremote.if
new file mode 100644
index 00000000..702e7680
--- /dev/null
+++ b/policy/modules/contrib/zosremote.if
@@ -0,0 +1,45 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`zosremote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zosremote_domtrans($1)
+ role $2 types zos_remote_t;
+')
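Review bot: The summary of `zosremote_run` promises that the specified type may use the zos_remote_t terminal, but the body only calls zosremote_domtrans and adds the role rule; no terminal access is granted. Either trim the summary to `Execute a domain transition to run audispd-zos-remote and allow the specified role the zos_remote_t domain.` or add the terminal rule the text describes — as written, a policy author reading the doc would expect pty/tty access that is not there.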
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
new file mode 100644
index 00000000..f9a06d2c
--- /dev/null
+++ b/policy/modules/contrib/zosremote.te
@@ -0,0 +1,28 @@
+policy_module(zosremote, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
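Review bot: `allow zos_remote_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo; `allow zos_remote_t self:fifo_file rw_fifo_file_perms;` is the fifo-specific set that zarafa.te in this same series uses and reads as intended rather than copied. Beyond style, this is a remote audit dispatcher plugin, but the hunk contains no tcp_socket or corenet rules, so if audispd-zos-remote opens the connection to the z/OS host itself that will be denied; that may be deliberate and handled elsewhere, which I cannot tell from the hunk.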