authorChris PeBenito <pebenito@ieee.org>2018-06-23 10:38:58 -0400
committerJason Zaman <jason@perfinion.com>2018-06-24 16:33:24 +0800
commit751926c0fbba4bf7105622ee65888b66740847a0 (patch)
tree6bbdd39cd5becdddc8e4cbc41332c383874c7972 /policy/modules/admin
parentxdg: move compat interfaces to upstream xdg module (diff)
Move all files out of the old contrib directory.
Diffstat (limited to 'policy/modules/admin')
-rw-r--r--policy/modules/admin/acct.fc9
-rw-r--r--policy/modules/admin/acct.if113
-rw-r--r--policy/modules/admin/acct.te83
-rw-r--r--policy/modules/admin/aide.fc7
-rw-r--r--policy/modules/admin/aide.if80
-rw-r--r--policy/modules/admin/aide.te45
-rw-r--r--policy/modules/admin/alsa.fc24
-rw-r--r--policy/modules/admin/alsa.if292
-rw-r--r--policy/modules/admin/alsa.te136
-rw-r--r--policy/modules/admin/amanda.fc30
-rw-r--r--policy/modules/admin/amanda.if161
-rw-r--r--policy/modules/admin/amanda.te206
-rw-r--r--policy/modules/admin/amtu.fc4
-rw-r--r--policy/modules/admin/amtu.if74
-rw-r--r--policy/modules/admin/amtu.te39
-rw-r--r--policy/modules/admin/anaconda.fc1
-rw-r--r--policy/modules/admin/anaconda.if1
-rw-r--r--policy/modules/admin/anaconda.te54
-rw-r--r--policy/modules/admin/apt.fc23
-rw-r--r--policy/modules/admin/apt.if259
-rw-r--r--policy/modules/admin/apt.te171
-rw-r--r--policy/modules/admin/backup.fc5
-rw-r--r--policy/modules/admin/backup.if67
-rw-r--r--policy/modules/admin/backup.te82
-rw-r--r--policy/modules/admin/bacula.fc21
-rw-r--r--policy/modules/admin/bacula.if93
-rw-r--r--policy/modules/admin/bacula.te158
-rw-r--r--policy/modules/admin/bcfg2.fc9
-rw-r--r--policy/modules/admin/bcfg2.if151
-rw-r--r--policy/modules/admin/bcfg2.te61
-rw-r--r--policy/modules/admin/blueman.fc3
-rw-r--r--policy/modules/admin/blueman.if99
-rw-r--r--policy/modules/admin/blueman.te70
-rw-r--r--policy/modules/admin/brctl.fc3
-rw-r--r--policy/modules/admin/brctl.if45
-rw-r--r--policy/modules/admin/brctl.te47
-rw-r--r--policy/modules/admin/certwatch.fc1
-rw-r--r--policy/modules/admin/certwatch.if48
-rw-r--r--policy/modules/admin/certwatch.te57
-rw-r--r--policy/modules/admin/cfengine.fc13
-rw-r--r--policy/modules/admin/cfengine.if104
-rw-r--r--policy/modules/admin/cfengine.te77
-rw-r--r--policy/modules/admin/chkrootkit.fc5
-rw-r--r--policy/modules/admin/chkrootkit.if46
-rw-r--r--policy/modules/admin/chkrootkit.te76
-rw-r--r--policy/modules/admin/ddcprobe.fc3
-rw-r--r--policy/modules/admin/ddcprobe.if47
-rw-r--r--policy/modules/admin/ddcprobe.te55
-rw-r--r--policy/modules/admin/dmidecode.fc9
-rw-r--r--policy/modules/admin/dmidecode.if47
-rw-r--r--policy/modules/admin/dmidecode.te34
-rw-r--r--policy/modules/admin/dphysswapfile.fc9
-rw-r--r--policy/modules/admin/dphysswapfile.if54
-rw-r--r--policy/modules/admin/dphysswapfile.te63
-rw-r--r--policy/modules/admin/dpkg.fc14
-rw-r--r--policy/modules/admin/dpkg.if321
-rw-r--r--policy/modules/admin/dpkg.te348
-rw-r--r--policy/modules/admin/fakehwclock.fc9
-rw-r--r--policy/modules/admin/fakehwclock.if80
-rw-r--r--policy/modules/admin/fakehwclock.te42
-rw-r--r--policy/modules/admin/firstboot.fc7
-rw-r--r--policy/modules/admin/firstboot.if158
-rw-r--r--policy/modules/admin/firstboot.te127
-rw-r--r--policy/modules/admin/hwloc.fc7
-rw-r--r--policy/modules/admin/hwloc.if106
-rw-r--r--policy/modules/admin/hwloc.te31
-rw-r--r--policy/modules/admin/kdump.fc12
-rw-r--r--policy/modules/admin/kdump.if113
-rw-r--r--policy/modules/admin/kdump.te119
-rw-r--r--policy/modules/admin/kdumpgui.fc1
-rw-r--r--policy/modules/admin/kdumpgui.if1
-rw-r--r--policy/modules/admin/kdumpgui.te90
-rw-r--r--policy/modules/admin/kismet.fc13
-rw-r--r--policy/modules/admin/kismet.if307
-rw-r--r--policy/modules/admin/kismet.te110
-rw-r--r--policy/modules/admin/kudzu.fc9
-rw-r--r--policy/modules/admin/kudzu.if99
-rw-r--r--policy/modules/admin/kudzu.te138
-rw-r--r--policy/modules/admin/logrotate.fc12
-rw-r--r--policy/modules/admin/logrotate.if122
-rw-r--r--policy/modules/admin/logrotate.te289
-rw-r--r--policy/modules/admin/logwatch.fc18
-rw-r--r--policy/modules/admin/logwatch.if39
-rw-r--r--policy/modules/admin/logwatch.te197
-rw-r--r--policy/modules/admin/mcelog.fc11
-rw-r--r--policy/modules/admin/mcelog.if58
-rw-r--r--policy/modules/admin/mcelog.te124
-rw-r--r--policy/modules/admin/mrtg.fc16
-rw-r--r--policy/modules/admin/mrtg.if84
-rw-r--r--policy/modules/admin/mrtg.te152
-rw-r--r--policy/modules/admin/ncftool.fc1
-rw-r--r--policy/modules/admin/ncftool.if46
-rw-r--r--policy/modules/admin/ncftool.te85
-rw-r--r--policy/modules/admin/passenger.fc10
-rw-r--r--policy/modules/admin/passenger.if58
-rw-r--r--policy/modules/admin/passenger.te107
-rw-r--r--policy/modules/admin/portage.fc50
-rw-r--r--policy/modules/admin/portage.if569
-rw-r--r--policy/modules/admin/portage.te534
-rw-r--r--policy/modules/admin/prelink.fc13
-rw-r--r--policy/modules/admin/prelink.if205
-rw-r--r--policy/modules/admin/prelink.te205
-rw-r--r--policy/modules/admin/puppet.fc18
-rw-r--r--policy/modules/admin/puppet.if233
-rw-r--r--policy/modules/admin/puppet.te413
-rw-r--r--policy/modules/admin/quota.fc32
-rw-r--r--policy/modules/admin/quota.if191
-rw-r--r--policy/modules/admin/quota.te131
-rw-r--r--policy/modules/admin/readahead.fc7
-rw-r--r--policy/modules/admin/readahead.if21
-rw-r--r--policy/modules/admin/readahead.te103
-rw-r--r--policy/modules/admin/rkhunter.fc5
-rw-r--r--policy/modules/admin/rkhunter.if46
-rw-r--r--policy/modules/admin/rkhunter.te134
-rw-r--r--policy/modules/admin/rpm.fc72
-rw-r--r--policy/modules/admin/rpm.if648
-rw-r--r--policy/modules/admin/rpm.te422
-rw-r--r--policy/modules/admin/samhain.fc16
-rw-r--r--policy/modules/admin/samhain.if237
-rw-r--r--policy/modules/admin/samhain.te125
-rw-r--r--policy/modules/admin/sblim.fc9
-rw-r--r--policy/modules/admin/sblim.if71
-rw-r--r--policy/modules/admin/sblim.te122
-rw-r--r--policy/modules/admin/sectoolm.fc5
-rw-r--r--policy/modules/admin/sectoolm.if24
-rw-r--r--policy/modules/admin/sectoolm.te108
-rw-r--r--policy/modules/admin/shorewall.fc29
-rw-r--r--policy/modules/admin/shorewall.if191
-rw-r--r--policy/modules/admin/shorewall.te114
-rw-r--r--policy/modules/admin/shutdown.fc9
-rw-r--r--policy/modules/admin/shutdown.if127
-rw-r--r--policy/modules/admin/shutdown.te80
-rw-r--r--policy/modules/admin/smoltclient.fc1
-rw-r--r--policy/modules/admin/smoltclient.if1
-rw-r--r--policy/modules/admin/smoltclient.te86
-rw-r--r--policy/modules/admin/sosreport.fc5
-rw-r--r--policy/modules/admin/sosreport.if129
-rw-r--r--policy/modules/admin/sosreport.te170
-rw-r--r--policy/modules/admin/sxid.fc8
-rw-r--r--policy/modules/admin/sxid.if21
-rw-r--r--policy/modules/admin/sxid.te101
-rw-r--r--policy/modules/admin/tboot.fc3
-rw-r--r--policy/modules/admin/tboot.if46
-rw-r--r--policy/modules/admin/tboot.te24
-rw-r--r--policy/modules/admin/tmpreaper.fc8
-rw-r--r--policy/modules/admin/tmpreaper.if20
-rw-r--r--policy/modules/admin/tmpreaper.te91
-rw-r--r--policy/modules/admin/tripwire.fc14
-rw-r--r--policy/modules/admin/tripwire.if185
-rw-r--r--policy/modules/admin/tripwire.te155
-rw-r--r--policy/modules/admin/tzdata.fc3
-rw-r--r--policy/modules/admin/tzdata.if47
-rw-r--r--policy/modules/admin/tzdata.te38
-rw-r--r--policy/modules/admin/updfstab.fc5
-rw-r--r--policy/modules/admin/updfstab.if20
-rw-r--r--policy/modules/admin/updfstab.te116
-rw-r--r--policy/modules/admin/usbmodules.fc3
-rw-r--r--policy/modules/admin/usbmodules.if47
-rw-r--r--policy/modules/admin/usbmodules.te44
-rw-r--r--policy/modules/admin/vbetool.fc3
-rw-r--r--policy/modules/admin/vbetool.if46
-rw-r--r--policy/modules/admin/vbetool.te56
-rw-r--r--policy/modules/admin/vpn.fc6
-rw-r--r--policy/modules/admin/vpn.if140
-rw-r--r--policy/modules/admin/vpn.te131
165 files changed, 14257 insertions, 0 deletions
diff --git a/policy/modules/admin/acct.fc b/policy/modules/admin/acct.fc
new file mode 100644
index 00000000..5a772ec6
--- /dev/null
+++ b/policy/modules/admin/acct.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
+
+/usr/bin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+
+/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
new file mode 100644
index 00000000..59d95d04
--- /dev/null
+++ b/policy/modules/admin/acct.if
@@ -0,0 +1,113 @@
+## <summary>Berkeley process accounting.</summary>
+
+########################################
+## <summary>
+## Transition to the accounting
+## management domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`acct_domtrans',`
+ gen_require(`
+ type acct_t, acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acct_exec_t, acct_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management tools
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_exec',`
+ gen_require(`
+ type acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, acct_exec_t)
+')
+
+########################################
+## <summary>
+## Execute accounting management data
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_exec_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ can_exec($1, acct_data_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## process accounting data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_manage_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an acct environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`acct_admin',`
+ gen_require(`
+ type acct_t, acct_initrc_exec_t, acct_data_t;
+ ')
+
+ allow $1 acct_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acct_t)
+
+ init_startstop_service($1, $2, acct_t, acct_initrc_exec_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, acct_data_t)
+')
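Review bot: `acct_exec_data` grants `can_exec($1, acct_data_t)` on a type that acct.fc in this commit applies to the accounting log directories (/var/account and /var/log/account) and that acct.te declares with `logging_log_file`, so callers are being allowed to execute log data, and the interface carries no comment on why that is needed. If the use case is a script that lives under those paths, a one-line `#` comment naming it above the `can_exec` line would let a reviewer judge the grant; otherwise a distinct exec type would be the narrower choice. The summary "Execute accounting management data in the caller domain" could also state plainly that this is execute access on the log data type rather than on the accton binary, which `acct_exec` already covers.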
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
new file mode 100644
index 00000000..4f3550cf
--- /dev/null
+++ b/policy/modules/admin/acct.te
@@ -0,0 +1,83 @@
+policy_module(acct, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t, acct_exec_t)
+
+type acct_initrc_exec_t;
+init_script_file(acct_initrc_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow acct_t self:capability { chown fsetid kill sys_pacct };
+dontaudit acct_t self:capability sys_tty_config;
+allow acct_t self:process signal_perms;
+allow acct_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(acct_t, acct_data_t, acct_data_t)
+manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
+
+can_exec(acct_t, acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+dev_read_sysfs(acct_t)
+dev_read_urand(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+term_dontaudit_use_generic_ptys(acct_t)
+
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+
+auth_use_nsswitch(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_search_user_home_dirs(acct_t)
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+
+optional_policy(`
+ optional_policy(`
+ # for monthly cron job
+ auth_log_filetrans_login_records(acct_t)
+ auth_manage_login_records(acct_t)
+ ')
+
+ cron_system_entry(acct_t, acct_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+ udev_read_db(acct_t)
+')
diff --git a/policy/modules/admin/aide.fc b/policy/modules/admin/aide.fc
new file mode 100644
index 00000000..b2f47de8
--- /dev/null
+++ b/policy/modules/admin/aide.fc
@@ -0,0 +1,7 @@
+/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+
+/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+
+/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/policy/modules/admin/aide.if b/policy/modules/admin/aide.if
new file mode 100644
index 00000000..01cbb67d
--- /dev/null
+++ b/policy/modules/admin/aide.if
@@ -0,0 +1,80 @@
+## <summary>Aide filesystem integrity checker.</summary>
+
+########################################
+## <summary>
+## Execute aide in the aide domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aide_domtrans',`
+ gen_require(`
+ type aide_t, aide_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, aide_exec_t, aide_t)
+')
+
+########################################
+## <summary>
+## Execute aide programs in the AIDE
+## domain and allow the specified role
+## the AIDE domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`aide_run',`
+ gen_require(`
+ attribute_role aide_roles;
+ ')
+
+ aide_domtrans($1)
+ roleattribute $2 aide_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an aide environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+ gen_require(`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+ allow $1 aide_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aide_t)
+
+ aide_run($1, $2)
+
+ files_list_etc($1)
+ admin_pattern($1, aide_db_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aide_log_t)
+')
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
new file mode 100644
index 00000000..9d3c19ce
--- /dev/null
+++ b/policy/modules/admin/aide.te
@@ -0,0 +1,45 @@
+policy_module(aide, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role aide_roles;
+
+type aide_t;
+type aide_exec_t;
+application_domain(aide_t, aide_exec_t)
+role aide_roles types aide_t;
+
+type aide_log_t;
+logging_log_file(aide_log_t)
+
+type aide_db_t;
+files_type(aide_db_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aide_t self:capability { dac_override fowner };
+
+manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+
+create_files_pattern(aide_t, aide_log_t, aide_log_t)
+append_files_pattern(aide_t, aide_log_t, aide_log_t)
+setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+logging_log_filetrans(aide_t, aide_log_t, file)
+
+files_read_all_files(aide_t)
+files_read_all_symlinks(aide_t)
+
+logging_send_audit_msgs(aide_t)
+logging_send_syslog_msg(aide_t)
+
+userdom_use_user_terminals(aide_t)
+
+optional_policy(`
+ seutil_use_newrole_fds(aide_t)
+')
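Review bot: `files_read_all_files(aide_t)` and `files_read_all_symlinks(aide_t)` are the widest grants in this hunk and carry no comment explaining them, although aide.fc in the same commit labels the binary, database and log with mls_systemhigh, which suggests the author was aware the database aggregates content read from everywhere. Suggest a why-comment above the two calls, e.g. `# integrity checker: must read every file to hash it; db and log are labeled mls_systemhigh because they summarize that content`, so the breadth is visibly deliberate rather than an oversight for the next maintainer.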
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
new file mode 100644
index 00000000..75ea9ebf
--- /dev/null
+++ b/policy/modules/admin/alsa.fc
@@ -0,0 +1,24 @@
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
+
+/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
+/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
new file mode 100644
index 00000000..9cff9efb
--- /dev/null
+++ b/policy/modules/admin/alsa.if
@@ -0,0 +1,292 @@
+## <summary>Advanced Linux Sound Architecture utilities.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Alsa.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`alsa_domtrans',`
+ gen_require(`
+ type alsa_t, alsa_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, alsa_exec_t, alsa_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Alsa, and allow the specified role
+## the Alsa domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_run',`
+ gen_require(`
+ attribute_role alsa_roles;
+ ')
+
+ alsa_domtrans($1)
+ roleattribute $2 alsa_roles;
+')
+
+########################################
+## <summary>
+## Read and write Alsa semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write Alsa shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
+ gen_require(`
+ type alsa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
+ gen_require(`
+ type alsa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read Alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Relabel alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_relabel_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic alsa
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`alsa_home_filetrans_alsa_home',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
+')
+
+#########################################
+## <summary>
+## Write Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
+')
+
+# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
+
+# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
+# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html
+
+########################################
+## <summary>
+## Mark the selected domain as an alsa-capable domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that links with alsa
+## </summary>
+## </param>
+## <param name="tmpfstype">
+## <summary>
+## Tmpfs type used for shared memory of the given domain
+## </summary>
+## </param>
+#
+interface(`alsa_domain',`
+ gen_require(`
+ attribute alsadomain;
+ attribute alsatmpfsfile;
+ ')
+
+ typeattribute $1 alsadomain;
+ typeattribute $2 alsatmpfsfile;
+')
+
+
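Review bot: `alsa_domain` requires the attributes `alsadomain` and `alsatmpfsfile`, which alsa.te in this same commit declares only inside `ifdef(`distro_gentoo',`…')`, so any caller of this interface on a non-Gentoo build fails at gen_require time; the `#` comment above the interface says as much, but the XML documentation that policy consumers read does not. Suggest adding to the `<summary>` a sentence such as "Only usable when distro_gentoo is set; the attributes it requires are declared under that ifdef in alsa.te." Separately, the file ends with two empty `+` lines, which none of the other files in this commit have.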
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
new file mode 100644
index 00000000..008b6d25
--- /dev/null
+++ b/policy/modules/admin/alsa.te
@@ -0,0 +1,136 @@
+policy_module(alsa, 1.18.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role alsa_roles;
+
+type alsa_t;
+type alsa_exec_t;
+init_system_domain(alsa_t, alsa_exec_t)
+role alsa_roles types alsa_t;
+
+type alsa_etc_t alias alsa_etc_rw_t;
+files_config_file(alsa_etc_t)
+
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+type alsa_runtime_t;
+files_pid_file(alsa_runtime_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
+
+type alsa_tmpfs_t;
+files_tmpfs_file(alsa_tmpfs_t)
+
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
+type alsa_var_lock_t;
+files_lock_file(alsa_var_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
+# kill : kill pulseaudio
+dontaudit alsa_t self:capability { kill sys_admin };
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket { accept listen };
+
+allow alsa_t alsa_home_t:file read_file_perms;
+
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+allow alsa_t alsa_etc_t:file map;
+
+can_exec(alsa_t, alsa_exec_t)
+
+allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
+files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+
+allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
+fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+
+manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+
+allow alsa_t alsa_var_lock_t:file manage_file_perms;
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
+
+kernel_read_system_state(alsa_t)
+
+corecmd_exec_bin(alsa_t)
+
+dev_getattr_fs(alsa_t)
+dev_read_input(alsa_t)
+dev_read_sound(alsa_t)
+dev_read_sysfs(alsa_t)
+dev_read_urand(alsa_t)
+dev_write_sound(alsa_t)
+
+files_read_usr_files(alsa_t)
+files_search_var_lib(alsa_t)
+
+fs_getattr_tmpfs(alsa_t)
+
+term_dontaudit_use_console(alsa_t)
+term_dontaudit_use_generic_ptys(alsa_t)
+term_dontaudit_use_all_ptys(alsa_t)
+
+auth_use_nsswitch(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
+
+optional_policy(`
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
+
+ifdef(`distro_gentoo',`
+
+# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
+# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html
+
+ attribute alsadomain;
+ attribute alsatmpfsfile;
+
+ typeattribute alsa_t alsadomain;
+
+ ################################
+ #
+ # alsadomain policy
+ #
+ allow alsadomain alsadomain:sem create_sem_perms;
+ allow alsadomain alsadomain:shm rw_shm_perms;
+ allow alsadomain alsatmpfsfile:file rw_file_perms;
+
+ # ALSA applications need access to /usr/share/alsa/*
+ files_read_usr_files(alsadomain)
+
+ alsa_read_config(alsadomain)
+ alsa_read_home_files(alsadomain)
+')
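Review bot: In the Gentoo block, `allow alsadomain alsadomain:sem create_sem_perms;` and `allow alsadomain alsadomain:shm rw_shm_perms;` give every domain tagged through `alsa_domain` read/write access to the SysV semaphores and shared memory of every other such domain, not only to alsa_t's, so isolation between otherwise unrelated alsa-using application domains collapses to membership in one attribute, and nothing in the hunk records that this is intended. A comment above those rules, e.g. `# every alsa-capable domain may share SysV sem/shm with every other one; do not add sensitive domains to alsadomain`, would make the trade-off explicit. Also, alsa_t is added to `alsadomain` here but `alsa_tmpfs_t` is not added to `alsatmpfsfile`; if other members are expected to access alsa_t's tmpfs files through `alsatmpfsfile`, that typeattribute looks missing, though this may be deliberate — please confirm.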
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
new file mode 100644
index 00000000..0d90d71e
--- /dev/null
+++ b/policy/modules/admin/amanda.fc
@@ -0,0 +1,30 @@
+/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+# empty m4 string so the index macro is not invoked
+/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+
+/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/usr/bin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/bin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
+/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+# the null string in here because index is a m4 builtin function
+/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
+
+/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
new file mode 100644
index 00000000..1de17880
--- /dev/null
+++ b/policy/modules/admin/amanda.if
@@ -0,0 +1,161 @@
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+ gen_require(`
+ type amanda_recover_t, amanda_recover_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amanda_run_recover',`
+ gen_require(`
+ attribute_role amanda_recover_roles;
+ ')
+
+ amanda_domtrans_recover($1)
+ roleattribute $2 amanda_recover_roles;
+')
+
+########################################
+## <summary>
+## Search Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ dontaudit $1 amanda_dumpdates_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write /etc/dumpdates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Manage Amanda library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_manage_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and append amanda log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+ gen_require(`
+ type amanda_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+')
+
+#######################################
+## <summary>
+## Search Amanda var library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+ gen_require(`
+ type amanda_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
new file mode 100644
index 00000000..ea74ccd7
--- /dev/null
+++ b/policy/modules/admin/amanda.te
@@ -0,0 +1,206 @@
+policy_module(amanda, 1.17.0)
+
+#######################################
+#
+# Declarations
+#
+
+attribute_role amanda_recover_roles;
+roleattribute system_r amanda_recover_roles;
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+
+type amanda_exec_t;
+domain_entry_file(amanda_t, amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+type amanda_config_t;
+files_type(amanda_config_t)
+
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+type amanda_data_t;
+files_type(amanda_data_t)
+
+type amanda_recover_t;
+type amanda_recover_exec_t;
+application_domain(amanda_recover_t, amanda_recover_exec_t)
+role amanda_recover_roles types amanda_recover_t;
+
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+ prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow amanda_t self:capability { chown dac_override kill setuid };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
+allow amanda_t self:unix_stream_socket { accept listen };
+allow amanda_t self:tcp_socket { accept listen };
+
+allow amanda_t amanda_amandates_t:file rw_file_perms;
+
+allow amanda_t amanda_config_t:file read_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, dir)
+
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
+
+kernel_read_kernel_sysctls(amanda_t)
+kernel_read_system_state(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
+corenet_tcp_sendrecv_generic_if(amanda_t)
+corenet_tcp_sendrecv_generic_node(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_generic_node(amanda_t)
+
+corenet_sendrecv_all_server_packets(amanda_t)
+corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
+
+auth_use_nsswitch(amanda_t)
+auth_read_shadow(amanda_t)
+
+logging_send_syslog_msg(amanda_t)
+
+########################################
+#
+# Recover local policy
+#
+
+allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+allow amanda_recover_t self:unix_stream_socket create_socket_perms;
+allow amanda_recover_t self:tcp_socket { accept listen };
+
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(amanda_recover_t)
+kernel_read_system_state(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
+corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+corenet_udp_sendrecv_generic_if(amanda_recover_t)
+corenet_tcp_sendrecv_generic_node(amanda_recover_t)
+corenet_udp_sendrecv_generic_node(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_generic_node(amanda_recover_t)
+corenet_udp_bind_generic_node(amanda_recover_t)
+
+corenet_sendrecv_generic_server_packets(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+
+auth_use_nsswitch(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
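Review bot: `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` sit under the "Recover local policy" heading, two lines above `logging_search_logs(amanda_recover_t)`, yet they target amanda_t, so anyone auditing what the recover domain may do will misattribute them; move them up into the amanda_t local policy block next to `storage_write_tape(amanda_t)`. Separately, amanda_recover_t is granted `corenet_tcp_bind_reserved_port(amanda_recover_t)` while its capability set `{ chown dac_override fowner fsetid kill setgid setuid }` omits net_bind_service; unless that bind is never exercised in practice, the reserved-port bind will presumably be denied at runtime, so either add the capability or drop the bind rule.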
diff --git a/policy/modules/admin/amtu.fc b/policy/modules/admin/amtu.fc
new file mode 100644
index 00000000..b21a14a2
--- /dev/null
+++ b/policy/modules/admin/amtu.fc
@@ -0,0 +1,4 @@
+/etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
+
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if
new file mode 100644
index 00000000..69425600
--- /dev/null
+++ b/policy/modules/admin/amtu.if
@@ -0,0 +1,74 @@
+## <summary>Abstract Machine Test Utility.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Amtu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amtu_domtrans',`
+ gen_require(`
+ type amtu_t, amtu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amtu_exec_t, amtu_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Amtu, and allow the specified role
+## the Amtu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`amtu_run',`
+ gen_require(`
+ attribute_role amtu_roles;
+ ')
+
+ amtu_domtrans($1)
+ roleattribute $2 amtu_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an amtu environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`amtu_admin',`
+ gen_require(`
+ type amtu_t, amtu_initrc_exec_t;
+ ')
+
+ allow $1 amtu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amtu_t)
+
+ init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t)
+')
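Review bot: The `amtu_run` interface declares a `role` parameter but its XML header lacks the `## <rolecap/>` tag that the sibling run interfaces in this commit carry (`apt_run`, `backup_run`, `bacula_run_admin`); add `## <rolecap/>` after the role `</param>` so the generated interface documentation treats it consistently with the others.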
diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te
new file mode 100644
index 00000000..9342d566
--- /dev/null
+++ b/policy/modules/admin/amtu.te
@@ -0,0 +1,39 @@
+policy_module(amtu, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role amtu_roles;
+
+type amtu_t;
+type amtu_exec_t;
+init_system_domain(amtu_t, amtu_exec_t)
+role amtu_roles types amtu_t;
+
+type amtu_initrc_exec_t;
+init_script_file(amtu_initrc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+kernel_read_system_state(amtu_t)
+
+files_manage_boot_files(amtu_t)
+files_read_etc_runtime_files(amtu_t)
+files_read_etc_files(amtu_t)
+
+logging_send_audit_msgs(amtu_t)
+
+userdom_use_user_terminals(amtu_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(amtu_t)
+')
diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc
new file mode 100644
index 00000000..b098089d
--- /dev/null
+++ b/policy/modules/admin/anaconda.fc
@@ -0,0 +1 @@
+# No file context specifications.
diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if
new file mode 100644
index 00000000..14a61b7e
--- /dev/null
+++ b/policy/modules/admin/anaconda.if
@@ -0,0 +1 @@
+## <summary>Anaconda installer.</summary>
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
new file mode 100644
index 00000000..307f1e8f
--- /dev/null
+++ b/policy/modules/admin/anaconda.te
@@ -0,0 +1,54 @@
+policy_module(anaconda, 1.8.0)
+
+gen_require(`
+ class passwd all_passwd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+type anaconda_exec_t;
+domain_type(anaconda_t)
+domain_entry_file(anaconda_t, anaconda_exec_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+allow anaconda_t self:process execmem;
+allow anaconda_t self:passwd { rootok passwd chfn chsh };
+
+kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+init_domtrans_script(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans(anaconda_t)
+
+seutil_domtrans_semanage(anaconda_t)
+
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
+ udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(anaconda_t)
+')
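Review bot: Nothing in anaconda.te records that the explicit rules above are effectively superseded when the unconfined module is present: the last `optional_policy` block calls `unconfined_domain_noaudit(anaconda_t)`, which makes anaconda_t unconfined on such builds. A one-line comment at the top of the Local policy section, e.g. `# anaconda_t becomes unconfined when the unconfined module is loaded (last optional_policy block); the rules here only constrain builds without it`, would save the next reader from auditing this rule set as if it were the complete grant.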
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
new file mode 100644
index 00000000..92db84d6
--- /dev/null
+++ b/policy/modules/admin/apt.fc
@@ -0,0 +1,23 @@
+/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+')
+
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+
+/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
+
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
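Review bot: The entry `/var/lib/apt-xapian-inde(x)(/.*)?` groups the final character of a literal path for no stated reason, and none of the neighbouring entries do this; if the grouping is intentional (presumably to change how the path's literal prefix is treated by the file-context tooling) it deserves a comment on the line above saying so, otherwise it should read `/var/lib/apt-xapian-index(/.*)?` like the other `/var/lib/` entries.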
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
new file mode 100644
index 00000000..568aa97d
--- /dev/null
+++ b/policy/modules/admin/apt.if
@@ -0,0 +1,259 @@
+## <summary>Advanced package tool.</summary>
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apt_exec_t, apt_t)
+')
+
+########################################
+## <summary>
+## Execute the apt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_exec',`
+ gen_require(`
+ type apt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, apt_exec_t)
+')
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apt_run',`
+ gen_require(`
+ attribute_role apt_roles;
+ ')
+
+ apt_domtrans($1)
+ roleattribute $2 apt_roles;
+')
+
+########################################
+## <summary>
+## Use apt file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## apt file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+## Read apt unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write apt unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Read apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read apt package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## apt package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create,
+## read, write, and delete apt
+## package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+')
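Review bot: `apt_rw_pipes` grants `allow $1 apt_t:fifo_file rw_file_perms;`, a regular-file permission set, while `apt_read_pipes` just above it uses the fifo-specific `read_fifo_file_perms`; the matching set is `rw_fifo_file_perms`, so the line should be `allow $1 apt_t:fifo_file rw_fifo_file_perms;`. The two sets largely overlap today, but the mismatch reads as a copy-paste slip and will drift if the permission macros are ever changed.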
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
new file mode 100644
index 00000000..ed05a060
--- /dev/null
+++ b/policy/modules/admin/apt.te
@@ -0,0 +1,171 @@
+policy_module(apt, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role apt_roles;
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t, apt_exec_t)
+domain_system_change_exemption(apt_t)
+role apt_roles types apt_t;
+
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_fifo_file_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket { accept connectto listen };
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t, apt_lock_t, { dir file })
+
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
+
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+
+allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
+logging_log_filetrans(apt_t, apt_var_log_t, file)
+
+can_exec(apt_t, apt_exec_t)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
+corenet_tcp_sendrecv_generic_if(apt_t)
+corenet_tcp_sendrecv_generic_node(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+
+corenet_sendrecv_all_client_packets(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+
+dev_list_sysfs(apt_t)
+dev_read_urand(apt_t)
+
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+fs_getattr_all_fs(apt_t)
+
+term_create_pty(apt_t, apt_devpts_t)
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+userdom_use_user_terminals(apt_t)
+
+optional_policy(`
+ backup_manage_store_files(apt_t)
+')
+
+optional_policy(`
+ cron_system_entry(apt_t, apt_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(apt_t, apt_exec_t)
+
+ optional_policy(`
+ # for packagekitd
+ policykit_dbus_chat(apt_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send(apt_t)
+ ')
+')
+
+optional_policy(`
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+ # rkhunter trigger
+ rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
+
+optional_policy(`
+ unconfined_domain(apt_t)
+')
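Review bot: `files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)` sets up creation of apt_var_lib_t directories, but the only rule on that type is `manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)`, which grants rw_dir_perms on the directory rather than dir create/rename/unlink; the cache block a few lines earlier pairs its filetrans with `manage_dirs_pattern`. Unless a dir create rule for apt_var_lib_t exists elsewhere, that transition will be denied, so add `manage_dirs_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)` alongside the file pattern.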
diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc
new file mode 100644
index 00000000..349c26f5
--- /dev/null
+++ b/policy/modules/admin/backup.fc
@@ -0,0 +1,5 @@
+/etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron\.daily/passwd -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
+
+/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
new file mode 100644
index 00000000..fe3f740d
--- /dev/null
+++ b/policy/modules/admin/backup.if
@@ -0,0 +1,67 @@
+## <summary>System backup scripts.</summary>
+
+########################################
+## <summary>
+## Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`backup_domtrans',`
+ gen_require(`
+ type backup_t, backup_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, backup_exec_t, backup_t)
+')
+
+########################################
+## <summary>
+## Execute backup in the backup
+## domain, and allow the specified
+## role the backup domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`backup_run',`
+ gen_require(`
+ attribute_role backup_roles;
+ ')
+
+ backup_domtrans($1)
+ roleattribute $2 backup_roles;
+')
+
+########################################
+## <summary>
+## Create, read, and write backup
+## store files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`backup_manage_store_files',`
+ gen_require(`
+ type backup_store_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, backup_store_t, backup_store_t)
+')
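Review bot: The summary of `backup_manage_store_files` says "Create, read, and write backup store files" but the body is `manage_files_pattern`, which also grants rename, link and unlink; change it to `## Create, read, write, and delete backup store files.` so it matches the wording of the manage interfaces in apt.if (`apt_manage_cache`, `apt_manage_db`).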
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
new file mode 100644
index 00000000..ca3727ca
--- /dev/null
+++ b/policy/modules/admin/backup.te
@@ -0,0 +1,82 @@
+policy_module(backup, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role backup_roles;
+roleattribute system_r backup_roles;
+
+type backup_t;
+type backup_exec_t;
+application_domain(backup_t, backup_exec_t)
+role backup_roles types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability { chown dac_override fsetid };
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_fifo_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:file setattr_file_perms;
+manage_files_pattern(backup_t, backup_store_t, backup_store_t)
+rw_files_pattern(backup_t, backup_store_t, backup_store_t)
+read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+corecmd_exec_shell(backup_t)
+
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_generic_node(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+userdom_use_user_terminals(backup_t)
+
+optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(backup_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(backup_t)
+')
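Review bot: `allow backup_t backup_store_t:file setattr_file_perms;` and `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` are subsumed by the `manage_files_pattern(backup_t, backup_store_t, backup_store_t)` between them, since manage_file_perms already includes setattr, read and write; dropping the two redundant lines leaves the grant unchanged and makes the store-file access a single rule to review.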
diff --git a/policy/modules/admin/bacula.fc b/policy/modules/admin/bacula.fc
new file mode 100644
index 00000000..27c021c3
--- /dev/null
+++ b/policy/modules/admin/bacula.fc
@@ -0,0 +1,21 @@
+/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0)
+
+/etc/bacula.* gen_context(system_u:object_r:bacula_etc_t,s0)
+
+/etc/rc\.d/init\.d/bacula.* -- gen_context(system_u:object_r:bacula_initrc_exec_t,s0)
+
+/usr/bin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/bin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/bin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+/usr/sbin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+/var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+/var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
+
+/run/bacula.* -- gen_context(system_u:object_r:bacula_var_run_t,s0)
+
+/var/spool/bacula.* gen_context(system_u:object_r:bacula_spool_t,s0)
diff --git a/policy/modules/admin/bacula.if b/policy/modules/admin/bacula.if
new file mode 100644
index 00000000..eba3f1ca
--- /dev/null
+++ b/policy/modules/admin/bacula.if
@@ -0,0 +1,93 @@
+## <summary>Cross platform network backup.</summary>
+
+########################################
+## <summary>
+## Execute bacula admin bacula
+## admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bacula_domtrans_admin',`
+ gen_require(`
+ type bacula_admin_t, bacula_admin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+## Execute user interfaces in the
+## bacula admin domain, and allow the
+## specified role the bacula admin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_run_admin',`
+ gen_require(`
+ attribute_role bacula_admin_roles;
+ ')
+
+ bacula_domtrans_admin($1)
+ roleattribute $2 bacula_admin_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bacula environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_admin',`
+ gen_require(`
+ type bacula_t, bacula_etc_t, bacula_log_t;
+ type bacula_spool_t, bacula_var_lib_t;
+ type bacula_var_run_t, bacula_initrc_exec_t;
+ ')
+
+ allow $1 bacula_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bacula_t)
+
+ init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, bacula_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, bacula_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, bacula_spool_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, bacula_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, bacula_var_run_t)
+')
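Review bot: The summary of `bacula_domtrans_admin` reads "Execute bacula admin bacula admin domain", which is garbled; `## Execute bacula admin user interfaces in the bacula admin domain.` describes what the `domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)` body does. In `bacula_admin`, "administrate an bacula environment" should read "a bacula environment".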
diff --git a/policy/modules/admin/bacula.te b/policy/modules/admin/bacula.te
new file mode 100644
index 00000000..8def92c1
--- /dev/null
+++ b/policy/modules/admin/bacula.te
@@ -0,0 +1,158 @@
+policy_module(bacula, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bacula_admin_roles;
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_initrc_exec_t;
+init_script_file(bacula_initrc_exec_t)
+
+type bacula_etc_t;
+files_type(bacula_etc_t)
+
+type bacula_log_t;
+logging_log_file(bacula_log_t)
+
+type bacula_spool_t;
+files_type(bacula_spool_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+role bacula_admin_roles types bacula_admin_t;
+
+########################################
+#
+# Local policy
+#
+
+allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid };
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket { accept listen };
+
+read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
+append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+
+manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+
+manage_dirs_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, dir)
+
+allow bacula_t bacula_var_run_t:file manage_file_perms;
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_all_recvfrom_unlabeled(bacula_t)
+corenet_all_recvfrom_netlabel(bacula_t)
+corenet_tcp_sendrecv_generic_if(bacula_t)
+corenet_udp_sendrecv_generic_if(bacula_t)
+corenet_tcp_sendrecv_generic_node(bacula_t)
+corenet_udp_sendrecv_generic_node(bacula_t)
+corenet_tcp_sendrecv_all_ports(bacula_t)
+corenet_udp_sendrecv_all_ports(bacula_t)
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+
+corenet_sendrecv_generic_server_packets(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+
+corenet_sendrecv_hplip_server_packets(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+
+corenet_sendrecv_all_client_packets(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+sysnet_dns_name_resolve(bacula_t)
+
+optional_policy(`
+ mysql_stream_connect(bacula_t)
+ mysql_tcp_connect(bacula_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+ sysnet_use_ldap(bacula_t)
+ ldap_stream_connect(bacula_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket { accept listen };
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t)
+
+corenet_all_recvfrom_unlabeled(bacula_admin_t)
+corenet_all_recvfrom_netlabel(bacula_admin_t)
+corenet_tcp_sendrecv_generic_if(bacula_admin_t)
+corenet_tcp_sendrecv_generic_node(bacula_admin_t)
+corenet_tcp_sendrecv_all_ports(bacula_admin_t)
+corenet_tcp_bind_generic_node(bacula_admin_t)
+
+corenet_sendrecv_hplip_client_packets(bacula_admin_t)
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)
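Review bot: bacula_t is granted corenet_tcp_connect_all_ports and corenet_sendrecv_all_client_packets even though the rest of the daemon block binds and labels its own traffic through the hplip port type, and the admin domain later in the same file gets by with `corenet_tcp_connect_hplip_port(bacula_admin_t)`. Unless connecting to a backup peer on an arbitrary port is a supported configuration, `corenet_tcp_connect_hplip_port(bacula_t)` together with the mysql and ldap optional blocks already present would appear to cover the daemon-to-daemon connections; if the wide grant is deliberate, a comment saying which peer needs it would settle that. The whole-filesystem and shadow reads (files_read_all_files, auth_read_shadow) are inherent to a backup daemon, but a one-line comment such as `# backup daemon: must read every file, including /etc/shadow` keeps the next reviewer from treating them as over-grants.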
diff --git a/policy/modules/admin/bcfg2.fc b/policy/modules/admin/bcfg2.fc
new file mode 100644
index 00000000..feb5d9d9
--- /dev/null
+++ b/policy/modules/admin/bcfg2.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
+/usr/bin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+
+/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0)
diff --git a/policy/modules/admin/bcfg2.if b/policy/modules/admin/bcfg2.if
new file mode 100644
index 00000000..0cd2d35b
--- /dev/null
+++ b/policy/modules/admin/bcfg2.if
@@ -0,0 +1,151 @@
+## <summary>configuration management suite.</summary>
+
+########################################
+## <summary>
+## Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_domtrans',`
+ gen_require(`
+ type bcfg2_t, bcfg2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
+')
+
+########################################
+## <summary>
+## Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_initrc_domtrans',`
+ gen_require(`
+ type bcfg2_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_search_lib',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ allow $1 bcfg2_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read bcfg2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_read_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bcfg2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_dirs',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bcfg2 environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_admin',`
+ gen_require(`
+ type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
+ type bcfg2_var_run_t;
+ ')
+
+ allow $1 bcfg2_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bcfg2_t)
+
+ init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, bcfg2_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_var_lib_t)
+')
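Review bot: The summary on bcfg2_initrc_domtrans reads `## Execute bcfg2 server in the bcfg2 domain.`, but the body calls init_labeled_script_domtrans, which transitions into the init script domain rather than bcfg2_t, and the wording is nearly identical to the bcfg2_domtrans summary above it. Suggest `## Execute bcfg2 server init scripts in the init script domain.` so callers pick the right interface. While here, `## administrate an bcfg2 environment.` in bcfg2_admin should read `a bcfg2`; the same phrasing appears in bacula_admin and cfengine_admin in this commit.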
diff --git a/policy/modules/admin/bcfg2.te b/policy/modules/admin/bcfg2.te
new file mode 100644
index 00000000..3897511e
--- /dev/null
+++ b/policy/modules/admin/bcfg2.te
@@ -0,0 +1,61 @@
+policy_module(bcfg2, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bcfg2_t;
+type bcfg2_exec_t;
+init_daemon_domain(bcfg2_t, bcfg2_exec_t)
+
+type bcfg2_initrc_exec_t;
+init_script_file(bcfg2_initrc_exec_t)
+
+type bcfg2_var_lib_t;
+files_type(bcfg2_var_lib_t)
+
+type bcfg2_var_run_t;
+files_pid_file(bcfg2_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bcfg2_t self:fifo_file rw_fifo_file_perms;
+allow bcfg2_t self:tcp_socket { accept listen };
+allow bcfg2_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir)
+
+manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t)
+files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file)
+
+kernel_read_system_state(bcfg2_t)
+
+corenet_all_recvfrom_unlabeled(bcfg2_t)
+corenet_all_recvfrom_netlabel(bcfg2_t)
+corenet_tcp_sendrecv_generic_if(bcfg2_t)
+corenet_tcp_sendrecv_generic_node(bcfg2_t)
+corenet_tcp_bind_generic_node(bcfg2_t)
+
+corenet_sendrecv_cyphesis_server_packets(bcfg2_t)
+corenet_tcp_bind_cyphesis_port(bcfg2_t)
+corenet_tcp_sendrecv_cyphesis_port(bcfg2_t)
+
+corecmd_exec_bin(bcfg2_t)
+
+dev_read_urand(bcfg2_t)
+
+domain_use_interactive_fds(bcfg2_t)
+
+files_read_usr_files(bcfg2_t)
+
+auth_use_nsswitch(bcfg2_t)
+
+logging_send_syslog_msg(bcfg2_t)
+
+miscfiles_read_localization(bcfg2_t)
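Review bot: The listening port is granted through the cyphesis port label (corenet_sendrecv_cyphesis_server_packets, corenet_tcp_bind_cyphesis_port, corenet_tcp_sendrecv_cyphesis_port) with nothing explaining why a configuration-management server would use a game-server port type; presumably bcfg2-server's default port falls inside the range corenetwork labels cyphesis_port_t. A comment on the first of those lines, e.g. `# bcfg2-server's listening port is labeled cyphesis_port_t in corenetwork`, would stop a later cleanup from "fixing" it. If that range is in practice used only by bcfg2, a dedicated port type would be cleaner still.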
diff --git a/policy/modules/admin/blueman.fc b/policy/modules/admin/blueman.fc
new file mode 100644
index 00000000..c295d2e0
--- /dev/null
+++ b/policy/modules/admin/blueman.fc
@@ -0,0 +1,3 @@
+/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+
+/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/policy/modules/admin/blueman.if b/policy/modules/admin/blueman.if
new file mode 100644
index 00000000..16ec5252
--- /dev/null
+++ b/policy/modules/admin/blueman.if
@@ -0,0 +1,99 @@
+## <summary>Tool to manage Bluetooth devices.</summary>
+
+########################################
+## <summary>
+## Execute blueman in the blueman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blueman_domtrans',`
+ gen_require(`
+ type blueman_t, blueman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, blueman_exec_t, blueman_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## blueman over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_dbus_chat',`
+ gen_require(`
+ type blueman_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 blueman_t:dbus send_msg;
+ allow blueman_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search blueman lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_search_lib',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ allow $1 blueman_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read blueman lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_read_lib_files',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## blueman lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_manage_lib_files',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')
diff --git a/policy/modules/admin/blueman.te b/policy/modules/admin/blueman.te
new file mode 100644
index 00000000..718e3bf3
--- /dev/null
+++ b/policy/modules/admin/blueman.te
@@ -0,0 +1,70 @@
+policy_module(blueman, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type blueman_t;
+type blueman_exec_t;
+dbus_system_domain(blueman_t, blueman_exec_t)
+
+type blueman_var_lib_t;
+files_type(blueman_var_lib_t)
+
+type blueman_var_run_t;
+files_pid_file(blueman_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow blueman_t self:capability { net_admin sys_nice };
+allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
+
+manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
+
+kernel_read_net_sysctls(blueman_t)
+kernel_read_system_state(blueman_t)
+kernel_request_load_module(blueman_t)
+
+corecmd_exec_bin(blueman_t)
+
+dev_read_rand(blueman_t)
+dev_read_urand(blueman_t)
+dev_rw_wireless(blueman_t)
+
+domain_use_interactive_fds(blueman_t)
+
+files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
+files_read_usr_files(blueman_t)
+
+auth_use_nsswitch(blueman_t)
+
+logging_send_syslog_msg(blueman_t)
+
+miscfiles_read_localization(blueman_t)
+
+sysnet_domtrans_ifconfig(blueman_t)
+
+optional_policy(`
+ avahi_domtrans(blueman_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(blueman_t)
+ dnsmasq_read_pid_files(blueman_t)
+')
+
+optional_policy(`
+ iptables_domtrans(blueman_t)
+')
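Review bot: blueman_var_run_t is declared and managed here (manage_dirs/files_pattern plus files_pid_filetrans with `{ dir file }`), but the blueman.fc hunk in this commit labels only /usr/libexec/blueman-mechanism and /var/lib/blueman, so the runtime files obtain the type solely through the transition and fall back to the generic /run label on a relabel; blueman.if exposes no interface for the type either. If the daemon does write under /run, add a file context such as `/run/<blueman runtime path>(/.*)? gen_context(system_u:object_r:blueman_var_run_t,s0)` (path to be confirmed against the package); if it does not, the type and its three rules can be dropped. A short comment on `allow blueman_t self:capability { net_admin sys_nice };` saying which operation needs each capability would also help, since the ifconfig, iptables and dnsmasq transitions suggest most network setup is delegated rather than done in this domain.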
diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
new file mode 100644
index 00000000..ed472f09
--- /dev/null
+++ b/policy/modules/admin/brctl.fc
@@ -0,0 +1,3 @@
+/usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
new file mode 100644
index 00000000..422a5c66
--- /dev/null
+++ b/policy/modules/admin/brctl.if
@@ -0,0 +1,45 @@
+## <summary>Utilities for configuring the Linux ethernet bridge.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+')
+
+########################################
+## <summary>
+## Execute brctl in the brctl domain, and
+## allow the specified role the brctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`brctl_run',`
+ gen_require(`
+ attribute_role brctl_roles;
+ ')
+
+ brctl_domtrans($1)
+ roleattribute $2 brctl_roles;
+')
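Review bot: brctl_run grants a role the brctl domain (`roleattribute $2 brctl_roles;`) but its doc block lacks the `## <rolecap/>` tag that bacula_run_admin, certwatch_run and ddcprobe_run in this same commit carry; chkrootkit_run in chkrootkit.if has the same omission. Add `## <rolecap/>` after the role parameter block in both interfaces so they are listed as role capabilities in the generated documentation, consistent with the other *_run interfaces.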
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
new file mode 100644
index 00000000..fad61476
--- /dev/null
+++ b/policy/modules/admin/brctl.te
@@ -0,0 +1,47 @@
+policy_module(brctl, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role brctl_roles;
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+role brctl_roles types brctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_create_sysfs_files(brctl_t)
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')
diff --git a/policy/modules/admin/certwatch.fc b/policy/modules/admin/certwatch.fc
new file mode 100644
index 00000000..726720cc
--- /dev/null
+++ b/policy/modules/admin/certwatch.fc
@@ -0,0 +1 @@
+/etc/cron\.daily/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
new file mode 100644
index 00000000..54e6e661
--- /dev/null
+++ b/policy/modules/admin/certwatch.if
@@ -0,0 +1,48 @@
+## <summary>Digital Certificate Tracking.</summary>
+
+########################################
+## <summary>
+## Domain transition to certwatch.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certwatch_domtrans',`
+ gen_require(`
+ type certwatch_exec_t, certwatch_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, certwatch_exec_t, certwatch_t)
+')
+
+########################################
+## <summary>
+## Execute certwatch in the certwatch
+## domain, and allow the specified role
+## the certwatch domain.
+## backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certwatch_run',`
+ gen_require(`
+ attribute_role certwatch_roles;
+ ')
+
+ certwatch_domtrans($1)
+ roleattribute $2 certwatch_roles;
+')
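Review bot: The certwatch_run summary contains a stray line, `## backchannel.`, after `## the certwatch domain.`, which reads as a leftover from a copied template and would be rendered verbatim into the interface documentation. Drop that line so the summary ends at `## the certwatch domain.`.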
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
new file mode 100644
index 00000000..171fafb9
--- /dev/null
+++ b/policy/modules/admin/certwatch.te
@@ -0,0 +1,57 @@
+policy_module(certwatch, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role certwatch_roles;
+roleattribute system_r certwatch_roles;
+
+type certwatch_t;
+type certwatch_exec_t;
+application_domain(certwatch_t, certwatch_exec_t)
+role certwatch_roles types certwatch_t;
+
+########################################
+#
+# Local policy
+#
+
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
+
+files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
+
+auth_manage_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
+
+logging_send_syslog_msg(certwatch_t)
+
+miscfiles_read_all_certs(certwatch_t)
+miscfiles_read_localization(certwatch_t)
+
+userdom_use_user_terminals(certwatch_t)
+userdom_dontaudit_list_user_home_dirs(certwatch_t)
+
+optional_policy(`
+ apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(certwatch_t, certwatch_exec_t)
+')
+
+optional_policy(`
+ pcscd_domtrans(certwatch_t)
+ pcscd_read_pid_files(certwatch_t)
+ pcscd_stream_connect(certwatch_t)
+')
diff --git a/policy/modules/admin/cfengine.fc b/policy/modules/admin/cfengine.fc
new file mode 100644
index 00000000..807467cb
--- /dev/null
+++ b/policy/modules/admin/cfengine.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+
+/usr/bin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/bin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/bin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
+
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_log_t,s0)
diff --git a/policy/modules/admin/cfengine.if b/policy/modules/admin/cfengine.if
new file mode 100644
index 00000000..ff0b0038
--- /dev/null
+++ b/policy/modules/admin/cfengine.if
@@ -0,0 +1,104 @@
+## <summary>System administration tool for networks.</summary>
+
+#######################################
+## <summary>
+## The template to define a cfengine domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`cfengine_domain_template',`
+ gen_require(`
+ attribute cfengine_domain;
+ type cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type cfengine_$1_t, cfengine_domain;
+ type cfengine_$1_exec_t;
+ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ auth_use_nsswitch(cfengine_$1_t)
+')
+
+########################################
+## <summary>
+## Read cfengine lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cfengine_read_lib_files',`
+ gen_require(`
+ type cfengine_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
+')
+
+####################################
+## <summary>
+## Do not audit attempts to write
+## cfengine log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cfengine_dontaudit_write_log_files',`
+ gen_require(`
+ type cfengine_log_t;
+ ')
+
+ dontaudit $1 cfengine_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an cfengine environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cfengine_admin',`
+ gen_require(`
+ attribute cfengine_domain;
+ type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+ allow $1 cfengine_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, cfengine_domain)
+
+ init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
+')
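Review bot: The gen_require block of cfengine_domain_template lists `type cfengine_log_t, cfengine_var_lib_t;`, but the template body never references either type; only the cfengine_domain attribute is used. Either remove that line or, if the requirement is intended as documentation of what the common policy in cfengine.te will grant, say so in a comment, e.g. `# log and lib types are used by the shared cfengine_domain rules in cfengine.te`.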
diff --git a/policy/modules/admin/cfengine.te b/policy/modules/admin/cfengine.te
new file mode 100644
index 00000000..18ffc278
--- /dev/null
+++ b/policy/modules/admin/cfengine.te
@@ -0,0 +1,77 @@
+policy_module(cfengine, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute cfengine_domain;
+
+cfengine_domain_template(serverd)
+cfengine_domain_template(execd)
+cfengine_domain_template(monitord)
+
+type cfengine_initrc_exec_t;
+init_script_file(cfengine_initrc_exec_t)
+
+type cfengine_var_lib_t;
+files_type(cfengine_var_lib_t)
+
+type cfengine_log_t;
+logging_log_file(cfengine_log_t)
+
+########################################
+#
+# Common cfengine domain local policy
+#
+
+allow cfengine_domain self:capability { chown kill setgid setuid sys_chroot };
+allow cfengine_domain self:process { setfscreate signal };
+allow cfengine_domain self:fifo_file rw_fifo_file_perms;
+allow cfengine_domain self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
+manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
+files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, dir)
+
+manage_dirs_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+append_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
+
+kernel_read_system_state(cfengine_domain)
+
+corecmd_exec_bin(cfengine_domain)
+corecmd_exec_shell(cfengine_domain)
+
+dev_read_urand(cfengine_domain)
+dev_read_sysfs(cfengine_domain)
+
+logging_send_syslog_msg(cfengine_domain)
+
+miscfiles_read_localization(cfengine_domain)
+
+sysnet_domtrans_ifconfig(cfengine_domain)
+
+########################################
+#
+# Exec local policy
+#
+
+kernel_read_sysctl(cfengine_execd_t)
+
+domain_read_all_domains_state(cfengine_execd_t)
+
+########################################
+#
+# Monitord local policy
+#
+
+kernel_read_hotplug_sysctls(cfengine_monitord_t)
+kernel_read_network_state(cfengine_monitord_t)
+
+domain_read_all_domains_state(cfengine_monitord_t)
+
+fs_getattr_xattr_fs(cfengine_monitord_t)
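Review bot: Every cfengine domain receives `chown kill setgid setuid sys_chroot` and `setfscreate` through the shared cfengine_domain attribute, while the per-daemon sections below add only read-type access; if only cf-serverd or cf-execd actually switch credentials or chroot, those lines belong in the daemon-specific sections rather than the common block. At minimum a comment on the capability line naming which daemon needs sys_chroot would record the justification. Separately, the `# Exec local policy` heading sits above rules for cfengine_execd_t; `# Execd local policy` matches the type name and the Monitord heading that follows.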
diff --git a/policy/modules/admin/chkrootkit.fc b/policy/modules/admin/chkrootkit.fc
new file mode 100644
index 00000000..fa780c34
--- /dev/null
+++ b/policy/modules/admin/chkrootkit.fc
@@ -0,0 +1,5 @@
+/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
diff --git a/policy/modules/admin/chkrootkit.if b/policy/modules/admin/chkrootkit.if
new file mode 100644
index 00000000..12589bd9
--- /dev/null
+++ b/policy/modules/admin/chkrootkit.if
@@ -0,0 +1,46 @@
+## <summary>chkrootkit - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chkrootkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_domtrans',`
+ gen_require(`
+ type chkrootkit_t, chkrootkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
+')
+
+########################################
+## <summary>
+## Execute chkrootkit in the chkrootkit domain,
+## and allow the specified role
+## the chkrootkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_run',`
+ gen_require(`
+ attribute_role chkrootkit_roles;
+ ')
+
+ chkrootkit_domtrans($1)
+ roleattribute $2 chkrootkit_roles;
+')
diff --git a/policy/modules/admin/chkrootkit.te b/policy/modules/admin/chkrootkit.te
new file mode 100644
index 00000000..6d9fc5c3
--- /dev/null
+++ b/policy/modules/admin/chkrootkit.te
@@ -0,0 +1,76 @@
+policy_module(chkrootkit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_getattr_fs(chkrootkit_t)
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+fs_getattr_xattr_fs(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')
diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc
new file mode 100644
index 00000000..747c416e
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.fc
@@ -0,0 +1,3 @@
+/usr/bin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
+
+/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
new file mode 100644
index 00000000..aeddb697
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.if
@@ -0,0 +1,47 @@
+## <summary>ddcprobe retrieves monitor and graphics card information.</summary>
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ddcprobe_domtrans',`
+ gen_require(`
+ type ddcprobe_t, ddcprobe_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
+')
+
+########################################
+## <summary>
+## Execute ddcprobe in the ddcprobe
+## domain, and allow the specified
+## role the ddcprobe domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddcprobe_run',`
+ gen_require(`
+ attribute_role ddcprobe_roles;
+ ')
+
+ ddcprobe_domtrans($1)
+ roleattribute $2 ddcprobe_roles;
+')
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
new file mode 100644
index 00000000..212316cb
--- /dev/null
+++ b/policy/modules/admin/ddcprobe.te
@@ -0,0 +1,55 @@
+policy_module(ddcprobe, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ddcprobe_roles;
+roleattribute system_r ddcprobe_roles;
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+application_domain(ddcprobe_t, ddcprobe_exec_t)
+role ddcprobe_roles types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_admin sys_rawio };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+files_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_ttys(ddcprobe_t)
+term_use_all_ptys(ddcprobe_t)
+
+libs_read_lib_files(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_module_deps(ddcprobe_t)
+
+userdom_use_user_terminals(ddcprobe_t)
+userdom_use_all_users_fds(ddcprobe_t)
+
+optional_policy(`
+ kudzu_getattr_exec_files(ddcprobe_t)
+')
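Review bot: The grant `allow ddcprobe_t self:capability { sys_admin sys_rawio };` together with `dev_read_raw_memory(ddcprobe_t)`, `dev_wx_raw_memory(ddcprobe_t)` and the unconditional `allow ddcprobe_t self:process execmem;` is not explained anywhere in the hunk, although it lets ddcprobe_t read and write physical memory. Other modules in this commit annotate such grants (dphysswapfile.te has `# sys_admin : swapon`); a comment such as `# sys_rawio + raw memory + execmem: ddcprobe presumably runs the video BIOS via /dev/mem (confirm, and drop any grant no longer needed)` above the capability rule would let a later reviewer judge each grant. The same undocumented pairing of `allow dmidecode_t self:capability sys_rawio;` with `dev_read_raw_memory(dmidecode_t)` appears in dmidecode.te. Consider also whether execmem should be gated behind the allow_execmem tunable, as dpkg.te does for dpkg_script_t, if the raw-memory path does not require it on every build.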
diff --git a/policy/modules/admin/dmidecode.fc b/policy/modules/admin/dmidecode.fc
new file mode 100644
index 00000000..0ca4c99a
--- /dev/null
+++ b/policy/modules/admin/dmidecode.fc
@@ -0,0 +1,9 @@
+/usr/bin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+
+/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
new file mode 100644
index 00000000..41c3f677
--- /dev/null
+++ b/policy/modules/admin/dmidecode.if
@@ -0,0 +1,47 @@
+## <summary>Decode DMI data for x86/ia64 bioses.</summary>
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dmidecode_domtrans',`
+ gen_require(`
+ type dmidecode_t, dmidecode_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
+')
+
+########################################
+## <summary>
+## Execute dmidecode in the dmidecode
+## domain, and allow the specified
+## role the dmidecode domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmidecode_run',`
+ gen_require(`
+ attribute_role dmidecode_roles;
+ ')
+
+ dmidecode_domtrans($1)
+ roleattribute $2 dmidecode_roles;
+')
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
new file mode 100644
index 00000000..bda30744
--- /dev/null
+++ b/policy/modules/admin/dmidecode.te
@@ -0,0 +1,34 @@
+policy_module(dmidecode, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dmidecode_roles;
+roleattribute system_r dmidecode_roles;
+
+type dmidecode_t;
+type dmidecode_exec_t;
+application_domain(dmidecode_t, dmidecode_exec_t)
+role dmidecode_roles types dmidecode_t;
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+dev_read_raw_memory(dmidecode_t)
+dev_read_sysfs(dmidecode_t)
+
+domain_use_interactive_fds(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+mls_file_read_all_levels(dmidecode_t)
+
+locallogin_use_fds(dmidecode_t)
+
+userdom_use_inherited_user_terminals(dmidecode_t)
diff --git a/policy/modules/admin/dphysswapfile.fc b/policy/modules/admin/dphysswapfile.fc
new file mode 100644
index 00000000..dd8ab602
--- /dev/null
+++ b/policy/modules/admin/dphysswapfile.fc
@@ -0,0 +1,9 @@
+/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
+
+/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
+
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
+
+/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
diff --git a/policy/modules/admin/dphysswapfile.if b/policy/modules/admin/dphysswapfile.if
new file mode 100644
index 00000000..c39464e4
--- /dev/null
+++ b/policy/modules/admin/dphysswapfile.if
@@ -0,0 +1,54 @@
+## <summary>Set up, mount/unmount, and delete an swap file.</summary>
+
+########################################
+## <summary>
+## Dontaudit acces to the swap file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dphysswapfile_dontaudit_read_swap',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type dphysswapfile_swap_t;
+ ')
+
+ dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dphys-swapfile environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dphysswapfile_admin',`
+ gen_require(`
+ type dphysswapfile_t, dphysswapfile_conf_t;
+ type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
+ ')
+
+ admin_process_pattern($1, dphysswapfile_t)
+
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dphysswapfile_conf_t)
+
+ # do not grant access to swap file for now
+')
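Review bot: The summary of `dphysswapfile_dontaudit_read_swap` reads `## Dontaudit acces to the swap file.` and should be `## Do not audit attempts to read the swap file.`, which fixes the typo and matches the wording the rest of this commit uses for dontaudit interfaces (`Do not audit attempts to ...` in dpkg.if). The interface is already marked deprecated through refpolicywarn, so this is documentation only. The `dphysswapfile_admin` summary `administrate an dphys-swapfile environment` should read `administrate a dphys-swapfile environment`.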
diff --git a/policy/modules/admin/dphysswapfile.te b/policy/modules/admin/dphysswapfile.te
new file mode 100644
index 00000000..ee4ec4e2
--- /dev/null
+++ b/policy/modules/admin/dphysswapfile.te
@@ -0,0 +1,63 @@
+policy_module(dphysswapfile, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type dphysswapfile_t;
+type dphysswapfile_exec_t;
+init_system_domain(dphysswapfile_t, dphysswapfile_exec_t)
+
+type dphysswapfile_conf_t;
+files_config_file(dphysswapfile_conf_t)
+
+type dphysswapfile_initrc_exec_t;
+init_script_file(dphysswapfile_initrc_exec_t)
+
+type dphysswapfile_swap_t;
+files_type(dphysswapfile_swap_t)
+
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
+########################################
+#
+# Policy
+#
+
+# sys_admin : swapon
+allow dphysswapfile_t self:capability sys_admin;
+allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
+allow dphysswapfile_t self:unix_stream_socket { create connect };
+
+allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
+
+allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
+
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
+
+kernel_read_system_state(dphysswapfile_t)
+
+corecmd_exec_bin(dphysswapfile_t)
+corecmd_exec_shell(dphysswapfile_t)
+
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
+# ignore ls -l /var/swap noise
+files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
+files_read_etc_files(dphysswapfile_t)
+files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
+
+fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
+
+miscfiles_read_localization(dphysswapfile_t)
+
+storage_getattr_removable_dev(dphysswapfile_t)
+
+userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
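Review bot: `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)` labels every file dphysswapfile_t creates directly under /var as dphysswapfile_swap_t, while the comment `# ignore ls -l /var/swap noise` suggests the swap file has a fixed name. If the name is fixed in the shipped configuration, the named form `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")` narrows the transition to that one file; since `/etc/dphys-swapfile` is labeled as a config file and presumably can change the path, whichever form is kept deserves a one-line comment above the rule stating the assumption. The rule pair `allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };` and `fstools_relabelto_swap_files(dphysswapfile_t)` would also read more easily with a single comment saying the file is created as dphysswapfile_swap_t and then relabeled to swapfile_t for mkswap, so the two rules are understood together.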
diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc
new file mode 100644
index 00000000..9ba6e312
--- /dev/null
+++ b/policy/modules/admin/dpkg.fc
@@ -0,0 +1,14 @@
+/etc/cron\.daily/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
new file mode 100644
index 00000000..a5e88d6f
--- /dev/null
+++ b/policy/modules/admin/dpkg.if
@@ -0,0 +1,321 @@
+## <summary>Debian package manager.</summary>
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans',`
+ gen_require(`
+ type dpkg_t, dpkg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dpkg_exec_t, dpkg_t)
+')
+
+########################################
+## <summary>
+## Execute the dkpg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_exec',`
+ gen_require(`
+ type dpkg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dpkg_exec_t)
+')
+
+########################################
+## <summary>
+## Execute dpkg_script programs in
+## the dpkg_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans_script',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ corecmd_shell_domtrans($1, dpkg_script_t)
+ allow dpkg_script_t $1:fd use;
+ allow dpkg_script_t $1:fifo_file rw_file_perms;
+ allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## access dpkg_script fifos
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dpkg_run',`
+ gen_require(`
+ attribute_role dpkg_roles;
+ ')
+
+ dpkg_domtrans($1)
+ roleattribute $2 dpkg_roles;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_fds',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from unnamed dpkg pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write unnamed dpkg pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_rw_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_script_fds',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read dpkg package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dpkg package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+ manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create,
+## read, write, and delete dpkg
+## package database content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dpkg_dontaudit_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## dpkg lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_lock_db',`
+ gen_require(`
+ type dpkg_lock_t, dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ allow $1 dpkg_lock_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## manage dpkg_script_tmp_t files and dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## map dpkg_script_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_map_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:file map;
+')
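Review bot: `dpkg_script_rw_inherited_pipes` carries the same summary as `dpkg_use_script_fds` (`Inherit and use file descriptors from dpkg scripts.`) although it additionally grants `rw_inherited_file_perms` on dpkg_script_t fifo_files; its summary should read `## Inherit and use file descriptors from dpkg scripts, and read and write their inherited unnamed pipes.`. The `dpkg_exec` summary has a typo, `dkpg`. As a point of style, `dpkg_domtrans_script` and `dpkg_script_rw_pipes` use `rw_file_perms` on the fifo_file class where the rest of this module (`dpkg_rw_pipes`, `dpkg_read_pipes`) uses the fifo-specific `rw_fifo_file_perms`/`read_fifo_file_perms` sets; aligning them keeps the permission sets granted on pipes consistent across the module.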
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
new file mode 100644
index 00000000..e7747bc7
--- /dev/null
+++ b/policy/modules/admin/dpkg.te
@@ -0,0 +1,348 @@
+policy_module(dpkg, 1.12.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+type dpkg_t;
+type dpkg_exec_t;
+init_system_domain(dpkg_t, dpkg_exec_t)
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role dpkg_roles types dpkg_t;
+
+type dpkg_lock_t;
+files_lock_file(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role dpkg_roles types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+# out of order to work around compiler issue
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
+
+manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
+fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow dpkg_t dpkg_var_lib_t:file mmap_exec_file_perms;
+manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
+files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
+corenet_tcp_sendrecv_generic_if(dpkg_t)
+corenet_tcp_sendrecv_generic_node(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+
+corenet_sendrecv_all_client_packets(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+files_relabel_non_auth_files(dpkg_t)
+files_manage_non_auth_files(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_all_levels(dpkg_t)
+mls_file_write_all_levels(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+storage_raw_read_fixed_disk(dpkg_t)
+
+auth_dontaudit_read_shadow(dpkg_t)
+
+init_all_labeled_script_domtrans(dpkg_t)
+init_use_script_ptys(dpkg_t)
+
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_run_ldconfig(dpkg_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_t)
+
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_user_terminals(dpkg_t)
+userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
+
+dpkg_domtrans_script(dpkg_t)
+
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
+optional_policy(`
+ backup_manage_store_files(dpkg_t)
+')
+
+optional_policy(`
+ cron_system_entry(dpkg_t, dpkg_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_t)
+')
+
+optional_policy(`
+ modutils_run(dpkg_t, dpkg_roles)
+')
+
+optional_policy(`
+ mta_send_mail(dpkg_t)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(dpkg_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_t, dpkg_roles)
+')
+
+########################################
+#
+# Script Local policy
+#
+
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
+allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
+
+allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_all_executables(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# Use named file transition to fix this
+# dev_manage_generic_blk_files(dpkg_script_t)
+# dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_all_levels(dpkg_script_t)
+mls_file_write_all_levels(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_use_all_terms(dpkg_script_t)
+
+files_manage_non_auth_files(dpkg_script_t)
+
+auth_manage_shadow(dpkg_script_t)
+
+init_all_labeled_script_domtrans(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
+init_manage_script_service(dpkg_script_t)
+init_startstop_all_script_services(dpkg_script_t)
+init_admin(dpkg_script_t)
+
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_run_ldconfig(dpkg_script_t, dpkg_roles)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
+ bootloader_run(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
+ modutils_run(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`
+ systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_script_t)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+ usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+')
+
+ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy(dpkg_t)
+')
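Review bot: The trailing distro_gentoo ifdef block grants `seutil_relabelto_bin_policy(dpkg_t)` but sits under the `# Script Local policy` heading, which is otherwise entirely about dpkg_script_t; it belongs with the other dpkg_t rules, next to `files_relabel_non_auth_files(dpkg_t)` that its comment refers to. The note `# Use named file transition to fix this` above `dev_manage_all_blk_files(dpkg_script_t)` and `dev_manage_all_chr_files(dpkg_script_t)` records an acknowledged over-grant (management of every device node) without saying which nodes maintainer scripts actually need, so a sentence naming them would make the TODO actionable. Finally, for both domains the `self:unix_dgram_socket` and `self:unix_stream_socket` rules are split in two (`create_socket_perms` then `sendto`, `rw_stream_socket_perms` then `connectto`) and could be merged into one rule per class.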
diff --git a/policy/modules/admin/fakehwclock.fc b/policy/modules/admin/fakehwclock.fc
new file mode 100644
index 00000000..85ea9317
--- /dev/null
+++ b/policy/modules/admin/fakehwclock.fc
@@ -0,0 +1,9 @@
+/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+
+/etc/rc\.d/init\.d/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_initrc_exec_t,s0)
+
+/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
+/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
+
+/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
diff --git a/policy/modules/admin/fakehwclock.if b/policy/modules/admin/fakehwclock.if
new file mode 100644
index 00000000..3e5afb14
--- /dev/null
+++ b/policy/modules/admin/fakehwclock.if
@@ -0,0 +1,80 @@
+## <summary>fake-hwclock - Control fake hardware clock.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fake-hwclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ type fakehwclock_t, fakehwclock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
+')
+
+########################################
+## <summary>
+## Execute fake-hwclock in the fake-hwclock domain,
+## and allow the specified role
+## the fake-hwclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_run',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ gen_require(`
+ attribute_role fakehwclock_roles;
+ ')
+
+ fakehwclock_domtrans($1)
+ roleattribute $2 fakehwclock_roles;
+')
+
+########################################
+## <summary>
+## All the rules required to
+## administrate an fake-hwclock environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_admin',`
+ gen_require(`
+ type fakehwclock_t, fakehwclock_exec_t, fakehwclock_backup_t;
+ type fakehwclock_initrc_exec_t, fakehwclock_unit_t;
+ ')
+
+ admin_process_pattern($1, fakehwclock_t)
+
+ init_startstop_service($1, $2, fakehwclock_t, fakehwclock_initrc_exec_t, fakehwclock_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, fakehwclock_backup_t)
+')
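Review bot: `fakehwclock_admin` requires `type fakehwclock_t, fakehwclock_exec_t, fakehwclock_backup_t;` but never references fakehwclock_exec_t, so that type should be dropped from gen_require. It also lacks the `## <rolecap/>` tag that `dphysswapfile_admin` in this commit carries, although it takes a role parameter and passes it to init_startstop_service; add `## <rolecap/>` before the closing `#` of its header. `fakehwclock_run` triggers a second deprecation warning because it calls the already-deprecated `fakehwclock_domtrans`; if both stay, a comment naming the intended replacement (presumably the init-started service path) would help callers migrate.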
diff --git a/policy/modules/admin/fakehwclock.te b/policy/modules/admin/fakehwclock.te
new file mode 100644
index 00000000..a773824c
--- /dev/null
+++ b/policy/modules/admin/fakehwclock.te
@@ -0,0 +1,42 @@
+policy_module(fakehwclock, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fakehwclock_roles;
+
+type fakehwclock_t;
+type fakehwclock_exec_t;
+init_system_domain(fakehwclock_t, fakehwclock_exec_t)
+role fakehwclock_roles types fakehwclock_t;
+
+type fakehwclock_backup_t;
+files_type(fakehwclock_backup_t)
+
+type fakehwclock_initrc_exec_t;
+init_script_file(fakehwclock_initrc_exec_t)
+
+type fakehwclock_unit_t;
+init_unit_file(fakehwclock_unit_t)
+
+########################################
+#
+# policy
+#
+
+# sys_time : set system time
+allow fakehwclock_t self:capability sys_time;
+allow fakehwclock_t self:fifo_file rw_fifo_file_perms;
+
+allow fakehwclock_t fakehwclock_backup_t:file manage_file_perms;
+
+corecmd_exec_bin(fakehwclock_t)
+corecmd_exec_shell(fakehwclock_t)
+
+miscfiles_read_localization(fakehwclock_t)
+
+optional_policy(`
+ cron_system_entry(fakehwclock_t, fakehwclock_exec_t)
+')
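Review bot: `allow fakehwclock_t fakehwclock_backup_t:file manage_file_perms;` covers an existing `/etc/fake-hwclock.data`, but there is no `files_etc_filetrans` rule, so a file the tool creates anew (first run, or after deletion) would be labeled as a generic etc file and fall outside this rule; if the tool does create it, add `files_etc_filetrans(fakehwclock_t, fakehwclock_backup_t, file, "fake-hwclock.data")`. Whether creation happens depends on the fake-hwclock script, which is outside this diff, so confirm before adding. The hunk also declares `attribute_role fakehwclock_roles;` without the `roleattribute system_r fakehwclock_roles;` line that ddcprobe.te and dmidecode.te carry; that is probably intentional for an init_system_domain, but a one-line comment saying the role comes from init would answer the question for the next reader.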
diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc
new file mode 100644
index 00000000..2aafeb25
--- /dev/null
+++ b/policy/modules/admin/firstboot.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+
+/usr/bin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
new file mode 100644
index 00000000..280f875f
--- /dev/null
+++ b/policy/modules/admin/firstboot.if
@@ -0,0 +1,158 @@
+## <summary>Initial system configuration utility.</summary>
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, firstboot_exec_t, firstboot_t)
+')
+
+########################################
+## <summary>
+## Execute firstboot in the firstboot
+## domain, and allow the specified role
+## the firstboot domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_run',`
+ gen_require(`
+ attribute_role firstboot_roles;
+ ')
+
+ firstboot_domtrans($1)
+ roleattribute $2 firstboot_roles;
+')
+
+########################################
+## <summary>
+## Inherit and use firstboot file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## firstboot file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fd use;
+')
+
+########################################
+## <summary>
+## Write firstboot unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_write_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and Write firstboot unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firstboot_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and
+## write firstboot unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attemps to read and
+## write firstboot unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
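Review bot: `firstboot_run` (the second interface) is missing the `## <rolecap/>` tag that the other run interfaces in this commit carry (`hwloc_run_dhwd`, `kismet_run`, `kudzu_run`), so the generated role-capability documentation will not list it; add `## <rolecap/>` after the role `</param>` block. Two summaries also misspell "attempts" as "attemps", in `firstboot_dontaudit_rw_pipes` and `firstboot_dontaudit_rw_stream_sockets`.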
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
new file mode 100644
index 00000000..1576b498
--- /dev/null
+++ b/policy/modules/admin/firstboot.te
@@ -0,0 +1,127 @@
+policy_module(firstboot, 1.14.1)
+
+gen_require(`
+ class passwd { passwd chfn chsh rootok };
+')
+
+########################################
+#
+# Declarations
+#
+
+attribute_role firstboot_roles;
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t, firstboot_exec_t)
+domain_obj_id_change_exemption(firstboot_t)
+domain_subj_id_change_exemption(firstboot_t)
+role firstboot_roles types firstboot_t;
+
+type firstboot_initrc_exec_t;
+init_script_file(firstboot_initrc_exec_t)
+
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:fifo_file rw_fifo_file_perms;
+allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:passwd { rootok passwd chfn chsh };
+
+allow firstboot_t firstboot_etc_t:file read_file_perms;
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+init_domtrans_script(firstboot_t)
+init_rw_utmp(firstboot_t)
+
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fds(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+sysnet_dns_name_resolve(firstboot_t)
+
+userdom_use_user_terminals(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+
+userdom_user_content_access_template(firstboot, firstboot_t)
+
+tunable_policy(`firstboot_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(firstboot_t)
+ userdom_manage_user_home_content_sockets(firstboot_t)
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+')
+
+optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+ hal_dbus_chat(firstboot_t)
+ ')
+')
+
+optional_policy(`
+ modutils_domtrans(firstboot_t)
+ modutils_read_module_config(firstboot_t)
+ modutils_read_module_deps(firstboot_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(firstboot_t)
+')
+
+optional_policy(`
+ samba_rw_config(firstboot_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(firstboot_t)
+ unconfined_domain(firstboot_t)
+')
+
+optional_policy(`
+ gnome_manage_generic_home_content(firstboot_t)
+')
+
+optional_policy(`
+ xserver_domtrans(firstboot_t)
+ xserver_rw_shm(firstboot_t)
+ xserver_unconfined(firstboot_t)
+ xserver_stream_connect(firstboot_t)
+')
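Review bot: `allow firstboot_t self:passwd { rootok passwd chfn chsh };` in the local policy section grants the `rootok` permission with no comment, and the same section later makes the domain unconfined under `optional_policy` via `unconfined_domain(firstboot_t)`; both are rules that need a why-comment in the style of fakehwclock.te's `# sys_time : set system time`. Suggest `# rootok: presumably lets firstboot change account data without re-authentication — confirm` above the passwd rule, and `# when the unconfined module is loaded firstboot is fully unconfined; the fine-grained rules above only apply without it` above that optional block. The `{ dac_override setgid }` capability line would benefit from the same treatment.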
diff --git a/policy/modules/admin/hwloc.fc b/policy/modules/admin/hwloc.fc
new file mode 100644
index 00000000..136bb697
--- /dev/null
+++ b/policy/modules/admin/hwloc.fc
@@ -0,0 +1,7 @@
+/usr/bin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/policy/modules/admin/hwloc.if b/policy/modules/admin/hwloc.if
new file mode 100644
index 00000000..c2349ecf
--- /dev/null
+++ b/policy/modules/admin/hwloc.if
@@ -0,0 +1,106 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+ ')
+
+ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain, and
+## allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+ gen_require(`
+ attribute_role hwloc_dhwd_roles;
+ ')
+
+ hwloc_domtrans_dhwd($1)
+ roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_exec_t;
+ ')
+
+ can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+## Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_var_run_t;
+ ')
+
+ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hwloc_dhwd_t)
+
+ admin_pattern($1, hwloc_var_run_t)
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
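Review bot: `hwloc_domtrans_dhwd` omits `corecmd_search_bin($1)` before `domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)`, while every other domtrans interface in this commit (`firstboot_domtrans`, `kdump_domtrans`, `kismet_domtrans`, `kudzu_domtrans`) includes it; hwloc.fc places the executable under /usr/bin and /usr/sbin, so a caller without its own bin search cannot reach it. Add `corecmd_search_bin($1)` as the first body line. The summary of `hwloc_run_dhwd` ends with a comma ("... the hwloc dhwd domain,") where a period is intended.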
diff --git a/policy/modules/admin/hwloc.te b/policy/modules/admin/hwloc.te
new file mode 100644
index 00000000..e0e2243f
--- /dev/null
+++ b/policy/modules/admin/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+init_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
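Review bot: `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` in the local policy section is unnamed, so any directory the domain creates directly under /run receives hwloc_var_run_t, whereas `hwloc_admin` in hwloc.if uses the named form with "hwloc" and hwloc.fc labels only /run/hwloc. Making the two consistent, `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")`, keeps the transition scoped to the directory the .fc describes.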
diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
new file mode 100644
index 00000000..4e396725
--- /dev/null
+++ b/policy/modules/admin/kdump.fc
@@ -0,0 +1,12 @@
+/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/usr/bin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/bin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
+/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
+
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
new file mode 100644
index 00000000..56fb3395
--- /dev/null
+++ b/policy/modules/admin/kdump.if
@@ -0,0 +1,113 @@
+## <summary>Kernel crash dumping mechanism.</summary>
+
+######################################
+## <summary>
+## Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_domtrans',`
+ gen_require(`
+ type kdump_t, kdump_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+## <summary>
+## Execute kdump init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdump_initrc_domtrans',`
+ gen_require(`
+ type kdump_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+## Read kdump configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Create, read, write, and delete
+## kdmup configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_manage_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+## All of the rules required to
+## administrate an kdump environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
+ type kdump_initrc_exec_t, kdumpctl_t;
+ ')
+
+ allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { kdump_t kdumpctl_t })
+
+ init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, kdumpctl_tmp_t)
+')
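Review bot: `kdump_admin` calls `init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t)` without the unit type, although kdump.te declares `kdump_unit_t` and kdump.fc labels `/usr/lib/systemd/system/kdump.*\.service` with it; admins therefore cannot manage the systemd unit through this interface, unlike `fakehwclock_admin`, which passes its unit type as the fifth argument. Suggest adding `kdump_unit_t` to the `gen_require` and changing the call to `init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t, kdump_unit_t)`. The `kdump_manage_config` summary misspells "kdump" as "kdmup".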
diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
new file mode 100644
index 00000000..4e27a84f
--- /dev/null
+++ b/policy/modules/admin/kdump.te
@@ -0,0 +1,119 @@
+policy_module(kdump, 1.6.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
+type kdumpctl_t;
+type kdumpctl_exec_t;
+init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
+application_executable_file(kdumpctl_exec_t)
+
+type kdumpctl_tmp_t;
+files_tmp_file(kdumpctl_tmp_t)
+
+#####################################
+#
+# Local policy
+#
+
+allow kdump_t self:capability { dac_override sys_boot };
+
+allow kdump_t kdump_etc_t:file read_file_perms;
+
+files_read_etc_files(kdump_t)
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
+kernel_read_system_state(kdump_t)
+kernel_request_load_module(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
+
+#######################################
+#
+# Ctl local policy
+#
+
+allow kdumpctl_t self:capability { dac_override sys_chroot };
+allow kdumpctl_t self:process setfscreate;
+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
+allow kdumpctl_t self:unix_stream_socket { accept listen };
+
+allow kdumpctl_t kdump_etc_t:file read_file_perms;
+
+manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+
+domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+
+kernel_read_system_state(kdumpctl_t)
+
+corecmd_exec_bin(kdumpctl_t)
+corecmd_exec_shell(kdumpctl_t)
+
+dev_read_sysfs(kdumpctl_t)
+dev_manage_all_dev_nodes(kdumpctl_t)
+
+domain_use_interactive_fds(kdumpctl_t)
+
+files_create_kernel_img(kdumpctl_t)
+files_read_etc_files(kdumpctl_t)
+files_read_etc_runtime_files(kdumpctl_t)
+files_read_usr_files(kdumpctl_t)
+files_read_kernel_modules(kdumpctl_t)
+files_getattr_all_dirs(kdumpctl_t)
+
+fs_getattr_all_fs(kdumpctl_t)
+fs_search_all(kdumpctl_t)
+
+init_domtrans_script(kdumpctl_t)
+init_exec(kdumpctl_t)
+
+libs_exec_ld_so(kdumpctl_t)
+
+logging_send_syslog_msg(kdumpctl_t)
+
+miscfiles_read_localization(kdumpctl_t)
+
+optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
+
+optional_policy(`
+ lvm_read_config(kdumpctl_t)
+')
+
+optional_policy(`
+ modutils_domtrans(kdumpctl_t)
+ modutils_read_module_config(kdumpctl_t)
+')
+
+optional_policy(`
+ plymouthd_domtrans_plymouth(kdumpctl_t)
+')
+
+optional_policy(`
+ ssh_exec(kdumpctl_t)
+')
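Review bot: `allow kdumpctl_t self:capability { dac_override sys_chroot };` and `dev_manage_all_dev_nodes(kdumpctl_t)` in the Ctl local policy section are broad grants with no explanation, in contrast to the `# sys_time : set system time` comment style used in fakehwclock.te; a why-comment on each would let a later reviewer judge whether they are still required. Something like `# sys_chroot, manage all dev nodes: <reason> — confirm` above the capability line, with the placeholder replaced by the actual need. `kernel_request_load_module(kdump_t)` and the `sys_boot` capability in the kdump_t section deserve the same one-line justification.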
diff --git a/policy/modules/admin/kdumpgui.fc b/policy/modules/admin/kdumpgui.fc
new file mode 100644
index 00000000..250679cd
--- /dev/null
+++ b/policy/modules/admin/kdumpgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --git a/policy/modules/admin/kdumpgui.if b/policy/modules/admin/kdumpgui.if
new file mode 100644
index 00000000..182ab8b5
--- /dev/null
+++ b/policy/modules/admin/kdumpgui.if
@@ -0,0 +1 @@
+## <summary>System-config-kdump GUI.</summary>
diff --git a/policy/modules/admin/kdumpgui.te b/policy/modules/admin/kdumpgui.te
new file mode 100644
index 00000000..2990962b
--- /dev/null
+++ b/policy/modules/admin/kdumpgui.te
@@ -0,0 +1,90 @@
+policy_module(kdumpgui, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdumpgui_t;
+type kdumpgui_exec_t;
+init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+type kdumpgui_tmp_t;
+files_tmp_file(kdumpgui_tmp_t)
+
+######################################
+#
+# Local policy
+#
+
+allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+allow kdumpgui_t self:process { setsched sigkill };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
+manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
+files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
+
+kernel_getattr_core_if(kdumpgui_t)
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
+corecmd_exec_bin(kdumpgui_t)
+corecmd_exec_shell(kdumpgui_t)
+
+dev_getattr_all_blk_files(kdumpgui_t)
+dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+dev_read_sysfs(kdumpgui_t)
+
+files_manage_boot_files(kdumpgui_t)
+files_manage_boot_symlinks(kdumpgui_t)
+files_manage_etc_symlinks(kdumpgui_t)
+files_manage_etc_runtime_files(kdumpgui_t)
+files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
+
+fs_getattr_all_fs(kdumpgui_t)
+fs_list_hugetlbfs(kdumpgui_t)
+fs_read_dos_files(kdumpgui_t)
+
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_raw_write_fixed_disk(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
+logging_list_logs(kdumpgui_t)
+logging_read_generic_logs(kdumpgui_t)
+logging_send_syslog_msg(kdumpgui_t)
+
+miscfiles_read_localization(kdumpgui_t)
+
+mount_exec(kdumpgui_t)
+
+init_dontaudit_read_all_script_files(kdumpgui_t)
+
+optional_policy(`
+ bootloader_exec(kdumpgui_t)
+ bootloader_rw_config(kdumpgui_t)
+')
+
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
+optional_policy(`
+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+ ')
+')
+
+optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+')
+
+optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
+')
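Review bot: kdumpgui.if declares no domtrans or run interface, so the only entry into kdumpgui_t is `dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)` inside an `optional_policy` block; when the dbus module is absent nothing can transition into the domain, and the executable labelled kdumpgui_exec_t presumably runs in whatever domain invokes it. If that is intended, a comment on the optional block saying so would help; otherwise the module needs a domtrans interface in kdumpgui.if. Separately, `storage_raw_write_fixed_disk(kdumpgui_t)` together with `sys_rawio` and `sys_admin` in the capability line are high-impact grants that warrant a why-comment.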
diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc
new file mode 100644
index 00000000..09ccb80d
--- /dev/null
+++ b/policy/modules/admin/kismet.fc
@@ -0,0 +1,13 @@
+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
+
+/etc/rc\.d/init\.d/kismet.* -- gen_context(system_u:object_r:kismet_initrc_exec_t,s0)
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/usr/bin/kismet_server -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/usr/bin/kismet_drone -- gen_context(system_u:object_r:kismet_exec_t,s0)
+
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+
+/run/kismet_server\.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
new file mode 100644
index 00000000..1ba783c4
--- /dev/null
+++ b/policy/modules/admin/kismet.if
@@ -0,0 +1,307 @@
+## <summary>IEEE 802.11 wireless LAN sniffer.</summary>
+
+########################################
+## <summary>
+## Role access for kismet.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`kismet_role',`
+ gen_require(`
+ type kismet_exec_t, kismet_home_t, kismet_tmp_t;
+ type kismet_tmpfs_t, kismet_t;
+ ')
+
+ kismet_run($1, $2)
+
+ allow $2 kismet_t:process { ptrace signal_perms };
+ ps_process_pattern($2, kismet_t)
+
+ allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 kismet_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, kismet_home_t, dir, ".kismet")
+
+ allow $2 kismet_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 kismet_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $2 kismet_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 kismet_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 kismet_tmpfs_t:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run kismet.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_domtrans',`
+ gen_require(`
+ type kismet_t, kismet_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kismet_exec_t, kismet_t)
+')
+
+########################################
+## <summary>
+## Execute kismet in the kismet domain, and
+## allow the specified role the kismet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_run',`
+ gen_require(`
+ attribute_role kismet_roles;
+ ')
+
+ kismet_domtrans($1)
+ roleattribute $2 kismet_roles;
+')
+
+########################################
+## <summary>
+## Read kismet pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 kismet_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 kismet_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Search kismet lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_search_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 kismet_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 kismet_var_lib_t:dir list_dir_perms;
+ allow $1 kismet_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_read_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Append kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_append_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
+ manage_files_pattern($1, kismet_log_t, kismet_log_t)
+ manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an kismet environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_admin',`
+ gen_require(`
+ type kismet_t, kismet_var_lib_t, kismet_var_run_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
+ ')
+
+ init_startstop_service($1, $2, kismet_t, kismet_initrc_exec_t)
+
+ ps_process_pattern($1, kismet_t)
+ allow $1 kismet_t:process { ptrace signal_perms };
+
+ files_search_var_lib($1)
+ admin_pattern($1, kismet_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, kismet_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, kismet_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, kismet_tmp_t)
+
+ kismet_run($1, $2)
+')
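Review bot: the `gen_require` of the `kismet_role` template lists `kismet_exec_t`, but nothing in the template body references it (the transition is done by `kismet_run`, which carries its own require), so the require can be reduced to `type kismet_home_t, kismet_tmp_t;` and `type kismet_tmpfs_t, kismet_t;`. An unused require adds a dependency on the type without documenting a use.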
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
new file mode 100644
index 00000000..dc07e769
--- /dev/null
+++ b/policy/modules/admin/kismet.te
@@ -0,0 +1,110 @@
+policy_module(kismet, 1.10.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role kismet_roles;
+
+type kismet_t;
+type kismet_exec_t;
+init_system_domain(kismet_t, kismet_exec_t)
+role kismet_roles types kismet_t;
+
+type kismet_initrc_exec_t;
+init_script_file(kismet_initrc_exec_t)
+
+type kismet_home_t;
+userdom_user_home_content(kismet_home_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+type kismet_tmp_t;
+files_tmp_file(kismet_tmp_t)
+
+type kismet_tmpfs_t;
+files_tmp_file(kismet_tmpfs_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };
+allow kismet_t self:process signal_perms;
+allow kismet_t self:fifo_file rw_fifo_file_perms;
+allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+allow kismet_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, dir)
+
+allow kismet_t kismet_log_t:dir setattr_dir_perms;
+append_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
+create_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
+getattr_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
+logging_log_filetrans(kismet_t, kismet_log_t, dir)
+
+manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t, kismet_var_run_t, file)
+
+can_exec(kismet_t, kismet_exec_t)
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
+kernel_read_network_state(kismet_t)
+
+corecmd_exec_bin(kismet_t)
+
+corenet_all_recvfrom_unlabeled(kismet_t)
+corenet_all_recvfrom_netlabel(kismet_t)
+corenet_tcp_sendrecv_generic_if(kismet_t)
+corenet_tcp_sendrecv_generic_node(kismet_t)
+corenet_tcp_bind_generic_node(kismet_t)
+
+corenet_sendrecv_kismet_server_packets(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_sendrecv_kismet_client_packets(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
+corenet_tcp_sendrecv_kismet_port(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+files_read_usr_files(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)
+
+optional_policy(`
+ dbus_system_bus_client(kismet_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(kismet_t)
+ ')
+')
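Review bot: the pid-file rules near the end of the local policy section grant `allow kismet_t kismet_var_run_t:dir manage_dir_perms;` and `files_pid_filetrans(kismet_t, kismet_var_run_t, file)`, but there is no file rule on kismet_var_run_t, so the newly created `/run/kismet_server.pid` (labelled in kismet.fc) cannot be written after the transition; `allow kismet_t kismet_var_run_t:file manage_file_perms;` is needed for the transition to be useful. The log rules look similarly incomplete: `logging_log_filetrans(kismet_t, kismet_log_t, dir)` is paired only with `setattr_dir_perms` on kismet_log_t directories, which does not include create — fine if /var/log/kismet is pre-created by packaging, otherwise `manage_dir_perms` is needed. `kismet_tmpfs_t` is declared with `files_tmp_file` while it is used through `fs_tmpfs_filetrans`; if a tmpfs type attribute was intended, `files_tmpfs_file(kismet_tmpfs_t)` would be the usual declaration — confirm.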
diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc
new file mode 100644
index 00000000..a0127d49
--- /dev/null
+++ b/policy/modules/admin/kudzu.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
+
+/usr/bin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/bin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
+/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0)
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
new file mode 100644
index 00000000..85214c5b
--- /dev/null
+++ b/policy/modules/admin/kudzu.if
@@ -0,0 +1,99 @@
+## <summary>Hardware detection and configuration tools.</summary>
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kudzu_domtrans',`
+ gen_require(`
+ type kudzu_t, kudzu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kudzu_exec_t, kudzu_t)
+')
+
+########################################
+## <summary>
+## Execute kudzu in the kudzu domain, and
+## allow the specified role the kudzu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kudzu_run',`
+ gen_require(`
+ attribute_role kudzu_roles;
+ ')
+
+ kudzu_domtrans($1)
+ roleattribute $2 kudzu_roles;
+')
+
+########################################
+## <summary>
+## Get attributes of kudzu executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kudzu_getattr_exec_files',`
+ gen_require(`
+ type kudzu_exec_t;
+ ')
+
+ allow $1 kudzu_exec_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an kudzu environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kudzu_admin',`
+ gen_require(`
+ type kudzu_t, kudzu_initrc_exec_t, kudzu_var_run_t;
+ type kudzu_tmp_t;
+ ')
+
+ allow $1 kudzu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kudzu_t)
+
+ init_startstop_service($1, $2, kudzu_t, kudzu_initrc_exec_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, kudzu_tmp_t)
+
+ files_search_pids($1)
+ admin_pattern($1, kudzu_var_run_t)
+')
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
new file mode 100644
index 00000000..1ec6b513
--- /dev/null
+++ b/policy/modules/admin/kudzu.te
@@ -0,0 +1,138 @@
+policy_module(kudzu, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role kudzu_roles;
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t, kudzu_exec_t)
+role kudzu_roles types kudzu_t;
+
+type kudzu_initrc_exec_t;
+init_script_file(kudzu_initrc_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process { signal_perms execmem };
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
+allow kudzu_t self:unix_stream_socket { accept connectto listen };
+allow kudzu_t self:udp_socket { create ioctl };
+
+manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
+files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
+files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_read_device_sysctls(kudzu_t)
+kernel_read_kernel_sysctls(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+kernel_dontaudit_search_unlabeled(kudzu_t)
+
+corecmd_exec_all_executables(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero(kudzu_t)
+
+domain_use_interactive_fds(kudzu_t)
+
+files_read_kernel_modules(kudzu_t)
+files_read_usr_files(kudzu_t)
+files_search_locks(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t, file)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
+
+mls_file_read_all_levels(kudzu_t)
+mls_file_write_all_levels(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
+
+term_dontaudit_use_console(kudzu_t)
+term_use_unallocated_ttys(kudzu_t)
+
+init_use_fds(kudzu_t)
+init_use_script_ptys(kudzu_t)
+init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
+init_telinit(kudzu_t)
+
+libs_read_lib_files(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_hwdata(kudzu_t)
+miscfiles_read_localization(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_use_user_terminals(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(kudzu_t)
+ modutils_read_module_deps(kudzu_t)
+ modutils_rename_module_config(kudzu_t)
+ modutils_delete_module_config(kudzu_t)
+ modutils_domtrans(kudzu_t)
+')
+
+optional_policy(`
+ nscd_use(kudzu_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`
+ udev_read_db(kudzu_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(kudzu_t)
+')
diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc
new file mode 100644
index 00000000..dac1af39
--- /dev/null
+++ b/policy/modules/admin/logrotate.fc
@@ -0,0 +1,12 @@
+/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
+/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
new file mode 100644
index 00000000..dd8e01af
--- /dev/null
+++ b/policy/modules/admin/logrotate.if
@@ -0,0 +1,122 @@
+## <summary>Rotates, compresses, removes and mails system log files.</summary>
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logrotate_domtrans',`
+ gen_require(`
+ type logrotate_t, logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, logrotate_exec_t, logrotate_t)
+')
+
+########################################
+## <summary>
+## Execute logrotate in the logrotate
+## domain, and allow the specified
+## role the logrotate domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logrotate_run',`
+ gen_require(`
+ attribute_role logrotate_roles;
+ ')
+
+ logrotate_domtrans($1)
+ roleattribute $2 logrotate_roles;
+')
+
+########################################
+## <summary>
+## Execute logrotate in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_exec',`
+ gen_require(`
+ type logrotate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, logrotate_exec_t)
+')
+
+########################################
+## <summary>
+## Inherit and use logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ allow $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## logrotate file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logrotate_dontaudit_use_fds',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ dontaudit $1 logrotate_t:fd use;
+')
+
+########################################
+## <summary>
+## Read logrotate temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logrotate_read_tmp_files',`
+ gen_require(`
+ type logrotate_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logrotate_tmp_t:file read_file_perms;
+')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
new file mode 100644
index 00000000..2490cdfa
--- /dev/null
+++ b/policy/modules/admin/logrotate.te
@@ -0,0 +1,289 @@
+policy_module(logrotate, 1.20.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role logrotate_roles;
+roleattribute system_r logrotate_roles;
+
+type logrotate_t;
+type logrotate_exec_t;
+domain_type(logrotate_t)
+domain_obj_id_change_exemption(logrotate_t)
+domain_system_change_exemption(logrotate_t)
+domain_entry_file(logrotate_t, logrotate_exec_t)
+init_system_domain(logrotate_t, logrotate_exec_t)
+role logrotate_roles types logrotate_t;
+
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_type(logrotate_var_lib_t)
+
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
+mta_base_mail_template(logrotate)
+role system_r types logrotate_mail_t;
+
+########################################
+#
+# Local policy
+#
+
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow logrotate_t self:fd use;
+allow logrotate_t self:key manage_key_perms;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
+files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+
+manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+
+create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+can_exec(logrotate_t, { logrotate_exec_t logrotate_tmp_t })
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
+
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+corecmd_getattr_all_executables(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_interactive_fds(logrotate_t)
+domain_getattr_all_entry_files(logrotate_t)
+domain_read_all_domains_state(logrotate_t)
+
+files_map_etc_files(logrotate_t)
+files_read_usr_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
+files_read_var_lib_files(logrotate_t)
+files_manage_generic_spool(logrotate_t)
+files_manage_generic_spool_dirs(logrotate_t)
+files_getattr_generic_locks(logrotate_t)
+files_dontaudit_list_mnt(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+auth_use_nsswitch(logrotate_t)
+
+init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+init_manage_all_units(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+logging_send_syslog_msg(logrotate_t)
+logging_send_audit_msgs(logrotate_t)
+logging_exec_all_logs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+seutil_dontaudit_read_config(logrotate_t)
+
+userdom_use_user_terminals(logrotate_t)
+userdom_list_user_home_dirs(logrotate_t)
+userdom_use_unpriv_users_fds(logrotate_t)
+
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+
+ifdef(`distro_debian',`
+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ can_exec(logrotate_t, logrotate_exec_t)
+
+ logging_check_exec_syslog(logrotate_t)
+ logging_read_syslog_config(logrotate_t)
+')
+
+optional_policy(`
+ abrt_manage_cache(logrotate_t)
+')
+
+optional_policy(`
+ acct_domtrans(logrotate_t)
+ acct_manage_data(logrotate_t)
+ acct_exec_data(logrotate_t)
+')
+
+optional_policy(`
+ apache_read_config(logrotate_t)
+ apache_domtrans(logrotate_t)
+ apache_signull(logrotate_t)
+')
+
+optional_policy(`
+ asterisk_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ awstats_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
+ callweaver_exec(logrotate_t)
+ callweaver_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ consoletype_exec(logrotate_t)
+')
+
+optional_policy(`
+ cron_system_entry(logrotate_t, logrotate_exec_t)
+ cron_search_spool(logrotate_t)
+')
+
+optional_policy(`
+ cups_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+ init_write_pid_socket(logrotate_t)
+')
+
+optional_policy(`
+ fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ hostname_exec(logrotate_t)
+')
+
+optional_policy(`
+ chronyd_read_key_files(logrotate_t)
+')
+
+optional_policy(`
+ icecast_signal(logrotate_t)
+')
+
+optional_policy(`
+ mailman_domtrans(logrotate_t)
+ mailman_search_data(logrotate_t)
+ mailman_manage_log(logrotate_t)
+')
+
+optional_policy(`
+ # reload after log rotation
+ monit_reload(logrotate_t)
+')
+
+optional_policy(`
+ munin_read_config(logrotate_t)
+ munin_stream_connect(logrotate_t)
+ munin_search_lib(logrotate_t)
+')
+
+optional_policy(`
+ mysql_read_config(logrotate_t)
+ mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
+')
+
+optional_policy(`
+ openvswitch_read_pid_files(logrotate_t)
+ openvswitch_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ polipo_log_filetrans_log(logrotate_t, file, "polipo")
+')
+
+optional_policy(`
+ psad_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ samba_exec_log(logrotate_t)
+')
+
+optional_policy(`
+ sssd_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ slrnpull_manage_spool(logrotate_t)
+')
+
+optional_policy(`
+ squid_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ su_exec(logrotate_t)
+')
+
+optional_policy(`
+ varnishd_manage_log(logrotate_t)
+')
+
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
+#######################################
+#
+# Mail local policy
+#
+
+allow logrotate_mail_t logrotate_t:fd use;
+allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+allow logrotate_mail_t logrotate_t:process sigchld;
+
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+logging_read_all_logs(logrotate_mail_t)
+
+ifdef(`distro_gentoo',`
+ # Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
+ optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
+ ')
+')
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
new file mode 100644
index 00000000..7e83c901
--- /dev/null
+++ b/policy/modules/admin/logwatch.fc
@@ -0,0 +1,18 @@
+/usr/bin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
+
+/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+
+/var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0)
+
+/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if
new file mode 100644
index 00000000..06c3d36c
--- /dev/null
+++ b/policy/modules/admin/logwatch.if
@@ -0,0 +1,39 @@
+## <summary>System log analyzer and reporter.</summary>
+
+########################################
+## <summary>
+## Read logwatch temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_read_tmp_files',`
+ gen_require(`
+ type logwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 logwatch_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Search logwatch cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logwatch_search_cache_dir',`
+ gen_require(`
+ type logwatch_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logwatch_cache_t:dir search_dir_perms;
+')
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
new file mode 100644
index 00000000..f20454ab
--- /dev/null
+++ b/policy/modules/admin/logwatch.te
@@ -0,0 +1,197 @@
+policy_module(logwatch, 1.15.0)
+
+#################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether logwatch can connect
+## to mail over the network.
+## </p>
+## </desc>
+gen_tunable(logwatch_can_network_connect_mail, false)
+
+type logwatch_t;
+type logwatch_exec_t;
+init_system_domain(logwatch_t, logwatch_exec_t)
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_lock_t;
+files_lock_file(logwatch_lock_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+type logwatch_var_run_t;
+files_pid_file(logwatch_var_run_t)
+
+mta_base_mail_template(logwatch)
+role system_r types logwatch_mail_t;
+
+########################################
+#
+# Local policy
+#
+
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
+allow logwatch_t self:fifo_file rw_fifo_file_perms;
+allow logwatch_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+
+allow logwatch_t logwatch_lock_t:file manage_file_perms;
+files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
+
+manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
+allow logwatch_t logwatch_var_run_t:file manage_file_perms;
+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
+
+kernel_read_fs_sysctls(logwatch_t)
+kernel_read_kernel_sysctls(logwatch_t)
+kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
+
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+dev_read_sysfs(logwatch_t)
+
+domain_read_all_domains_state(logwatch_t)
+
+files_getattr_all_files(logwatch_t)
+files_getattr_all_file_type_fs(logwatch_t)
+files_list_var(logwatch_t)
+files_search_all(logwatch_t)
+files_read_var_symlinks(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+
+fs_getattr_all_dirs(logwatch_t)
+fs_getattr_all_fs(logwatch_t)
+fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
+
+mls_file_read_to_clearance(logwatch_t)
+
+term_dontaudit_getattr_pty_dirs(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+auth_use_nsswitch(logwatch_t)
+auth_dontaudit_read_shadow(logwatch_t)
+
+init_read_utmp(logwatch_t)
+init_dontaudit_write_utmp(logwatch_t)
+
+libs_read_lib_files(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+selinux_dontaudit_getattr_dir(logwatch_t)
+
+sysnet_exec_ifconfig(logwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
+
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+mta_getattr_spool(logwatch_t)
+
+tunable_policy(`logwatch_can_network_connect_mail',`
+ corenet_all_recvfrom_unlabeled(logwatch_t)
+ corenet_all_recvfrom_netlabel(logwatch_t)
+ corenet_tcp_sendrecv_generic_if(logwatch_t)
+ corenet_tcp_sendrecv_generic_node(logwatch_t)
+
+ corenet_sendrecv_smtp_client_packets(logwatch_t)
+ corenet_tcp_connect_smtp_port(logwatch_t)
+ corenet_tcp_sendrecv_smtp_port(logwatch_t)
+
+ corenet_sendrecv_pop_client_packets(logwatch_t)
+ corenet_tcp_connect_pop_port(logwatch_t)
+ corenet_tcp_sendrecv_pop_port(logwatch_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(logwatch_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(logwatch_t)
+')
+
+optional_policy(`
+ apache_read_log(logwatch_t)
+')
+
+optional_policy(`
+ avahi_dontaudit_search_pid(logwatch_t)
+')
+
+optional_policy(`
+ bind_read_config(logwatch_t)
+ bind_read_zone(logwatch_t)
+')
+
+optional_policy(`
+ cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(logwatch_t)
+')
+
+optional_policy(`
+ ntp_domtrans(logwatch_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(logwatch_t)
+')
+
+optional_policy(`
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+')
+
+########################################
+#
+# Mail local policy
+#
+
+allow logwatch_mail_t self:capability { dac_override dac_read_search };
+
+allow logwatch_mail_t logwatch_t:fd use;
+allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
+allow logwatch_mail_t logwatch_t:process sigchld;
+
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+
+dev_read_rand(logwatch_mail_t)
+dev_read_urand(logwatch_mail_t)
+dev_read_sysfs(logwatch_mail_t)
+
+logging_read_all_logs(logwatch_mail_t)
+
+optional_policy(`
+ cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
+')
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
new file mode 100644
index 00000000..a91a13f9
--- /dev/null
+++ b/policy/modules/admin/mcelog.fc
@@ -0,0 +1,11 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+
+/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
+/usr/bin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
+/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.if b/policy/modules/admin/mcelog.if
new file mode 100644
index 00000000..9b731b82
--- /dev/null
+++ b/policy/modules/admin/mcelog.if
@@ -0,0 +1,58 @@
+## <summary>Linux hardware error daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mcelog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcelog_domtrans',`
+ gen_require(`
+ type mcelog_t, mcelog_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mcelog environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcelog_admin',`
+ gen_require(`
+ type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t;
+ type mcelog_var_run_t, mcelog_etc_t;
+ ')
+
+ allow $1 mcelog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mcelog_t)
+
+ init_startstop_service($1, $2, mcelog_t, mcelog_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mcelog_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, mcelog_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mcelog_var_run_t)
+')
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
new file mode 100644
index 00000000..1c342132
--- /dev/null
+++ b/policy/modules/admin/mcelog.te
@@ -0,0 +1,124 @@
+policy_module(mcelog, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mcelog supports
+## client mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_client, false)
+
+## <desc>
+## <p>
+## Determine whether mcelog can execute scripts.
+## </p>
+## </desc>
+gen_tunable(mcelog_exec_scripts, true)
+
+## <desc>
+## <p>
+## Determine whether mcelog can use all
+## the user ttys.
+## </p>
+## </desc>
+gen_tunable(mcelog_foreground, false)
+
+## <desc>
+## <p>
+## Determine whether mcelog supports
+## server mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_server, false)
+
+## <desc>
+## <p>
+## Determine whether mcelog can use syslog.
+## </p>
+## </desc>
+gen_tunable(mcelog_syslog, false)
+
+type mcelog_t;
+type mcelog_exec_t;
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+application_executable_file(mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket connected_socket_perms;
+
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, { dir file })
+
+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+mls_file_read_all_levels(mcelog_t)
+
+locallogin_use_fds(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
+
+tunable_policy(`mcelog_client',`
+ allow mcelog_t self:unix_stream_socket connectto;
+')
+
+tunable_policy(`mcelog_exec_scripts',`
+ allow mcelog_t self:fifo_file rw_fifo_file_perms;
+ corecmd_exec_bin(mcelog_t)
+ corecmd_exec_shell(mcelog_t)
+')
+
+tunable_policy(`mcelog_foreground',`
+ userdom_use_user_terminals(mcelog_t)
+')
+
+tunable_policy(`mcelog_server',`
+ allow mcelog_t self:unix_stream_socket { listen accept };
+')
+
+tunable_policy(`mcelog_syslog',`
+ logging_send_syslog_msg(mcelog_t)
+')
+
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc
new file mode 100644
index 00000000..fad30365
--- /dev/null
+++ b/policy/modules/admin/mrtg.fc
@@ -0,0 +1,16 @@
+/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
+/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+/etc/rc\.d/init\.d/mrtg -- gen_context(system_u:object_r:mrtg_initrc_exec_t,s0)
+
+/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
+
+/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+
+/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/lock/subsys/mrtg -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+/var/log/mrtg.* gen_context(system_u:object_r:mrtg_log_t,s0)
+
+/run/mrtg\.pid -- gen_context(system_u:object_r:mrtg_var_run_t,s0)
diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if
new file mode 100644
index 00000000..b25b0894
--- /dev/null
+++ b/policy/modules/admin/mrtg.if
@@ -0,0 +1,84 @@
+## <summary>Network traffic graphing.</summary>
+
+########################################
+## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create and append mrtg log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_append_create_logs',`
+ gen_require(`
+ type mrtg_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, mrtg_log_t, mrtg_log_t)
+ create_files_pattern($1, mrtg_log_t, mrtg_log_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mrtg environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mrtg_admin',`
+ gen_require(`
+ type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t;
+ type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t;
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mrtg_t)
+
+ init_startstop_service($1, $2, mrtg_t, mrtg_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, mrtg_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, mrtg_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, mrtg_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mrtg_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mrtg_var_lib_t)
+')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
new file mode 100644
index 00000000..953738e9
--- /dev/null
+++ b/policy/modules/admin/mrtg.te
@@ -0,0 +1,152 @@
+policy_module(mrtg, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t, mrtg_exec_t)
+
+type mrtg_initrc_exec_t;
+init_script_file(mrtg_initrc_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { chown setgid setuid };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
+
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+allow mrtg_t mrtg_etc_t:file read_file_perms;
+allow mrtg_t mrtg_etc_t:lnk_file read_lnk_file_perms;
+
+allow mrtg_t mrtg_lock_t:dir manage_dir_perms;
+allow mrtg_t mrtg_lock_t:file manage_file_perms;
+allow mrtg_t mrtg_lock_t:lnk_file manage_lnk_file_perms;
+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
+
+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+append_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+create_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+setattr_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+logging_log_filetrans(mrtg_t, mrtg_log_t, { dir file })
+
+manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_generic_node(mrtg_t)
+
+corenet_sendrecv_all_client_packets(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
+
+files_getattr_tmp_dirs(mrtg_t)
+files_read_etc_runtime_files(mrtg_t)
+files_read_usr_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_all_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+miscfiles_read_localization(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+
+netutils_domtrans_ping(mrtg_t)
+
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
+optional_policy(`
+ apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+ cron_system_entry(mrtg_t, mrtg_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+ hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+ quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+ udev_read_db(mrtg_t)
+')
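Review bot: `netutils_domtrans_ping(mrtg_t)` is called unconditionally, while every other cross-module call in this file is wrapped in `optional_policy(...)`; unless netutils is a required module in this tree, a build with netutils disabled fails on that line, so it should be wrapped the same way: `optional_policy(` / `netutils_domtrans_ping(mrtg_t)` / `')`. The network block also grants `corenet_tcp_connect_all_ports(mrtg_t)` and `corenet_tcp_sendrecv_all_ports(mrtg_t)`, the widest possible outbound TCP access for a graphing daemon; if the target scripts MRTG invokes make the destination ports unpredictable, a why-comment such as `# target scripts may poll arbitrary hosts/ports` would document that, otherwise the grant should be narrowed to the ports actually used.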
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
new file mode 100644
index 00000000..ca1a0e28
--- /dev/null
+++ b/policy/modules/admin/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
new file mode 100644
index 00000000..db9578f4
--- /dev/null
+++ b/policy/modules/admin/ncftool.if
@@ -0,0 +1,46 @@
+## <summary>Cross-platform network configuration library.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ncftool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+## Execute ncftool in the ncftool
+## domain, and allow the specified
+## role the ncftool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ncftool_run',`
+ gen_require(`
+ attribute_role ncftool_roles;
+ ')
+
+ ncftool_domtrans($1)
+ roleattribute $2 ncftool_roles;
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
index 00000000..676567d8
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
@@ -0,0 +1,85 @@
+policy_module(ncftool, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ncftool_roles;
+roleattribute system_r ncftool_roles;
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role ncftool_roles types ncftool_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ncftool_t self:capability net_admin;
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_use_user_terminals(ncftool_t)
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ brctl_run(ncftool_t, ncftool_roles)
+')
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(ncftool_t)
+ modutils_run(ncftool_t, ncftool_roles)
+')
+
+optional_policy(`
+ netutils_run(ncftool_t, ncftool_roles)
+')
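Review bot: The local policy block grants `net_admin`, `kernel_request_load_module`, `kernel_rw_net_sysctls` and `domain_read_all_domains_state` to ncftool_t without any comment saying why a network-configuration tool needs each, so a reader cannot tell which rules are essential and which were added to silence denials. A one-line why-comment above the `kernel_*` group (for example `# netcf may load interface modules and tune net sysctls - TODO confirm`) and another above `domain_read_all_domains_state(ncftool_t)` would make later tightening possible. `userdom_read_user_tmp_files(ncftool_t)` likewise reads arbitrary user tmp content; if it exists only to read configuration handed in via /tmp, the comment should say so.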
diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc
new file mode 100644
index 00000000..a1a30929
--- /dev/null
+++ b/policy/modules/admin/passenger.fc
@@ -0,0 +1,10 @@
+/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
new file mode 100644
index 00000000..bf59ef73
--- /dev/null
+++ b/policy/modules/admin/passenger.if
@@ -0,0 +1,58 @@
+## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t, passenger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+')
+
+######################################
+## <summary>
+## Execute passenger in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_exec',`
+ gen_require(`
+ type passenger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, passenger_exec_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
new file mode 100644
index 00000000..b6181456
--- /dev/null
+++ b/policy/modules/admin/passenger.te
@@ -0,0 +1,107 @@
+policy_module(passenger, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_log_t;
+logging_log_file(passenger_log_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
+append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, file)
+
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
+can_exec(passenger_t, passenger_exec_t)
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+kernel_read_network_state(passenger_t)
+kernel_read_net_sysctls(passenger_t)
+
+corenet_all_recvfrom_netlabel(passenger_t)
+corenet_all_recvfrom_unlabeled(passenger_t)
+corenet_tcp_sendrecv_generic_if(passenger_t)
+corenet_tcp_sendrecv_generic_node(passenger_t)
+
+corenet_sendrecv_http_client_packets(passenger_t)
+corenet_tcp_connect_http_port(passenger_t)
+corenet_tcp_sendrecv_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+domain_read_all_domains_state(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+logging_send_syslog_msg(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+sysnet_exec_ifconfig(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
+
+optional_policy(`
+ hostname_exec(passenger_t)
+')
+
+optional_policy(`
+ mta_send_mail(passenger_t)
+')
+
+optional_policy(`
+ puppet_manage_lib_files(passenger_t)
+ puppet_read_config(passenger_t)
+ puppet_append_log_files(passenger_t)
+ puppet_create_log_files(passenger_t)
+ puppet_read_log_files(passenger_t)
+')
+
+optional_policy(`
+ rpm_exec(passenger_t)
+ rpm_read_db(passenger_t)
+')
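Review bot: `allow passenger_t self:unix_stream_socket { accept connectto listen };` grants accept, listen and connectto but not create, bind, read or write on the domain's own stream sockets; unless those come from a macro not visible here, the rule looks incomplete and the conventional form is `allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };`. The `self:capability` line also includes `sys_ptrace`, and together with `domain_read_all_domains_state(passenger_t)` it gives the helper agents broad visibility into unrelated processes; a why-comment naming the Passenger component that needs it would justify keeping it, otherwise it should be dropped. The declarations build the domain by hand with `domain_type`, `domain_entry_file` and `role system_r types passenger_t;` instead of `init_daemon_domain`; if that is because the agents are spawned by the web server rather than init, a short comment there would prevent a later "cleanup" from breaking it.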
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
new file mode 100644
index 00000000..7f6ab05b
--- /dev/null
+++ b/policy/modules/admin/portage.fc
@@ -0,0 +1,50 @@
+/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
+
+/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+
+/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+
+/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+')
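Review bot: `/var/log/emerge-fetch.log` leaves the dot unescaped, unlike `/var/log/emerge\.log.*` on the line above and `/etc/make\.conf` at the top of the file; file-context specs are regular expressions, so `.` matches any character and the entry should read `/var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0)`. The resulting label is the same for the real file, but the inconsistency misleads anyone auditing the spec for what it actually matches.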
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
new file mode 100644
index 00000000..23c15ba7
--- /dev/null
+++ b/policy/modules/admin/portage.if
@@ -0,0 +1,569 @@
+## <summary>Package Management System.</summary>
+
+########################################
+## <summary>
+## Execute emerge in the portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans',`
+ gen_require(`
+ type portage_t, portage_exec_t;
+ type portage_tmp_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portage_exec_t, portage_t)
+
+ can_exec($1, portage_tmp_t) # Portage does exectest
+')
+
+########################################
+## <summary>
+## Execute emerge in the portage domain,
+## and allow the specified role the
+## portage domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run',`
+ gen_require(`
+ attribute_role portage_roles;
+ ')
+
+ portage_domtrans($1)
+ roleattribute $2 portage_roles;
+')
+
+########################################
+## <summary>
+## Template for portage sandbox.
+## </summary>
+## <desc>
+## <p>
+## Template for portage sandbox. Portage
+## does all compiling in the sandbox.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain Allowed Access
+## </summary>
+## </param>
+#
+interface(`portage_compile_domain',`
+ gen_require(`
+ class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t;
+ type portage_tmp_t, portage_tmpfs_t;
+ ')
+
+ allow $1 self:capability { chown dac_override dac_read_search fowner fsetid mknod net_raw setgid setuid };
+ dontaudit $1 self:capability sys_chroot;
+ allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+ allow $1 self:fd use;
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:sem create_sem_perms;
+ allow $1 self:msgq create_msgq_perms;
+ allow $1 self:msg { send receive };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket sendto;
+ allow $1 self:unix_stream_socket connectto;
+ # really shouldnt need this
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ # misc networking stuff (esp needed for compiling perl):
+ allow $1 self:rawip_socket { create ioctl };
+ # needed for merging dbus:
+ allow $1 self:netlink_selinux_socket { bind create read };
+ allow $1 self:dbus send_msg;
+
+ allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty($1, portage_devpts_t)
+
+ # write compile logs
+ allow $1 portage_log_t:dir setattr_dir_perms;
+ allow $1 portage_log_t:file { write_file_perms setattr_file_perms };
+
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ allow $1 portage_srcrepo_t:file map;
+
+ # run scripts out of the build directory
+ can_exec(portage_sandbox_t, portage_tmp_t)
+
+ manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+ # SELinux-enabled programs running in the sandbox
+ allow $1 portage_tmp_t:file { relabel_file_perms map };
+ allow $1 portage_tmp_t:dir relabel_dir_perms;
+
+ manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ allow $1 portage_tmpfs_t:file map;
+ fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1)
+ kernel_read_network_state($1)
+ kernel_read_software_raid_state($1)
+ kernel_getattr_core_if($1)
+ kernel_getattr_message_if($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_all_executables($1)
+
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_raw_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_raw_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_distccd_port($1)
+ corenet_tcp_connect_git_port($1)
+
+ dev_read_sysfs($1)
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+ domain_dontaudit_read_all_domains_state($1)
+ # SELinux-aware installs doing relabels in the sandbox
+ domain_obj_id_change_exemption($1)
+
+ files_exec_etc_files($1)
+ files_exec_usr_src_files($1)
+ files_map_usr_files($1)
+
+ # Came up with bug #496328
+ fs_getattr_tmpfs($1)
+ fs_getattr_xattr_fs($1)
+ fs_list_noxattr_fs($1)
+ fs_read_noxattr_fs_files($1)
+ fs_read_noxattr_fs_symlinks($1)
+ fs_search_auto_mountpoints($1)
+
+ selinux_validate_context($1)
+ # needed for merging dbus:
+ selinux_compute_access_vector($1)
+
+ files_list_non_auth_dirs($1)
+ files_read_non_auth_files($1)
+ files_read_non_auth_symlinks($1)
+
+ libs_exec_lib_files($1)
+ # some config scripts use ldd
+ libs_exec_ld_so($1)
+ libs_exec_ldconfig($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ userdom_use_user_terminals($1)
+
+ # SELinux-enabled programs running in the sandbox
+ seutil_libselinux_linked($1)
+
+ # required by install
+ seutil_read_file_contexts($1)
+
+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ ifdef(`TODO',`
+ # some gui ebuilds want to interact with X server, like xawtv
+ optional_policy(`
+ allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
+ allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms };
+ ')
+ ') dnl end TODO
+
+ ifdef(`distro_gentoo',`
+ # Fix bug 496328
+ fs_getattr_tmpfs($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute tree management functions
+## (fetching, layman, ...) in the
+## portage fetch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_fetch',`
+ gen_require(`
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+## <summary>
+## Execute tree management functions
+## (fetching, layman, ...) in the
+## portage fetch domain, and allow
+## the specified role the portage
+## fetch domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_fetch',`
+ gen_require(`
+ attribute_role portage_fetch_roles;
+ ')
+
+ portage_domtrans_fetch($1)
+ roleattribute $2 portage_fetch_roles;
+')
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_gcc_config',`
+ gen_require(`
+ type gcc_config_t, gcc_config_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
+')
+
+########################################
+## <summary>
+## Execute gcc-config in the gcc config
+## domain, and allow the specified role
+## the gcc_config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_gcc_config',`
+ gen_require(`
+ attribute_role gcc_config_roles;
+ ')
+
+ portage_domtrans_gcc_config($1)
+ roleattribute $2 gcc_config_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## portage file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_fds',`
+ gen_require(`
+ type portage_t;
+ ')
+
+ dontaudit $1 portage_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## portage temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_search_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## the portage temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to run within an eselect module script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow within an eselect module
+## </summary>
+## </param>
+# Specific to Gentoo,
+# eselect modules allow users to switch between different flavors or versions
+# of underlying components. In return, eselect makes a wrapper binary which
+# makes the proper selections. If this binary is different from bin_t, it might
+# not hold the necessary privileges for the wrapper to function. However, just
+# marking the target binaries doesn't always work, since for python scripts the
+# wrapper doesn't execute it, but treats the target as a library.
+#
+interface(`portage_eselect_module',`
+ gen_require(`
+ attribute portage_eselect_domain;
+ ')
+
+ typeattribute $1 portage_eselect_domain;
+')
+
+########################################
+## <summary>
+## Read all portage files
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_ro_role',`
+ portage_read_cache($2)
+ portage_read_config($2)
+ portage_read_db($2)
+ portage_read_ebuild($2)
+ portage_read_log($2)
+ portage_read_srcrepo($2)
+ portage_dontaudit_write_cache($2)
+')
+
+########################################
+## <summary>
+## Read portage db files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_db',`
+ gen_require(`
+ type portage_db_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, portage_db_t, portage_db_t)
+ read_files_pattern($1, portage_db_t, portage_db_t)
+')
+
+########################################
+## <summary>
+## Read portage cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_cache',`
+ gen_require(`
+ type portage_cache_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, portage_cache_t, portage_cache_t)
+ read_files_pattern($1, portage_cache_t, portage_cache_t)
+ read_lnk_files_pattern($1, portage_cache_t, portage_cache_t)
+')
+
+########################################
+## <summary>
+## Read portage configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+ read_files_pattern($1, portage_conf_t, portage_conf_t)
+ allow $1 portage_conf_t:file map;
+ read_lnk_files_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+## <summary>
+## Read portage ebuild files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_ebuild',`
+ gen_require(`
+ type portage_ebuild_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ read_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ allow $1 portage_ebuild_t:file map;
+ read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+')
+
+########################################
+## <summary>
+## Read portage log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_log',`
+ gen_require(`
+ type portage_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, portage_log_t, portage_log_t)
+')
+
+########################################
+## <summary>
+## Read portage src repository files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_srcrepo',`
+ gen_require(`
+ type portage_ebuild_t, portage_srcrepo_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t)
+ read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ allow $1 portage_srcrepo_t:file map;
+ read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+')
+
+########################################
+## <summary>
+## Do not audit writing portage cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_write_cache',`
+ gen_require(`
+ type portage_cache_t;
+ ')
+
+ dontaudit $1 portage_cache_t:dir { setattr write };
+')
+
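Review bot: In `portage_compile_domain`, `can_exec(portage_sandbox_t, portage_tmp_t)` names the sandbox type directly instead of the `$1` parameter that every other rule in the interface uses, so a caller other than portage_sandbox_t does not receive the "run scripts out of the build directory" permission the comment promises; it should be `can_exec($1, portage_tmp_t)`, after which `portage_sandbox_t` can be removed from the `gen_require` list. `fs_getattr_tmpfs($1)` appears twice, once unconditionally under the "Came up with bug #496328" comment and again inside the distro_gentoo ifdef under "Fix bug 496328"; the second is redundant and should go. The TODO-guarded block references `xdm_xserver_tmp_t` without a `gen_require`, so if it is ever enabled it will not build; either require the type there or drop the dead block.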
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
new file mode 100644
index 00000000..dbe5b760
--- /dev/null
+++ b/policy/modules/admin/portage.te
@@ -0,0 +1,534 @@
+policy_module(portage, 1.16.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether portage can
+## use nfs filesystems.
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+## <desc>
+## <p>
+## Determine whether portage domains can read user content.
+## This is for non-portage_t domains as portage_t can manage the entire file system.
+## </p>
+## </desc>
+gen_tunable(portage_read_user_content, false)
+
+attribute_role gcc_config_roles;
+attribute_role portage_roles;
+attribute_role portage_fetch_roles;
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+role gcc_config_roles types gcc_config_t;
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+role portage_fetch_roles types portage_fetch_t;
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_mountpoint(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_exec_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+allow portage_t self:process { setfscreate };
+# - kill for mysql merging, at least
+allow portage_t self:capability { kill setfcap sys_nice };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+
+# transition to sandbox for compiling
+spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+kernel_dontaudit_request_load_module(portage_t)
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+# eselect uses file, which mmap()s its db
+files_map_usr_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+libs_run_ldconfig(portage_t, portage_roles)
+
+miscfiles_read_localization(portage_t)
+miscfiles_read_fonts(portage_t)
+
+# run setfiles -r
+seutil_run_setfiles(portage_t, portage_roles)
+# run semodule
+seutil_run_semanage(portage_t, portage_roles)
+
+portage_run_gcc_config(portage_t, portage_roles)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_run(portage_t, portage_roles)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ gpg_spec_domtrans(portage_t, portage_fetch_t)
+')
+
+optional_policy(`
+ modutils_run(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr_dir_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket { accept listen };
+allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+# Needed as otherwise we get large Python tracebacks when using emerge-webrsync (portageq failure)
+can_exec(portage_fetch_t, portage_fetch_tmp_t)
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+# bug 540056
+corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
+corenet_udp_bind_generic_node(portage_fetch_t)
+corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
+
+dev_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+fs_search_auto_mountpoints(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+auth_use_nsswitch(portage_fetch_t)
+
+miscfiles_read_generic_certs(portage_fetch_t)
+miscfiles_read_localization(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+tunable_policy(`portage_read_user_content',`
+ userdom_read_user_home_content_files(portage_fetch_t)
+ userdom_list_user_home_content(portage_fetch_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+')
+
+optional_policy(`
+ dirmngr_exec(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_entry_type(portage_fetch_t)
+ gpg_exec(portage_fetch_t)
+ gpg_exec_agent(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+allow portage_sandbox_t self:capability setfcap;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
+portage_compile_domain(portage_sandbox_t)
+
+auth_use_nsswitch(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
+')
+
+ifdef(`distro_gentoo',`
+
+## <desc>
+## <p>
+## Determine whether portage can mount file systems (used to mount /boot for instance).
+## </p>
+## </desc>
+gen_tunable(portage_mount_fs, false)
+
+## <desc>
+## <p>
+## Extra rules which are sometimes needed when FEATURES=test is enabled
+## </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
+
+ ##########################################
+ #
+ # Type declarations
+ #
+
+ type gcc_config_tmp_t;
+ files_tmp_file(gcc_config_tmp_t)
+
+ # Assigned to domains that are managed by eselect
+ attribute portage_eselect_domain;
+
+ ##########################################
+ #
+ # Portage fetch local policy
+ #
+
+ manage_files_pattern(portage_fetch_t, portage_cache_t, portage_cache_t)
+ manage_dirs_pattern(portage_fetch_t, portage_cache_t, portage_cache_t)
+ read_lnk_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+ manage_lnk_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+ dev_rw_autofs(portage_fetch_t)
+
+ xdg_read_config_home_files(portage_fetch_t)
+
+ portage_domtrans(portage_fetch_t)
+ portage_read_config(portage_fetch_t)
+
+ ##########################################
+ #
+ # GCC config local policy
+ #
+
+ allow gcc_config_t self:capability dac_override;
+ allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
+ can_exec(gcc_config_t, gcc_config_tmp_t) # libffi support
+ files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+ files_manage_etc_runtime_files(gcc_config_t)
+ files_manage_etc_runtime_lnk_files(gcc_config_t)
+
+ portage_read_config(gcc_config_t)
+
+ ##########################################
+ #
+ # Portage local policy
+ #
+
+ # Support ipc-sandbox and network-sandbox FEATURES
+ allow portage_t self:capability { net_admin sys_admin };
+
+ allow portage_t self:capability2 block_suspend;
+
+ allow portage_t { portage_fetch_t portage_sandbox_t }:process signal_perms;
+
+ # Support self-update of Portage
+ allow portage_t portage_tmp_t:dir relabel_dir_perms;
+ allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
+ allow portage_t portage_exec_t:file relabel_file_perms;
+ allow portage_t portage_fetch_exec_t:file relabel_file_perms;
+
+ kernel_read_vm_overcommit_sysctl(portage_t)
+
+ # Portage is selinuxaware, transitions on calling ebuild, now marked as bin_t
+ corecmd_bin_entry_type(portage_t)
+ # Support self-update of Portage
+ corecmd_relabel_bin_dirs(portage_t)
+ corecmd_relabel_bin_files(portage_t)
+ corecmd_relabel_bin_lnk_files(portage_t)
+
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
+ auth_use_nsswitch(portage_t)
+
+ # Support cgroup FEATURES
+ fs_mount_cgroup(portage_t)
+ fs_mounton_cgroup(portage_t)
+
+ libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
+ # Support self-update of Portage
+ libs_relabel_lib_dirs(portage_t)
+ libs_relabel_lib_files(portage_t)
+
+ optional_policy(`
+ tunable_policy(`portage_mount_fs',`
+ mount_domtrans(portage_t)
+ ')
+ ')
+
+ ##########################################
+ #
+ # Portage sandbox local policy
+ #
+ allow portage_sandbox_t self:capability2 block_suspend;
+
+ rw_dirs_pattern(portage_sandbox_t, portage_log_t, portage_log_t)
+
+ # When using live ebuilds, manipulation is done in sandbox domain
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "cvs-src")
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "egit-src") # git-2.eclass
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "git3-src") # git-r3.eclass
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "go-src")
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "hg-src")
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "svn-src")
+
+ # install-xattr does listxattr() which throws a lot of this
+ dontaudit portage_sandbox_t self:capability sys_admin;
+
+ tunable_policy(`portage_enable_test',`
+ # lots of tests connect over loopback
+ corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
+ corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_generic_node(portage_sandbox_t)
+ corenet_udp_sendrecv_all_ports(portage_sandbox_t)
+ ')
+
+ ##########################################
+ #
+ # Portage eselect module domain
+ #
+
+ allow portage_eselect_domain self:fifo_file { read write };
+
+ corecmd_exec_shell(portage_eselect_domain)
+
+ files_manage_etc_runtime_files(portage_eselect_domain)
+')
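Review bot: portage_fetch_t, the only network-facing domain in this module, is given outbound TCP to every reserved and unreserved port (corenet_tcp_connect_all_reserved_ports / corenet_tcp_connect_all_unreserved_ports) while also holding chown, dac_override, dac_read_search and fowner plus manage rights over portage_ebuild_t, and the comment right above those rules already says the unspecified-port access is not wanted in general. Consider keeping the named-port rules (http cache, git, rsync) unconditional and moving the two catch-all connects behind a tunable that defaults to false, following the `portage_use_nfs` pattern the same file uses for NFS access. The `ifdef(`TODO',...)` block near the end of the merging rules ("seems to work ok without these") and the commented-out dontaudit inside the modutils optional_policy are dead code and could be dropped in the same pass.
```m4
## <desc>
## <p>
## Determine whether portage fetch may connect to
## arbitrary TCP ports (suggested tunable; name is a proposal).
## </p>
## </desc>
gen_tunable(portage_fetch_connect_all_ports, false)

# … unchanged: named-port corenet rules for portage_fetch_t …

tunable_policy(`portage_fetch_connect_all_ports',`
	corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
	corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
')
```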
diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
new file mode 100644
index 00000000..8823d27a
--- /dev/null
+++ b/policy/modules/admin/prelink.fc
@@ -0,0 +1,13 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
+
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/bin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
new file mode 100644
index 00000000..20d46979
--- /dev/null
+++ b/policy/modules/admin/prelink.if
@@ -0,0 +1,205 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+## Execute prelink in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelink_domtrans',`
+ gen_require(`
+ type prelink_t, prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Execute prelink in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+## <summary>
+## Execute prelink in the prelink
+## domain, and allow the specified role
+## the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelink_run',`
+ gen_require(`
+ attribute_role prelink_roles;
+ ')
+
+ prelink_domtrans($1)
+ roleattribute $2 prelink_roles;
+')
+
+########################################
+## <summary>
+## Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+## <summary>
+## File type to be prelinked.
+## </summary>
+## </param>
+#
+interface(`prelink_object_file',`
+ gen_require(`
+ attribute prelink_object;
+ ')
+
+ typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+## Read prelink cache files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_read_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 prelink_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete prelink cache files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_delete_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_rw_etc_dirs($1)
+ allow $1 prelink_cache_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink log files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_log',`
+ gen_require(`
+ type prelink_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, prelink_log_t, prelink_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink var_lib files.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_manage_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel from prelink lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabelfrom_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+## <summary>
+## Relabel prelink lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
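Review bot: The `<param name="file_type">` tags on prelink_read_cache, prelink_delete_cache, prelink_manage_log and prelink_manage_lib name a parameter whose own summary reads "Domain allowed access." and which is used as the subject of the allow and pattern rules, so the generated interface documentation will describe a domain argument as a file type. Change each of the four to `## <param name="domain">`; prelink_relabelfrom_lib and prelink_relabel_lib in the same file already use the correct name.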
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
new file mode 100644
index 00000000..43276472
--- /dev/null
+++ b/policy/modules/admin/prelink.te
@@ -0,0 +1,205 @@
+policy_module(prelink, 1.12.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+attribute_role prelink_roles;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t, prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
+role prelink_roles types prelink_t;
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+domain_obj_id_change_exemption(prelink_cron_system_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+type prelink_tmp_t;
+files_tmp_file(prelink_tmp_t)
+
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
+type prelink_var_lib_t;
+files_type(prelink_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+allow prelink_t self:process { execheap execmem execstack signal };
+allow prelink_t self:fifo_file rw_fifo_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir setattr_dir_perms;
+create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
+files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
+
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+
+allow prelink_t prelink_object:file { manage_file_perms mmap_exec_file_perms relabel_file_perms };
+
+kernel_read_system_state(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
+
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
+
+dev_read_urand(prelink_t)
+
+files_getattr_all_files(prelink_t)
+files_list_all(prelink_t)
+files_manage_usr_files(prelink_t)
+files_manage_var_files(prelink_t)
+files_read_etc_files(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
+files_search_var_lib(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
+
+fs_getattr_all_fs(prelink_t)
+fs_search_auto_mountpoints(prelink_t)
+
+selinux_get_enforce_mode(prelink_t)
+
+storage_getattr_fixed_disk_dev(prelink_t)
+
+libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+userdom_use_user_terminals(prelink_t)
+userdom_manage_user_home_content_files(prelink_t)
+# pending
+# userdom_relabel_user_home_content_files(prelink_t)
+# userdom_execmod_user_home_content_files(prelink_t)
+userdom_exec_user_home_content_files(prelink_t)
+
+ifdef(`hide_broken_symptoms',`
+ miscfiles_read_man_pages(prelink_t)
+
+ optional_policy(`
+ dbus_read_config(prelink_t)
+ ')
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(prelink_t)
+ fs_manage_nfs_files(prelink_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(prelink_t)
+ fs_manage_cifs_files(prelink_t)
+')
+
+optional_policy(`
+ amanda_manage_lib(prelink_t)
+')
+
+optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
+')
+
+optional_policy(`
+ mozilla_manage_plugin_rw_files(prelink_t)
+')
+
+optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
+
+########################################
+#
+# Cron system local policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ dev_list_sysfs(prelink_cron_system_t)
+ dev_read_sysfs(prelink_cron_system_t)
+
+ files_rw_etc_dirs(prelink_cron_system_t)
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+
+ auth_use_nsswitch(prelink_cron_system_t)
+
+ init_telinit(prelink_cron_system_t)
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
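Review bot: unconfined_domain(prelink_t) in the last optional_policy block of the local policy section makes every rule above it moot on any system that ships the unconfined module, for a domain that already manages and relabels all executables and shared libraries, manages user home content and runs with execmem, execheap and execstack, and the block carries no comment saying why the confined rule set is not considered sufficient. If the fallback is intentional, document it with `# prelink_t is unconfined whenever the unconfined module is loaded; the rules above only apply without it`; if it is a leftover, it should be removed so the confinement actually applies. The two "# pending" commented-out userdom calls (relabel and execmod of user home content files) should likewise be either enabled or deleted rather than shipped as comments.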
diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
new file mode 100644
index 00000000..9bb4d9f2
--- /dev/null
+++ b/policy/modules/admin/puppet.fc
@@ -0,0 +1,18 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+
+/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/policy/modules/admin/puppet.if b/policy/modules/admin/puppet.if
new file mode 100644
index 00000000..135dafb2
--- /dev/null
+++ b/policy/modules/admin/puppet.if
@@ -0,0 +1,233 @@
+## <summary>Configuration management system.</summary>
+
+########################################
+## <summary>
+## Execute puppetca in the puppetca
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`puppet_domtrans_puppetca',`
+ gen_require(`
+ type puppetca_t, puppetca_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
+')
+
+#####################################
+## <summary>
+## Execute puppetca in the puppetca
+## domain and allow the specified
+## role the puppetca domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`puppet_run_puppetca',`
+ gen_require(`
+ attribute_role puppetca_roles;
+ ')
+
+ puppet_domtrans_puppetca($1)
+ roleattribute $2 puppetca_roles;
+')
+
+####################################
+## <summary>
+## Read puppet configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_read_config',`
+ gen_require(`
+ type puppet_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 puppet_etc_t:dir list_dir_perms;
+ allow $1 puppet_etc_t:file read_file_perms;
+ allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+')
+
+################################################
+## <summary>
+## Read Puppet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_read_lib_files',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+')
+
+###############################################
+## <summary>
+## Create, read, write, and delete
+## puppet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_manage_lib_files',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+')
+
+#####################################
+## <summary>
+## Append puppet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_append_log_files',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
+')
+
+#####################################
+## <summary>
+## Create puppet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_create_log_files',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
+')
+
+#####################################
+## <summary>
+## Read puppet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_read_log_files',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
+')
+
+################################################
+## <summary>
+## Read and write to puppet tempoprary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`puppet_rw_tmp', `
+ gen_require(`
+ type puppet_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 puppet_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an puppet environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`puppet_admin',`
+ gen_require(`
+ type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
+ type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
+ type puppet_var_run_t, puppetmaster_tmp_t;
+ type puppet_t, puppetca_t, puppetmaster_t;
+ ')
+
+ allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+
+ init_startstop_service($1, $2, puppet_t, puppet_initrc_exec_t)
+ init_startstop_service($1, $2, puppetmaster_t, puppetmaster_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, puppet_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, puppet_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, puppet_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, puppet_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
+
+ puppet_run_puppetca($1, $2)
+')
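Review bot: The summary of puppet_rw_tmp misspells "temporary" as "tempoprary", and the summary of puppet_admin reads "administrate an puppet environment" where it should read "administer a puppet environment". The header of puppet_rw_tmp also has a stray space between the comma and the opening quote that no other interface in the file has, and the hash separator lines above puppet_run_puppetca, puppet_read_config, puppet_read_lib_files and several later interfaces vary in width instead of the 40-hash rule used above puppet_domtrans_puppetca; both are cosmetic but make the file read as stitched together from different sources.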
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
new file mode 100644
index 00000000..0e8161a2
--- /dev/null
+++ b/policy/modules/admin/puppet.te
@@ -0,0 +1,413 @@
+policy_module(puppet, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether puppet can
+## manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+attribute_role puppetca_roles;
+roleattribute system_r puppetca_roles;
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t)
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+init_daemon_pid_file(puppet_var_run_t, dir, "puppet")
+
+type puppetca_t;
+type puppetca_exec_t;
+application_domain(puppetca_t, puppetca_exec_t)
+role puppetca_roles types puppetca_t;
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:tcp_socket { accept listen };
+allow puppet_t self:udp_socket create_socket_perms;
+
+allow puppet_t puppet_etc_t:dir list_dir_perms;
+allow puppet_t puppet_etc_t:file read_file_perms;
+allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+can_exec(puppet_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+kernel_read_kernel_sysctls(puppet_t)
+kernel_read_net_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+corecmd_read_all_executables(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+
+corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_tcp_sendrecv_puppet_port(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_interactive_fd(puppet_t)
+domain_read_all_domains_state(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+files_search_var_lib(puppet_t)
+
+selinux_get_fs_mount(puppet_t)
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+mount_domtrans(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
+
+tunable_policy(`puppet_manage_all_files',`
+ files_manage_non_auth_files(puppet_t)
+')
+
+optional_policy(`
+ cfengine_read_lib_files(puppet_t)
+')
+
+optional_policy(`
+ consoletype_exec(puppet_t)
+')
+
+optional_policy(`
+ hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ mount_domtrans(puppet_t)
+')
+
+optional_policy(`
+ mta_send_mail(puppet_t)
+')
+
+optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+')
+
+optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+ rpm_manage_db(puppet_t)
+ rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+ shorewall_domtrans(puppet_t)
+')
+
+optional_policy(`
+ unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
+')
+
+########################################
+#
+# Ca local policy
+#
+
+allow puppetca_t self:capability { dac_override setgid setuid };
+allow puppetca_t self:fifo_file rw_fifo_file_perms;
+
+allow puppetca_t puppet_etc_t:dir list_dir_perms;
+allow puppetca_t puppet_etc_t:file read_file_perms;
+allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+
+allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
+manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
+
+allow puppetca_t puppet_log_t:dir search_dir_perms;
+
+allow puppetca_t puppet_var_run_t:dir search_dir_perms;
+
+kernel_read_system_state(puppetca_t)
+kernel_read_kernel_sysctls(puppetca_t)
+
+corecmd_exec_bin(puppetca_t)
+corecmd_exec_shell(puppetca_t)
+
+dev_read_urand(puppetca_t)
+dev_search_sysfs(puppetca_t)
+
+files_read_etc_files(puppetca_t)
+files_search_pids(puppetca_t)
+files_search_var_lib(puppetca_t)
+
+selinux_validate_context(puppetca_t)
+
+logging_search_logs(puppetca_t)
+
+miscfiles_read_localization(puppetca_t)
+miscfiles_read_generic_certs(puppetca_t)
+
+seutil_read_file_contexts(puppetca_t)
+
+optional_policy(`
+ hostname_exec(puppetca_t)
+')
+
+########################################
+#
+# Master local policy
+#
+
+allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket nlmsg_write;
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket { accept listen };
+
+allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
+allow puppetmaster_t puppet_etc_t:file read_file_perms;
+allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
+
+allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
+append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
+allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
+
+allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
+allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_network_state(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+kernel_read_kernel_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+dev_search_sysfs(puppetmaster_t)
+
+domain_obj_id_change_exemption(puppetmaster_t)
+domain_read_all_domains_state(puppetmaster_t)
+
+files_read_usr_files(puppetmaster_t)
+
+selinux_validate_context(puppetmaster_t)
+
+auth_use_nsswitch(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_generic_certs(puppetmaster_t)
+miscfiles_read_localization(puppetmaster_t)
+
+seutil_read_file_contexts(puppetmaster_t)
+
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+ hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+ mta_send_mail(puppetmaster_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(puppetmaster_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(puppetmaster_t)
+')
+
+optional_policy(`
+ files_read_usr_symlinks(puppetmaster_t)
+
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+')
+
+ifdef(`distro_gentoo',`
+ ##########################################
+ #
+ # Puppet master policy
+ #
+
+ rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+
+ manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+
+ optional_policy(`
+ usermanage_check_exec_passwd(puppetmaster_t)
+ usermanage_check_exec_useradd(puppetmaster_t)
+ ')
+
+ ###########################################
+ #
+ # Puppet client policy
+ #
+ corenet_tcp_bind_generic_node(puppet_t)
+
+ corenet_sendrecv_puppetclient_server_packets(puppet_t)
+ corenet_tcp_bind_puppetclient_port(puppet_t)
+ corenet_tcp_sendrecv_puppetclient_port(puppet_t)
+
+ usermanage_domtrans_passwd(puppet_t)
+
+ tunable_policy(`puppet_manage_all_files',`
+ # We should use files_relabel_all_files here, but it calls
+ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
+ # which is not allowed within a tunable_policy.
+ # So, we duplicate the content of files_relabel_all_files except for
+ # the policy configuration stuff and hope users do that through Portage
+
+ gen_require(`
+ attribute file_type;
+ attribute security_file_type;
+ type policy_config_t;
+ ')
+
+ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ ')
+
+ optional_policy(`
+ dmidecode_domtrans(puppet_t)
+ ')
+
+ optional_policy(`
+ init_exec_rc(puppet_t)
+ portage_read_cache(puppet_t)
+ portage_read_config(puppet_t)
+ portage_read_ebuild(puppet_t)
+ portage_run(puppet_t, system_r)
+ ')
+')
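Review bot: `mount_domtrans(puppet_t)` is called unconditionally right after `seutil_domtrans_semanage(puppet_t)`'s neighbours in the local policy and again inside an `optional_policy` block a few lines later; the bare call makes puppet a hard dependency on the mount module and leaves the optional block redundant, so drop the unconditional line and keep only `optional_policy(` `mount_domtrans(puppet_t)` `')`. Separately, the `optional_policy` block holding `unconfined_domain(puppet_t)` turns puppet_t into an unconfined domain whenever the unconfined module is loaded, which makes the `puppet_manage_all_files` tunable and the rest of this confinement moot on such systems; that should at least be stated, e.g. `# puppet_t is effectively unconfined when the unconfined module is present`, or be gated behind its own tunable. The section header `# Ca local policy` would also read better as `# CA local policy`.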
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
new file mode 100644
index 00000000..28a21a8b
--- /dev/null
+++ b/policy/modules/admin/quota.fc
@@ -0,0 +1,32 @@
+HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+
+/usr/bin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+
+/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+
+/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+
+/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
new file mode 100644
index 00000000..6f8a9250
--- /dev/null
+++ b/policy/modules/admin/quota.if
@@ -0,0 +1,191 @@
+## <summary>File system quota management.</summary>
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_exec_t, quota_t)
+')
+
+########################################
+## <summary>
+## Execute quota management tools in
+## the quota domain, and allow the
+## specified role the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quota_run',`
+ gen_require(`
+ attribute_role quota_roles;
+ ')
+
+ quota_domtrans($1)
+ roleattribute $2 quota_roles;
+')
+
+#######################################
+## <summary>
+## Execute quota nld in the quota nld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans_nld',`
+ gen_require(`
+ type quota_nld_t, quota_nld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## quota db files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_manage_db_files',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ allow $1 quota_db_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in specified
+## directories with a type transition to
+## the quota db file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Directory to transition on.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`quota_spec_filetrans_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ filetrans_pattern($1, $2, quota_db_t, $3, $4)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attributes
+## of filesystem quota data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## quota flag files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an quota environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quota_admin',`
+ gen_require(`
+ type quota_nld_t, quota_t, quota_db_t;
+ type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ ')
+
+ allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { quota_nld_t quota_t })
+
+ init_startstop_service($1, $2, quota_nld_t, quota_nld_initrc_exec_t)
+
+ files_list_all($1)
+ admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
+')
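Review bot: The `quota_admin` summary reads "administrate an quota environment"; it should be `## administrate a quota environment.`. The separator above `quota_domtrans_nld` is one `#` short of the 40-character rule used by every other interface in this file, so `#######################################` should become `########################################` for consistency.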
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
new file mode 100644
index 00000000..e85d6d8b
--- /dev/null
+++ b/policy/modules/admin/quota.te
@@ -0,0 +1,131 @@
+policy_module(quota, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role quota_roles;
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t, quota_exec_t)
+role quota_roles types quota_t;
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+type quota_nld_t;
+type quota_nld_exec_t;
+init_daemon_domain(quota_nld_t, quota_nld_exec_t)
+
+type quota_nld_initrc_exec_t;
+init_script_file(quota_nld_initrc_exec_t)
+
+type quota_nld_var_run_t;
+files_pid_file(quota_nld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow quota_t self:capability { dac_override sys_admin };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+allow quota_t quota_db_t:file { manage_file_perms quotaon };
+files_root_filetrans(quota_t, quota_db_t, file)
+files_boot_filetrans(quota_t, quota_db_t, file)
+files_etc_filetrans(quota_t, quota_db_t, file)
+files_tmp_filetrans(quota_t, quota_db_t, file)
+files_home_filetrans(quota_t, quota_db_t, file)
+files_usr_filetrans(quota_t, quota_db_t, file)
+files_var_filetrans(quota_t, quota_db_t, file)
+files_spool_filetrans(quota_t, quota_db_t, file)
+userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
+
+kernel_request_load_module(quota_t)
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctls(quota_t)
+kernel_setsched(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+files_read_etc_runtime_files(quota_t)
+
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+mls_file_read_all_levels(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_interactive_fds(quota_t)
+
+init_use_fds(quota_t)
+init_use_script_ptys(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_use_user_terminals(quota_t)
+userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+optional_policy(`
+ mta_queue_filetrans(quota_t, quota_db_t, file)
+ mta_spool_filetrans(quota_t, quota_db_t, file)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`
+ udev_read_db(quota_t)
+')
+
+#######################################
+#
+# Nld local policy
+#
+
+allow quota_nld_t self:fifo_file rw_fifo_file_perms;
+allow quota_nld_t self:netlink_socket create_socket_perms;
+allow quota_nld_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
+files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
+
+kernel_read_network_state(quota_nld_t)
+
+auth_use_nsswitch(quota_nld_t)
+
+init_read_utmp(quota_nld_t)
+
+logging_send_syslog_msg(quota_nld_t)
+
+miscfiles_read_localization(quota_nld_t)
+
+userdom_use_user_terminals(quota_nld_t)
+
+optional_policy(`
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
+')
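Review bot: In the nld local policy, `files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })` wraps a single object class in braces, unlike every other single-class filetrans call in this file (`files_root_filetrans(quota_t, quota_db_t, file)` etc.); write it as `files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, file)`. The `# Nld local policy` separator is also one `#` shorter than the `# Local policy` one above it.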
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
new file mode 100644
index 00000000..823f5454
--- /dev/null
+++ b/policy/modules/admin/readahead.fc
@@ -0,0 +1,7 @@
+/usr/bin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
+/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+
+/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
new file mode 100644
index 00000000..661bb88f
--- /dev/null
+++ b/policy/modules/admin/readahead.if
@@ -0,0 +1,21 @@
+## <summary>Read files into page cache for improved performance.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition
+## to run readahead.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`readahead_domtrans',`
+ gen_require(`
+ type readahead_t, readahead_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
new file mode 100644
index 00000000..4b40fe71
--- /dev/null
+++ b/policy/modules/admin/readahead.te
@@ -0,0 +1,103 @@
+policy_module(readahead, 1.16.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_system_domain(readahead_t, readahead_exec_t)
+
+type readahead_var_lib_t;
+files_type(readahead_var_lib_t)
+typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
+
+########################################
+#
+# Local policy
+#
+
+allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin };
+dontaudit readahead_t self:capability { net_admin sys_tty_config };
+allow readahead_t self:process { setsched signal_perms };
+
+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+
+manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+
+kernel_read_all_sysctls(readahead_t)
+kernel_read_system_state(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
+dev_dontaudit_getattr_nvram_dev(readahead_t)
+dev_dontaudit_rw_generic_chr_files(readahead_t)
+
+domain_use_interactive_fds(readahead_t)
+domain_read_all_domains_state(readahead_t)
+
+files_create_boot_flag(readahead_t)
+files_getattr_all_pipes(readahead_t)
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+files_search_var_lib(readahead_t)
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_dontaudit_getattr_non_security_blk_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
+fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
+fs_list_inotifyfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
+fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+
+mcs_file_read_all(readahead_t)
+
+mls_file_read_all_levels(readahead_t)
+
+storage_raw_read_fixed_disk(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fds(readahead_t)
+init_use_script_ptys(readahead_t)
+init_getattr_initctl(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+logging_set_audit_parameters(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
+
+optional_policy(`
+ cron_system_entry(readahead_t, readahead_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(readahead_t)
+')
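Review bot: `typealias readahead_var_lib_t alias readahead_etc_rw_t;` in the declarations carries no comment, so a reader cannot tell whether the alias is still needed; presumably it preserves compatibility with older labels or policies that reference `readahead_etc_rw_t`, and a one-line comment such as `# compatibility alias; readahead_etc_rw_t was the former name of this type (TODO confirm it can be dropped)` would make that explicit.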
diff --git a/policy/modules/admin/rkhunter.fc b/policy/modules/admin/rkhunter.fc
new file mode 100644
index 00000000..d3c949c8
--- /dev/null
+++ b/policy/modules/admin/rkhunter.fc
@@ -0,0 +1,5 @@
+/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)
+
+/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+
+/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0)
diff --git a/policy/modules/admin/rkhunter.if b/policy/modules/admin/rkhunter.if
new file mode 100644
index 00000000..9537e1f5
--- /dev/null
+++ b/policy/modules/admin/rkhunter.if
@@ -0,0 +1,46 @@
+## <summary>rkhunter - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rkhunter.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkhunter_domtrans',`
+ gen_require(`
+ type rkhunter_t, rkhunter_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
+')
+
+########################################
+## <summary>
+## Execute rkhunter in the rkhunter domain,
+## and allow the specified role
+## the rkhunter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_run',`
+ gen_require(`
+ attribute_role rkhunter_roles;
+ ')
+
+ rkhunter_domtrans($1)
+ roleattribute $2 rkhunter_roles;
+')
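Review bot: `rkhunter_run` takes a role parameter and calls `roleattribute $2 rkhunter_roles;` but its XML documentation lacks the `## <rolecap/>` tag that the other run/admin interfaces in this commit carry (e.g. `quota_run`, `puppet_admin`); add `## <rolecap/>` after the `role` parameter block so the interface is treated as a role capability by the policy documentation tooling.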
diff --git a/policy/modules/admin/rkhunter.te b/policy/modules/admin/rkhunter.te
new file mode 100644
index 00000000..e87a37fe
--- /dev/null
+++ b/policy/modules/admin/rkhunter.te
@@ -0,0 +1,134 @@
+policy_module(rkhunter, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rkhunter can connect
+## to http ports. This is required by the
+## --update option.
+## </p>
+## </desc>
+gen_tunable(rkhunter_connect_http, false)
+
+attribute_role rkhunter_roles;
+
+type rkhunter_t;
+type rkhunter_exec_t;
+application_domain(rkhunter_t, rkhunter_exec_t)
+role rkhunter_roles types rkhunter_t;
+
+type rkhunter_log_t;
+logging_log_file(rkhunter_log_t)
+
+type rkhunter_tmpfs_t;
+files_tmpfs_file(rkhunter_tmpfs_t)
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow rkhunter_t self:capability { dac_read_search kill net_admin setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:process { getsched setsched signal };
+allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
+allow rkhunter_t self:tcp_socket { bind connect create listen read write };
+allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
+allow rkhunter_t self:fifo_file rw_fifo_file_perms;
+
+allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
+
+allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
+
+allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
+allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
+
+kernel_request_load_module(rkhunter_t)
+kernel_read_all_sysctls(rkhunter_t)
+kernel_read_network_state(rkhunter_t)
+kernel_getattr_message_if(rkhunter_t)
+kernel_get_sysvipc_info(rkhunter_t)
+
+auth_dontaudit_read_shadow(rkhunter_t)
+
+corecmd_exec_bin(rkhunter_t)
+corecmd_exec_shell(rkhunter_t)
+
+corenet_tcp_bind_all_ports(rkhunter_t)
+corenet_udp_bind_all_ports(rkhunter_t)
+corenet_tcp_bind_generic_node(rkhunter_t)
+corenet_udp_bind_generic_node(rkhunter_t)
+
+dev_getattr_fs(rkhunter_t)
+dev_read_urand(rkhunter_t)
+dev_getattr_all_chr_files(rkhunter_t)
+dev_getattr_all_blk_files(rkhunter_t)
+
+domain_read_all_domains_state(rkhunter_t)
+domain_use_interactive_fds(rkhunter_t)
+domain_getattr_all_sockets(rkhunter_t)
+domain_getattr_all_pipes(rkhunter_t)
+domain_getpgid_all_domains(rkhunter_t)
+domain_getsched_all_domains(rkhunter_t)
+domain_getsession_all_domains(rkhunter_t)
+domain_signull_all_domains(rkhunter_t)
+
+files_read_non_auth_files(rkhunter_t)
+files_read_all_symlinks(rkhunter_t)
+files_read_all_chr_files(rkhunter_t)
+files_getattr_all_pipes(rkhunter_t)
+files_getattr_all_sockets(rkhunter_t)
+files_check_write_lock_dirs(rkhunter_t)
+files_check_write_pid_dirs(rkhunter_t)
+
+fs_getattr_tracefs(rkhunter_t)
+fs_getattr_tracefs_dirs(rkhunter_t)
+fs_getattr_xattr_fs(rkhunter_t)
+
+hostname_exec(rkhunter_t)
+
+logging_send_syslog_msg(rkhunter_t)
+
+modutils_exec(rkhunter_t)
+
+sysnet_exec_ifconfig(rkhunter_t)
+
+userdom_use_inherited_user_terminals(rkhunter_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(rkhunter_t, rkhunter_exec_t)
+')
+
+tunable_policy(`rkhunter_connect_http',`
+ corenet_tcp_connect_http_port(rkhunter_t)
+')
+
+optional_policy(`
+ cron_system_entry(rkhunter_t, rkhunter_exec_t)
+ cron_rw_inherited_system_job_tmp_files(rkhunter_t)
+')
+
+optional_policy(`
+ # exim check
+ exim_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # gpg check
+ gpg_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # ssh check
+ ssh_exec_sshd(rkhunter_t)
+')
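Review bot: `corenet_tcp_bind_all_ports(rkhunter_t)` and `corenet_udp_bind_all_ports(rkhunter_t)` grant the checker the right to bind every labeled port without any comment explaining why a read-mostly scanner needs it; presumably this supports its hidden-listener check, which probes ports by attempting to bind them, and the intent should be recorded, e.g. `# port-hiding check binds every port to detect concealed listeners (confirm against rkhunter's hidden-ports test)`. The later `optional_policy` blocks already follow this convention (`# exim check`, `# gpg check`, `# ssh check`), so the unexplained block stands out.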
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
new file mode 100644
index 00000000..9faf3c42
--- /dev/null
+++ b/policy/modules/admin/rpm.fc
@@ -0,0 +1,72 @@
+/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
+
+/usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+')
+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0)
+
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+ifdef(`enable_mls',`
+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
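Review bot: The bcfg2 entries in this file (the `/etc/rc\.d/init\.d/bcfg2` init script, `/usr/bin/bcfg2`, `/usr/sbin/bcfg2`, `/var/cache/bcfg2(/.*)?` and `/var/lock/bcfg2\.run`) give bcfg2 rpm_* labels, although the same commit also adds a dedicated bcfg2 module (bcfg2.fc/.if/.te appear in the diffstat). If bcfg2.fc specifies any of the same paths the two file-context specifications will conflict at policy build time; if it does not, the split is undocumented and easy to break later. A one-line comment above the first bcfg2 entry, e.g. `# bcfg2 client-side paths are deliberately labelled with rpm types; see bcfg2.fc for the rest`, worded to match what bcfg2.fc actually covers, would make the intent explicit. Separately, `/run/yum.*` uses an unescaped dot while `/var/log/yum\.log.*` escapes it; if only `yum` and `yum.<suffix>` are meant, `/run/yum(\..*)?` is the tighter and consistent form.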
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
new file mode 100644
index 00000000..d316410d
--- /dev/null
+++ b/policy/modules/admin/rpm.if
@@ -0,0 +1,648 @@
+## <summary>Redhat package manager.</summary>
+
+########################################
+## <summary>
+## Execute rpm in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans',`
+ gen_require(`
+ type rpm_t, rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpm_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute debuginfo install
+## in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_debuginfo_domtrans',`
+ gen_require(`
+ type rpm_t, debuginfo_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute rpm scripts in the rpm script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans_script',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ corecmd_shell_domtrans($1, rpm_script_t)
+
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute rpm in the rpm domain,
+## and allow the specified roles the
+## rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_run',`
+ gen_require(`
+ attribute_role rpm_roles;
+ ')
+
+ rpm_domtrans($1)
+ roleattribute $2 rpm_roles;
+')
+
+########################################
+## <summary>
+## Execute the rpm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_exec',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rpm_exec_t)
+')
+
+########################################
+## <summary>
+## Send null signals to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_signull',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:process signull;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_fds',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read rpm unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write rpm unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_t:dbus send_msg;
+ allow rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and
+## receive messages from rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rpm_t:dbus send_msg;
+ dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm script over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+ gen_require(`
+ type rpm_script_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_script_t:dbus send_msg;
+ allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search rpm log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_search_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+## Append rpm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 rpm_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use rpm script file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_use_script_fds',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpm script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+#####################################
+## <summary>
+## Append rpm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## Read rpm script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+## Read rpm cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 rpm_var_cache_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpm cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Read rpm lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 rpm_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Delete rpm lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## rpm lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete rpm lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_manage_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 rpm_var_lib_t:file map;
+')
+
+#####################################
+## <summary>
+## Read rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Create, read, write, and delete
+## rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in pid directories
+## with the rpm pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans_rpm_pid',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rpm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_admin',`
+ gen_require(`
+ type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
+ type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+ ')
+
+ allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { rpm_t rpm_script_t })
+
+ init_startstop_service($1, $2, rpm_t, rpm_initrc_exec_t)
+
+ admin_pattern($1, rpm_file_t)
+
+ files_list_var($1)
+ admin_pattern($1, rpm_var_cache_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
+
+ files_list_var_lib($1)
+ admin_pattern($1, rpm_var_lib_t)
+
+ files_search_locks($1)
+ admin_pattern($1, rpm_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, rpm_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpm_var_run_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
+')
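Review bot: `rpm_pid_filetrans_rpm_pid` passes `$3` and `$4` to `files_pid_filetrans` although its own documentation declares only three parameters (domain, object_class, optional name), so a caller written against the documentation has its class argument (`$2`) silently dropped and its optional name used as the class; the body should read `files_pid_filetrans($1, rpm_var_run_t, $2, $3)`. `rpm_manage_cache` also calls `files_search_var_lib($1)` even though rpm_var_cache_t is applied under /var/cache in rpm.fc, whereas `rpm_read_cache` correctly uses `files_search_var($1)`; the manage interface should use the same search rule as the read one so callers can actually reach the directory. No caller of either interface is visible in this chunk, so the impact is limited to future users, but both are worth correcting while the file is being moved.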
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
new file mode 100644
index 00000000..aee8795b
--- /dev/null
+++ b/policy/modules/admin/rpm.te
@@ -0,0 +1,422 @@
+policy_module(rpm, 1.21.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rpm_roles;
+
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
+
+type rpm_t;
+type rpm_exec_t;
+init_system_domain(rpm_t, rpm_exec_t)
+domain_obj_id_change_exemption(rpm_t)
+domain_role_change_exemption(rpm_t)
+domain_system_change_exemption(rpm_t)
+domain_interactive_fd(rpm_t)
+role rpm_roles types rpm_t;
+
+type rpm_initrc_exec_t;
+init_script_file(rpm_initrc_exec_t)
+
+type rpm_file_t;
+files_type(rpm_file_t)
+
+type rpm_tmp_t;
+files_tmp_file(rpm_tmp_t)
+
+type rpm_tmpfs_t;
+files_tmpfs_file(rpm_tmpfs_t)
+
+type rpm_lock_t;
+files_lock_file(rpm_lock_t)
+
+type rpm_log_t;
+logging_log_file(rpm_log_t)
+
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
+type rpm_var_lib_t;
+files_type(rpm_var_lib_t)
+typealias rpm_var_lib_t alias var_lib_rpm_t;
+
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
+type rpm_script_t;
+type rpm_script_exec_t;
+domain_obj_id_change_exemption(rpm_script_t)
+domain_system_change_exemption(rpm_script_t)
+corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
+domain_type(rpm_script_t)
+domain_entry_file(rpm_t, rpm_script_exec_t)
+domain_interactive_fd(rpm_script_t)
+role rpm_roles types rpm_script_t;
+role system_r types rpm_script_t;
+
+type rpm_script_tmp_t;
+files_tmp_file(rpm_script_tmp_t)
+
+type rpm_script_tmpfs_t;
+files_tmpfs_file(rpm_script_tmpfs_t)
+
+########################################
+#
+# rpm Local policy
+#
+
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
+allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow rpm_t self:fd use;
+allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket sendto;
+allow rpm_t self:unix_stream_socket { accept connectto listen };
+allow rpm_t self:udp_socket connect;
+allow rpm_t self:tcp_socket { accept listen };
+allow rpm_t self:shm create_shm_perms;
+allow rpm_t self:sem create_sem_perms;
+allow rpm_t self:msgq create_msgq_perms;
+allow rpm_t self:msg { send receive };
+allow rpm_t self:file rw_file_perms;
+allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(rpm_t, rpm_log_t, file)
+
+manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+
+manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
+manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
+files_lock_filetrans(rpm_t, rpm_lock_t, file)
+
+manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
+
+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
+
+can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
+
+kernel_read_crypto_sysctls(rpm_t)
+kernel_read_network_state(rpm_t)
+kernel_read_system_state(rpm_t)
+kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
+kernel_rw_irq_sysctls(rpm_t)
+
+corecmd_exec_all_executables(rpm_t)
+
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
+corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_tcp_sendrecv_all_ports(rpm_t)
+
+corenet_sendrecv_all_client_packets(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
+
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
+dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
+
+dev_manage_all_dev_nodes(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
+
+dev_create_generic_blk_files(rpm_t)
+dev_create_generic_chr_files(rpm_t)
+
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
+
+files_exec_etc_files(rpm_t)
+files_relabel_non_auth_files(rpm_t)
+files_manage_non_auth_files(rpm_t)
+
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
+fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
+
+mls_file_read_all_levels(rpm_t)
+mls_file_write_all_levels(rpm_t)
+mls_file_relabel(rpm_t)
+mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
+
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
+storage_raw_write_fixed_disk(rpm_t)
+storage_raw_read_fixed_disk(rpm_t)
+
+term_list_ptys(rpm_t)
+
+auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswitch(rpm_t)
+
+rpm_domtrans_script(rpm_t)
+
+init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
+init_signull_script(rpm_t)
+
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_run_ldconfig(rpm_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_t)
+
+seutil_manage_src_policy(rpm_t)
+seutil_manage_bin_policy(rpm_t)
+
+userdom_use_user_terminals(rpm_t)
+userdom_use_unpriv_users_fds(rpm_t)
+
+optional_policy(`
+ cron_system_entry(rpm_t, rpm_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(rpm_t, rpm_exec_t)
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(rpm_t)
+ ')
+')
+
+optional_policy(`
+ prelink_run(rpm_t, rpm_roles)
+')
+
+########################################
+#
+# rpm-script Local policy
+#
+
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
+allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
+allow rpm_script_t self:fd use;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket sendto;
+allow rpm_script_t self:unix_stream_socket { accept connectto listen };
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
+allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
+
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
+
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+
+manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
+
+kernel_read_crypto_sysctls(rpm_script_t)
+kernel_read_kernel_sysctls(rpm_script_t)
+kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
+
+corenet_all_recvfrom_unlabeled(rpm_script_t)
+corenet_all_recvfrom_netlabel(rpm_script_t)
+corenet_tcp_sendrecv_generic_if(rpm_script_t)
+corenet_tcp_sendrecv_generic_node(rpm_script_t)
+
+corenet_sendrecv_http_client_packets(rpm_script_t)
+corenet_tcp_connect_http_port(rpm_script_t)
+corenet_tcp_sendrecv_http_port(rpm_script_t)
+
+corecmd_exec_all_executables(rpm_script_t)
+
+dev_list_sysfs(rpm_script_t)
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+files_exec_etc_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_manage_non_auth_files(rpm_script_t)
+files_relabel_non_auth_files(rpm_script_t)
+
+fs_manage_nfs_files(rpm_script_t)
+fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
+fs_getattr_xattr_fs(rpm_script_t)
+fs_mount_xattr_fs(rpm_script_t)
+fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
+
+mcs_killall(rpm_script_t)
+
+mls_file_read_all_levels(rpm_script_t)
+mls_file_write_all_levels(rpm_script_t)
+
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
+storage_raw_read_fixed_disk(rpm_script_t)
+storage_raw_write_fixed_disk(rpm_script_t)
+
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
+
+auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_use_nsswitch(rpm_script_t)
+
+init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
+
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_run_ldconfig(rpm_script_t, rpm_roles)
+
+logging_send_syslog_msg(rpm_script_t)
+
+miscfiles_read_localization(rpm_script_t)
+
+modutils_run(rpm_script_t, rpm_roles)
+
+seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+seutil_run_setfiles(rpm_script_t, rpm_roles)
+seutil_run_semanage(rpm_script_t, rpm_roles)
+
+userdom_use_all_users_fds(rpm_script_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ mta_send_mail(rpm_script_t)
+ mta_system_content(rpm_var_run_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+')
+
+optional_policy(`
+ bootloader_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
+
+ optional_policy(`
+ unconfined_dbus_chat(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ lvm_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ tzdata_run(rpm_t, rpm_roles)
+ tzdata_run(rpm_script_t, rpm_roles)
+')
+
+optional_policy(`
+ udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans_unconfined(rpm_script_t)
+ ')
+
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ usermanage_run_groupadd(rpm_script_t, rpm_roles)
+ usermanage_run_useradd(rpm_script_t, rpm_roles)
+')
+
+ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunables otherwise
+ seutil_relabelto_bin_policy(rpm_t)
+ seutil_relabelto_bin_policy(rpm_script_t)
+')
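Review bot: The `tunable_policy(`allow_execmem', ...)` block in the rpm-script section has no effect, because the unconditional `allow rpm_script_t self:process { ... execmem execstack ... }` rule earlier in the same section already grants execmem regardless of the boolean. If execmem for rpm scripts is meant to be controlled by `allow_execmem`, drop `execmem` from the unconditional permission list so the boolean actually governs it; otherwise the tunable block is dead and should be removed so readers are not misled about what the boolean controls. The same question applies to `execmem` in the unconditional rpm_t self:process rule at the top of the rpm local policy, which is likewise not gated by any tunable.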
diff --git a/policy/modules/admin/samhain.fc b/policy/modules/admin/samhain.fc
new file mode 100644
index 00000000..76b448c8
--- /dev/null
+++ b/policy/modules/admin/samhain.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
+
+/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+
+/usr/bin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/bin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
+
+/var/log/samhain_log.* -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+
+/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
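Review bot: `/var/log/samhain_log\.lock` is already matched by the preceding `/var/log/samhain_log.*` pattern with the identical context, so the second entry is redundant, and the unescaped dot in the first makes it match any regular file whose name merely starts with `samhain_log`. If the two entries are meant to be distinct, anchoring the first as `/var/log/samhain_log(\..*)?` (or whatever suffix form the log rotation actually produces) would make the separation meaningful; otherwise the `\.lock` line can be dropped.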
diff --git a/policy/modules/admin/samhain.if b/policy/modules/admin/samhain.if
new file mode 100644
index 00000000..8b6fb18b
--- /dev/null
+++ b/policy/modules/admin/samhain.if
@@ -0,0 +1,237 @@
+## <summary>Check file integrity.</summary>
+
+#######################################
+## <summary>
+## The template to define a samhain domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`samhain_service_template',`
+ gen_require(`
+ attribute samhain_domain;
+ type samhain_exec_t;
+ ')
+
+ type $1_t, samhain_domain;
+ domain_type($1_t)
+ domain_entry_file($1_t, samhain_exec_t)
+
+ files_read_all_files($1_t)
+
+ mls_file_write_all_levels($1_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samhain_domtrans',`
+ gen_require(`
+ type samhain_t, samhain_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samhain_exec_t, samhain_t)
+')
+
+########################################
+## <summary>
+## Execute samhain in the samhain
+## domain with the clearance security
+## level and allow the specifiled role
+## the samhain domain.
+## </summary>
+## <desc>
+## <p>
+## Execute samhain in the samhain
+## domain with the clearance security
+## level and allow the specifiled role
+## the samhain domain.
+## </p>
+## <p>
+## The range_transition rule used in
+## this interface requires that the
+## calling domain should have the
+## clearance security level otherwise
+## the MLS constraint for process
+## transition would fail.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samhain_run',`
+ gen_require(`
+ attribute_role samhain_roles;
+ type samhain_exec_t;
+ ')
+
+ samhain_domtrans($1)
+ roleattribute $2 samhain_roles;
+
+ ifdef(`enable_mls', `
+ range_transition $1 samhain_exec_t:process mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samhain configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_config_files',`
+ gen_require(`
+ type samhain_etc_t;
+ ')
+
+ files_rw_etc_dirs($1)
+ allow $1 samhain_etc_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samhain database files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_db_files',`
+ gen_require(`
+ type samhain_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, samhain_db_t, samhain_db_t)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## samhain init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_init_script_files',`
+ gen_require(`
+ type samhain_initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samhain log and log.lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_log_files',`
+ gen_require(`
+ type samhain_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, samhain_log_t, samhain_log_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## samhain pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samhain_manage_pid_files',`
+ gen_require(`
+ type samhain_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate the samhain environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samhain_admin',`
+ gen_require(`
+ attribute samhain_domain;
+ type samhain_db_t, samhain_etc_t;
+ type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ ')
+
+ allow $1 samhain_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, samhain_domain)
+
+ # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
+ # init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, samhain_db_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })
+
+ logging_list_logs($1)
+ admin_pattern($1, samhain_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, samhain_var_run_t)
+')
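Review bot: The `<summary>` and `<desc>` of `samhain_run` misspell "specified" as "specifiled" in two places, and this text is what ends up in the generated interface documentation; both lines should read `## level and allow the specified role`. In `samhain_service_template`, `files_read_all_files($1_t)` and `mls_file_write_all_levels($1_t)` are granted to every domain instantiated from the template with no explanation; a one-line why-comment above them, e.g. `# integrity checking requires reading every file, and the database/log are written at systemhigh`, would make the breadth of the grant visibly intentional. `samhain_admin` documents its `role` parameter as `unused="true"` and carries the commented-out `init_startstop_service` call with a reason, which is fine, but the `<desc>` could state that start/stop of the daemon is not provided by this interface so callers do not expect it.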
diff --git a/policy/modules/admin/samhain.te b/policy/modules/admin/samhain.te
new file mode 100644
index 00000000..4d093b83
--- /dev/null
+++ b/policy/modules/admin/samhain.te
@@ -0,0 +1,125 @@
+policy_module(samhain, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute samhain_domain;
+
+attribute_role samhain_roles;
+roleattribute system_r samhain_roles;
+
+type samhain_etc_t;
+files_config_file(samhain_etc_t)
+
+type samhain_exec_t;
+corecmd_executable_file(samhain_exec_t)
+
+type samhain_log_t;
+logging_log_file(samhain_log_t)
+
+type samhain_db_t;
+files_type(samhain_db_t)
+
+type samhain_initrc_exec_t;
+init_script_file(samhain_initrc_exec_t)
+
+type samhain_var_run_t;
+files_pid_file(samhain_var_run_t)
+
+samhain_service_template(samhain)
+application_domain(samhain_t, samhain_exec_t)
+role samhain_roles types samhain_t;
+
+samhain_service_template(samhaind)
+init_system_domain(samhaind_t, samhain_exec_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Common samhain domain local policy
+#
+
+allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
+dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
+allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
+
+allow samhain_domain samhain_etc_t:file read_file_perms;
+
+manage_files_pattern(samhain_domain, samhain_log_t, samhain_log_t)
+logging_log_filetrans(samhain_domain, samhain_log_t, file)
+
+manage_files_pattern(samhain_domain, samhain_var_run_t, samhain_var_run_t)
+files_pid_filetrans(samhain_domain, samhain_var_run_t, file)
+
+kernel_getattr_core_if(samhain_domain)
+
+corecmd_list_bin(samhain_domain)
+
+dev_read_urand(samhain_domain)
+dev_dontaudit_read_rand(samhain_domain)
+dev_getattr_all_blk_files(samhain_domain)
+dev_getattr_all_chr_files(samhain_domain)
+dev_getattr_generic_blk_files(samhain_domain)
+dev_getattr_generic_chr_files(samhain_domain)
+
+files_getattr_all_dirs(samhain_domain)
+files_getattr_all_files(samhain_domain)
+files_getattr_all_symlinks(samhain_domain)
+files_getattr_all_pipes(samhain_domain)
+files_getattr_all_sockets(samhain_domain)
+files_getattr_all_mountpoints(samhain_domain)
+files_read_all_symlinks(samhain_domain)
+files_search_etc(samhain_domain)
+
+fs_getattr_all_dirs(samhain_domain)
+
+auth_read_login_records(samhain_domain)
+
+init_read_utmp(samhain_domain)
+
+logging_send_syslog_msg(samhain_domain)
+
+########################################
+#
+# Client local policy
+#
+
+manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
+files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
+
+domain_use_interactive_fds(samhain_t)
+
+seutil_sigchld_newrole(samhain_t)
+
+userdom_use_user_terminals(samhain_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow samhaind_t { samhain_t self }:process signal_perms;
+
+can_exec(samhaind_t, samhain_exec_t)
+
+read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
+init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)
diff --git a/policy/modules/admin/sblim.fc b/policy/modules/admin/sblim.fc
new file mode 100644
index 00000000..c2aed416
--- /dev/null
+++ b/policy/modules/admin/sblim.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+
+/usr/bin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+/usr/bin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
+/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
+/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/admin/sblim.if b/policy/modules/admin/sblim.if
new file mode 100644
index 00000000..00e2e69c
--- /dev/null
+++ b/policy/modules/admin/sblim.if
@@ -0,0 +1,71 @@
+## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
+
+########################################
+## <summary>
+## Execute gatherd in the gatherd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_domtrans_gatherd',`
+ gen_require(`
+ type sblim_gatherd_t, sblim_gatherd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
+')
+
+########################################
+## <summary>
+## Read gatherd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_read_pid_files',`
+ gen_require(`
+ type sblim_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 sblim_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sblim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sblim_admin',`
+ gen_require(`
+ attribute sblim_domain;
+ type sblim_initrc_exec_t, sblim_var_run_t;
+ ')
+
+ allow $1 sblim_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, sblim_domain)
+
+ init_startstop_service($1, $2, sblim_domain, sblim_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
+')
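Review bot: `sblim_read_pid_files` grants only `files_search_pids($1)` plus read on `sblim_var_run_t:file`, but the .fc added in this same commit labels the whole `/run/gather(/.*)?` tree `sblim_var_run_t`, so the pid file sits inside a directory of that type and the caller receives no `search` permission on it; `read_files_pattern($1, sblim_var_run_t, sblim_var_run_t)` would grant the directory traversal together with the file read (this assumes the pid file really lives under `/run/gather/`, which the .fc suggests but nothing in the .te pins down). In `sblim_admin`, `files_search_pids($1)` before `admin_pattern($1, sblim_var_run_t)` is also weaker than the `files_list_pids($1)` used by the other admin interfaces on this page (`samhain_admin`, for example), since the admin pattern manages a directory tree and the caller will want to list `/run`.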
diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
new file mode 100644
index 00000000..d05bc1a6
--- /dev/null
+++ b/policy/modules/admin/sblim.te
@@ -0,0 +1,122 @@
+policy_module(sblim, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute sblim_domain;
+
+type sblim_gatherd_t, sblim_domain;
+type sblim_gatherd_exec_t;
+init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+
+type sblim_reposd_t, sblim_domain;
+type sblim_reposd_exec_t;
+init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+
+type sblim_initrc_exec_t;
+init_script_file(sblim_initrc_exec_t)
+
+type sblim_var_run_t;
+files_pid_file(sblim_var_run_t)
+
+######################################
+#
+# Common sblim domain local policy
+#
+
+allow sblim_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+
+kernel_read_network_state(sblim_domain)
+kernel_read_system_state(sblim_domain)
+
+corenet_all_recvfrom_unlabeled(sblim_domain)
+corenet_all_recvfrom_netlabel(sblim_domain)
+corenet_tcp_sendrecv_generic_if(sblim_domain)
+corenet_tcp_sendrecv_generic_node(sblim_domain)
+
+corenet_tcp_sendrecv_repository_port(sblim_domain)
+
+dev_read_sysfs(sblim_domain)
+
+logging_send_syslog_msg(sblim_domain)
+
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
+
+########################################
+#
+# Gatherd local policy
+#
+
+allow sblim_gatherd_t self:capability dac_override;
+allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket { accept listen };
+
+domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+
+kernel_read_fs_sysctls(sblim_gatherd_t)
+kernel_read_kernel_sysctls(sblim_gatherd_t)
+
+corecmd_exec_bin(sblim_gatherd_t)
+corecmd_exec_shell(sblim_gatherd_t)
+
+corenet_sendrecv_repository_client_packets(sblim_gatherd_t)
+corenet_tcp_connect_repository_port(sblim_gatherd_t)
+
+dev_read_rand(sblim_gatherd_t)
+dev_read_urand(sblim_gatherd_t)
+
+domain_read_all_domains_state(sblim_gatherd_t)
+
+fs_getattr_all_fs(sblim_gatherd_t)
+fs_search_cgroup_dirs(sblim_gatherd_t)
+
+storage_raw_read_fixed_disk(sblim_gatherd_t)
+storage_raw_read_removable_device(sblim_gatherd_t)
+
+init_read_utmp(sblim_gatherd_t)
+
+sysnet_dns_name_resolve(sblim_gatherd_t)
+
+term_getattr_pty_fs(sblim_gatherd_t)
+
+userdom_signull_unpriv_users(sblim_gatherd_t)
+
+optional_policy(`
+ locallogin_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(sblim_gatherd_t)
+')
+
+optional_policy(`
+ ssh_signull(sblim_gatherd_t)
+')
+
+optional_policy(`
+ virt_getattr_virtd_exec_files(sblim_gatherd_t)
+ virt_stream_connect(sblim_gatherd_t)
+')
+
+optional_policy(`
+ xen_stream_connect(sblim_gatherd_t)
+ xen_stream_connect_xenstore(sblim_gatherd_t)
+')
+
+#######################################
+#
+# Reposd local policy
+#
+
+corenet_sendrecv_repository_server_packets(sblim_reposd_t)
+corenet_tcp_bind_repository_port(sblim_reposd_t)
+corenet_tcp_bind_generic_node(sblim_domain)
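Review bot: `corenet_tcp_bind_generic_node(sblim_domain)` on the last line sits under the "Reposd local policy" header but is written against the `sblim_domain` attribute, so it also grants `sblim_gatherd_t` node bind permission even though only reposd binds the repository port in the two rules above it. Either narrow it to `corenet_tcp_bind_generic_node(sblim_reposd_t)` to match those rules, or move it into the common section if gatherd genuinely needs to bind. `storage_raw_read_fixed_disk(sblim_gatherd_t)` and `storage_raw_read_removable_device(sblim_gatherd_t)` are unusually broad for a metrics gatherer and would benefit from a why-comment naming the metric that requires raw block-device reads, so a later reviewer can judge whether the grant is still needed.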
diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc
new file mode 100644
index 00000000..64a23945
--- /dev/null
+++ b/policy/modules/admin/sectoolm.fc
@@ -0,0 +1,5 @@
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+
+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if
new file mode 100644
index 00000000..9e9663b5
--- /dev/null
+++ b/policy/modules/admin/sectoolm.if
@@ -0,0 +1,24 @@
+## <summary>Sectool security audit tool.</summary>
+
+########################################
+## <summary>
+## Role access for sectoolm.
+## </summary>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`sectoolm_role',`
+ gen_require(`
+ type sectoolm_t;
+ ')
+
+ allow sectoolm_t $2:unix_dgram_socket sendto;
+')
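Review bot: The summary "Role access for sectoolm." overstates what `sectoolm_role` provides: the body is a single `allow sectoolm_t $2:unix_dgram_socket sendto;`, the `role` parameter is declared `unused="true"`, and no role assignment or domain transition is set up. A summary such as `## Allow sectoolm to send datagrams to the user domain's unix sockets.` would describe the rule that is actually present; if the `*_role` naming is kept for consistency with other modules, a `<desc>` stating that only this reply path is granted would keep callers from assuming they get a transition into `sectoolm_t`.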
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
new file mode 100644
index 00000000..ba3360f4
--- /dev/null
+++ b/policy/modules/admin/sectoolm.te
@@ -0,0 +1,108 @@
+policy_module(sectoolm, 1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+init_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_write_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(sectoolm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
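Review bot: The file ends with an extra empty line (the bare `+` closing the hunk), and the `optional_policy` blocks are not in the alphabetical module order the neighbouring modules on this page follow: `mount_exec(sectoolm_t)` comes first, ahead of the `dbus`, `hostname` and `iptables` blocks, and would conventionally sit after `iptables_domtrans`. The three `kernel_read_*` calls (`net_sysctls`, `network_state`, `kernel_sysctls`) are likewise out of order. Neither changes the compiled policy, but consistent ordering keeps the module aligned with its siblings and makes later diffs easier to read.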
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
new file mode 100644
index 00000000..aae46ecb
--- /dev/null
+++ b/policy/modules/admin/shorewall.fc
@@ -0,0 +1,29 @@
+/etc/rc\.d/init\.d/shorewall.* -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/usr/bin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/bin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
new file mode 100644
index 00000000..119ba279
--- /dev/null
+++ b/policy/modules/admin/shorewall.if
@@ -0,0 +1,191 @@
+## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run shorewall
+## using executables from /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_lib_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_config',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall pid files.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+')
+
+#######################################
+## <summary>
+## Read and write shorewall pid files.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+')
+
+######################################
+## <summary>
+## Read shorewall lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_lib_files',`
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_lib_files',`
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+ gen_require(`
+ type shorewall_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to
+## administrate an shorewall environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_lock_t, shorewall_log_t;
+ type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_startstop_service($1, $2, shorewall_t, shorewall_initrc_exec_t)
+
+ can_exec($1, shorewall_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_list_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, shorewall_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
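Review bot: The `shorewall_admin` summary reads "administrate an shorewall environment"; it should be `## administrate a shorewall environment.` The deprecated stubs `shorewall_read_pid_files` and `shorewall_rw_pid_files` only emit `refpolicywarn` and give no hint of what a caller should use instead; a line in each `<desc>` pointing to the replacement, or stating that shorewall no longer has labelled pid files, would save the next caller a dig through history.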
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
new file mode 100644
index 00000000..429230e9
--- /dev/null
+++ b/policy/modules/admin/shorewall.te
@@ -0,0 +1,114 @@
+policy_module(shorewall, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+type shorewall_var_lib_t;
+domain_entry_file(shorewall_t, shorewall_var_lib_t)
+
+type shorewall_log_t;
+logging_log_file(shorewall_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice };
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+allow shorewall_t self:netlink_socket create_socket_perms;
+
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
+
+manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_sysfs(shorewall_t)
+dev_read_urand(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+auth_use_nsswitch(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+logging_read_generic_logs(shorewall_t)
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+
+userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_use_user_terminals(shorewall_t)
+
+optional_policy(`
+ brctl_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ hostname_exec(shorewall_t)
+')
+
+optional_policy(`
+ iptables_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ modutils_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
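Review bot: `domain_entry_file(shorewall_t, shorewall_var_lib_t)` makes `shorewall_var_lib_t` an entrypoint for `shorewall_t`, while `manage_files_pattern`, `exec_files_pattern` and `files_var_lib_filetrans` further down let the same domain create, write and execute files of that type, so `shorewall_t` can run code it has itself written; the hunk carries no comment saying this is deliberate. Presumably shorewall compiles its generated firewall script under `/var/lib/shorewall` and then executes it, which would make the arrangement necessary rather than accidental, but that should be recorded at the declaration, e.g. `# shorewall compiles its firewall script into /var/lib/shorewall and executes it, so this type is also an entrypoint`. `shorewall_lib_domtrans` in the companion .if relies on the same entrypoint, so the comment belongs here where the type is declared.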
diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
new file mode 100644
index 00000000..03a2230c
--- /dev/null
+++ b/policy/modules/admin/shutdown.fc
@@ -0,0 +1,9 @@
+/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+
+/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
new file mode 100644
index 00000000..819d19b0
--- /dev/null
+++ b/policy/modules/admin/shutdown.if
@@ -0,0 +1,127 @@
+## <summary>System shutdown command.</summary>
+
+########################################
+## <summary>
+## Role access for shutdown.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`shutdown_role',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_run($2, $1)
+
+ allow $2 shutdown_t:process { ptrace signal_perms };
+ ps_process_pattern($2, shutdown_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shutdown_domtrans',`
+ gen_require(`
+ type shutdown_t, shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+')
+
+########################################
+## <summary>
+## Execute shutdown in the shutdown
+## domain, and allow the specified role
+## the shutdown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_run',`
+ gen_require(`
+ attribute_role shutdown_roles;
+ ')
+
+ shutdown_domtrans($1)
+ roleattribute $2 shutdown_roles;
+')
+
+########################################
+## <summary>
+## Send generic signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_signal',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow shutdown_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Get attributes of shutdown executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_getattr_exec_files',`
+ gen_require(`
+ type shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 shutdown_exec_t:file getattr_file_perms;
+')
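Review bot: The `shutdown_signal` summary says "Send generic signals to shutdown", but its rule is `allow shutdown_t $1:process signal;`, which is the opposite direction: it lets `shutdown_t` signal the caller's domain. Compare `shutdown_sigchld` directly below, whose `allow $1 shutdown_t:process sigchld;` does match its "Send SIGCHLD signals to shutdown" summary. Either the summary should become `## Allow shutdown to send generic signals to the specified domain.` with the parameter summary changed to "Domain that shutdown may signal", or the rule should be `allow $1 shutdown_t:process signal;` if the documented direction is the intended one; which of the two is correct cannot be settled from this hunk alone.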
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
new file mode 100644
index 00000000..2168d03f
--- /dev/null
+++ b/policy/modules/admin/shutdown.te
@@ -0,0 +1,80 @@
+policy_module(shutdown, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role shutdown_roles;
+
+type shutdown_t;
+type shutdown_exec_t;
+init_system_domain(shutdown_t, shutdown_exec_t)
+application_domain(shutdown_t, shutdown_exec_t)
+role shutdown_roles types shutdown_t;
+
+type shutdown_etc_t;
+files_config_file(shutdown_etc_t)
+
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
+allow shutdown_t self:process { setsched signal signull };
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
+files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
+kernel_read_system_state(shutdown_t)
+
+domain_use_interactive_fds(shutdown_t)
+
+files_delete_boot_flag(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
+fs_getattr_xattr_fs(shutdown_t)
+
+mls_file_write_to_clearance(shutdown_t)
+
+term_use_all_terms(shutdown_t)
+
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
+init_rw_utmp(shutdown_t)
+init_stream_connect(shutdown_t)
+init_telinit(shutdown_t)
+
+logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
+logging_send_syslog_msg(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
+
+optional_policy(`
+ cron_system_entry(shutdown_t, shutdown_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
+')
+
+optional_policy(`
+ oddjob_dontaudit_rw_fifo_files(shutdown_t)
+ oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
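Review bot: The self:capability line (`dac_override kill setuid sys_nice sys_tty_config`) and the `manage_files_pattern` + `files_etc_filetrans` pair on `shutdown_etc_t`, which let the domain create files directly under /etc, carry no justification, and the .fc that says which path receives `shutdown_etc_t` is not part of this hunk, so a reader cannot tell what is being written. A why-comment on each would make the grants reviewable, e.g. `# creates/removes a file under /etc during shutdown (presumably /etc/nologin — confirm against shutdown.fc)` above the etc rules and `# kill: signals every process as part of the shutdown sequence; setuid/dac_override presumably for the wtmp/nologin writes — confirm` above the capability line. `mls_file_write_to_clearance` and `auth_write_login_records` together also deserve a note that the domain updates login records at levels up to its clearance.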
diff --git a/policy/modules/admin/smoltclient.fc b/policy/modules/admin/smoltclient.fc
new file mode 100644
index 00000000..1ff29582
--- /dev/null
+++ b/policy/modules/admin/smoltclient.fc
@@ -0,0 +1 @@
+/usr/share/smolt/client/sendProfile\.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
diff --git a/policy/modules/admin/smoltclient.if b/policy/modules/admin/smoltclient.if
new file mode 100644
index 00000000..44a8ff1f
--- /dev/null
+++ b/policy/modules/admin/smoltclient.if
@@ -0,0 +1 @@
+## <summary>The Fedora hardware profiler client.</summary>
diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
new file mode 100644
index 00000000..cc9aae0c
--- /dev/null
+++ b/policy/modules/admin/smoltclient.te
@@ -0,0 +1,86 @@
+policy_module(smoltclient, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type smoltclient_t;
+type smoltclient_exec_t;
+application_domain(smoltclient_t, smoltclient_exec_t)
+
+type smoltclient_tmp_t;
+files_tmp_file(smoltclient_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smoltclient_t self:process { setsched getsched };
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+
+kernel_read_system_state(smoltclient_t)
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
+corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_all_recvfrom_unlabeled(smoltclient_t)
+corenet_all_recvfrom_netlabel(smoltclient_t)
+corenet_tcp_sendrecv_generic_if(smoltclient_t)
+corenet_tcp_sendrecv_generic_node(smoltclient_t)
+
+corenet_sendrecv_http_client_packets(smoltclient_t)
+corenet_tcp_connect_http_port(smoltclient_t)
+corenet_tcp_sendrecv_http_port(smoltclient_t)
+
+dev_read_sysfs(smoltclient_t)
+dev_read_urand(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
+fs_getattr_all_dirs(smoltclient_t)
+fs_list_auto_mountpoints(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_runtime_files(smoltclient_t)
+files_read_usr_files(smoltclient_t)
+
+auth_use_nsswitch(smoltclient_t)
+
+logging_send_syslog_msg(smoltclient_t)
+
+miscfiles_read_hwdata(smoltclient_t)
+miscfiles_read_localization(smoltclient_t)
+
+optional_policy(`
+ abrt_stream_connect(smoltclient_t)
+')
+
+optional_policy(`
+ cron_system_entry(smoltclient_t, smoltclient_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+
+ optional_policy(`
+ hal_dbus_chat(smoltclient_t)
+ ')
+')
+
+optional_policy(`
+ libs_exec_ldconfig(smoltclient_t)
+')
+
+optional_policy(`
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
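Review bot: `can_exec(smoltclient_t, smoltclient_tmp_t)` together with `manage_files_pattern` on the same type lets the domain write a file into /tmp and then execute it, which undoes much of the confinement: anything that can influence the contents of `smoltclient_tmp_t` files gets code execution in `smoltclient_t`. If the client genuinely runs scripts it generates, say so next to the rule, e.g. `# executes helper scripts it writes to /tmp (confirm which)`; otherwise drop the `can_exec` and rely on `corecmd_exec_bin`/`corecmd_exec_shell`, which the domain already has. Minor: `libs_exec_ldconfig` is wrapped in `optional_policy` although the other modules in this commit call `libs_*` interfaces unconditionally (sosreport's `libs_domtrans_ldconfig`).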
diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc
new file mode 100644
index 00000000..d445530f
--- /dev/null
+++ b/policy/modules/admin/sosreport.fc
@@ -0,0 +1,5 @@
+/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
+/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
new file mode 100644
index 00000000..e1edfd96
--- /dev/null
+++ b/policy/modules/admin/sosreport.if
@@ -0,0 +1,129 @@
+## <summary>Generate debugging information for system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sosreport_domtrans',`
+ gen_require(`
+ type sosreport_t, sosreport_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+########################################
+## <summary>
+## Execute sosreport in the sosreport
+## domain, and allow the specified
+## role the sosreport domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_run',`
+ gen_require(`
+ attribute_role sosreport_roles;
+ ')
+
+ sosreport_domtrans($1)
+ roleattribute $2 sosreport_roles;
+')
+
+########################################
+## <summary>
+## Role access for sosreport.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`sosreport_role',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ sosreport_run($2, $1)
+
+ allow $2 sosreport_t:process { ptrace signal_perms };
+ ps_process_pattern($2, sosreport_t)
+')
+
+########################################
+## <summary>
+## Read sosreport temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_read_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Append sosreport temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_append_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+## Delete sosreport temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_delete_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
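Review bot: `sosreport_role` grants the user domain `ptrace` on `sosreport_t` unconditionally (`allow $2 sosreport_t:process { ptrace signal_perms };`), so any role given this interface can attach to a process that, per sosreport.te in this commit, holds `sys_admin`/`net_admin`, reads raw memory and reads all logs; whether the kernel's dumpable check still blocks that depends on how the binary is installed, which the policy cannot see. Unless sos needs debugger attachment from the invoking shell, limit the line to `allow $2 sosreport_t:process signal_perms;` and keep `ps_process_pattern`. Documentation nit: the `domain` parameter of `sosreport_run` is described as `Domain allowed access.` whereas `sosreport_domtrans` and the other `_run` interfaces in this commit say `Domain allowed to transition.`, which is the accurate wording here.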
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
new file mode 100644
index 00000000..0c7189ff
--- /dev/null
+++ b/policy/modules/admin/sosreport.te
@@ -0,0 +1,170 @@
+policy_module(sosreport, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sosreport_roles;
+roleattribute system_r sosreport_roles;
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role sosreport_roles types sosreport_t;
+
+type sosreport_var_run_t;
+files_pid_file(sosreport_var_run_t)
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(sosreport_tmpfs_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
+dontaudit sosreport_t self:capability sys_ptrace;
+allow sosreport_t self:process { setsched setpgid signal_perms };
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket { accept listen };
+allow sosreport_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
+
+kernel_read_network_state(sosreport_t)
+kernel_read_all_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+kernel_read_messages(sosreport_t)
+kernel_request_load_module(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+dev_getattr_mtrr_dev(sosreport_t)
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+dev_rw_generic_usb_dev(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+domain_getattr_all_sockets(sosreport_t)
+domain_getattr_all_pipes(sosreport_t)
+
+files_getattr_all_sockets(sosreport_t)
+files_getattr_all_files(sosreport_t)
+files_getattr_all_pipes(sosreport_t)
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_non_auth_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+files_read_all_symlinks(sosreport_t)
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+fs_getattr_all_fs(sosreport_t)
+fs_list_inotifyfs(sosreport_t)
+
+storage_dontaudit_read_fixed_disk(sosreport_t)
+storage_dontaudit_read_removable_device(sosreport_t)
+
+term_use_generic_ptys(sosreport_t)
+
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+modutils_read_module_deps(sosreport_t)
+
+optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
+ abrt_manage_cache(sosreport_t)
+ abrt_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ dmesg_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ fstools_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sosreport_t)
+
+ optional_policy(`
+ hal_dbus_chat(sosreport_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(sosreport_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ mount_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ pulseaudio_run(sosreport_t, sosreport_roles)
+')
+
+optional_policy(`
+ rpm_exec(sosreport_t)
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+ setroubleshoot_signull(sosreport_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(sosreport_t)
+')
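Review bot: `dev_read_raw_memory`, `files_read_non_auth_files`, `logging_read_all_logs` and `corecmd_exec_all_executables`, combined with `sys_admin net_admin net_raw` in the capability line, make this one of the widest domains in the commit and none of the rules says why; the data they expose lands in `sosreport_tmp_t`, which `sosreport_read_tmp_files` hands to other domains, so each should name the plugin that needs it, e.g. `# raw memory: presumably for DMI/firmware collection — confirm plugin` next to `dev_read_raw_memory`. `allow sosreport_t self:tcp_socket { accept listen };` grants accept/listen with no create permission and no corenet rule for the domain, so it can only ever apply to an inherited socket; either add the missing socket rules or document why listening is needed at all. `dontaudit sosreport_t self:capability sys_ptrace;` next to `domain_read_all_domains_state` also deserves a one-line note that /proc reads of other domains are intended while ptrace is silently refused.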
diff --git a/policy/modules/admin/sxid.fc b/policy/modules/admin/sxid.fc
new file mode 100644
index 00000000..92d3ff1a
--- /dev/null
+++ b/policy/modules/admin/sxid.fc
@@ -0,0 +1,8 @@
+/usr/bin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
+/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0)
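Review bot: The pattern `/var/log/setuid.*` already matches everything `/var/log/setuid\.today.*` matches (the unescaped `.` followed by `.*` accepts any suffix), so the second line is dead specification; both assign `sxid_log_t`, so there is no labeling conflict, but one of them should go. If the intent is to label only dotted variants, escape the dot in the first line, `/var/log/setuid\..*`, so that an unrelated file whose name merely starts with `setuid` is not swept into the sxid log type.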
diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
new file mode 100644
index 00000000..83d2e94c
--- /dev/null
+++ b/policy/modules/admin/sxid.if
@@ -0,0 +1,21 @@
+## <summary>SUID/SGID program monitoring.</summary>
+
+########################################
+## <summary>
+## Read sxid log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sxid_read_log',`
+ gen_require(`
+ type sxid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 sxid_log_t:file read_file_perms;
+')
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
new file mode 100644
index 00000000..ae7e27b3
--- /dev/null
+++ b/policy/modules/admin/sxid.te
@@ -0,0 +1,101 @@
+policy_module(sxid, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type sxid_t;
+type sxid_exec_t;
+application_domain(sxid_t, sxid_exec_t)
+
+type sxid_log_t;
+logging_log_file(sxid_log_t)
+
+type sxid_tmp_t;
+files_tmp_file(sxid_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setgid setuid sys_tty_config };
+allow sxid_t self:process signal_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
+allow sxid_t self:tcp_socket create_stream_socket_perms;
+allow sxid_t self:udp_socket create_socket_perms;
+
+allow sxid_t sxid_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(sxid_t, sxid_log_t, file)
+
+manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
+
+kernel_read_system_state(sxid_t)
+kernel_read_kernel_sysctls(sxid_t)
+
+corecmd_exec_bin(sxid_t)
+corecmd_exec_shell(sxid_t)
+
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
+corenet_tcp_sendrecv_generic_if(sxid_t)
+corenet_udp_sendrecv_generic_if(sxid_t)
+corenet_tcp_sendrecv_generic_node(sxid_t)
+corenet_udp_sendrecv_generic_node(sxid_t)
+corenet_tcp_sendrecv_all_ports(sxid_t)
+corenet_udp_sendrecv_all_ports(sxid_t)
+
+dev_read_sysfs(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+dev_getattr_all_chr_files(sxid_t)
+
+domain_use_interactive_fds(sxid_t)
+
+files_list_all(sxid_t)
+files_getattr_all_symlinks(sxid_t)
+files_getattr_all_pipes(sxid_t)
+files_getattr_all_sockets(sxid_t)
+
+fs_getattr_xattr_fs(sxid_t)
+fs_search_auto_mountpoints(sxid_t)
+fs_list_all(sxid_t)
+
+term_dontaudit_use_console(sxid_t)
+
+files_read_non_auth_files(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
+
+init_use_fds(sxid_t)
+init_use_script_ptys(sxid_t)
+
+logging_send_syslog_msg(sxid_t)
+
+miscfiles_read_localization(sxid_t)
+
+sysnet_read_config(sxid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+optional_policy(`
+ cron_system_entry(sxid_t, sxid_exec_t)
+')
+
+optional_policy(`
+ mount_exec(sxid_t)
+')
+
+optional_policy(`
+ mta_send_mail(sxid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sxid_t)
+')
+
+optional_policy(`
+ udev_read_db(sxid_t)
+')
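Review bot: `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`, plus `tcp_socket create_stream_socket_perms` and `udp_socket create_socket_perms` on self, give a local SUID/SGID scanner send/receive on every labeled port, yet the only network consumer visible in the module is the optional `mta_send_mail` (with `sysnet_read_config`/`auth_use_nsswitch` for name resolution). If mail delivery is the reason, a comment such as `# network access is only for handing the report to the MTA` above the corenet block would make that reviewable, and the all-ports rules could then be narrowed to what that path needs. The log type correctly gets only `append_file_perms create_file_perms setattr_file_perms`, so the domain cannot rewrite or delete its own findings — keep that as is.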
diff --git a/policy/modules/admin/tboot.fc b/policy/modules/admin/tboot.fc
new file mode 100644
index 00000000..8c3e66c4
--- /dev/null
+++ b/policy/modules/admin/tboot.fc
@@ -0,0 +1,3 @@
+/usr/bin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
+
+/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/policy/modules/admin/tboot.if b/policy/modules/admin/tboot.if
new file mode 100644
index 00000000..0ffe6d83
--- /dev/null
+++ b/policy/modules/admin/tboot.if
@@ -0,0 +1,46 @@
+## <summary>Utilities for the tboot TXT module.</summary>
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tboot_domtrans_txtstat',`
+ gen_require(`
+ type txtstat_t, txtstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain, and
+## allow the specified role the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the txtstat domain.
+## </summary>
+## </param>
+#
+interface(`tboot_run_txtstat',`
+ gen_require(`
+ type txtstat_t;
+ attribute_role txtstat_roles;
+ ')
+
+ tboot_domtrans_txtstat($1)
+ roleattribute $2 txtstat_roles;
+')
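Review bot: `tboot_run_txtstat` requires `type txtstat_t` but never references it — the transition is delegated to `tboot_domtrans_txtstat`, which already requires that type, and the only local rule uses `txtstat_roles`. The other `_run` interfaces in this commit (`shutdown_run`, `sosreport_run`, `tripwire_run_*`) require only the role attribute; for consistency drop the `type txtstat_t;` line from the `gen_require` block.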
diff --git a/policy/modules/admin/tboot.te b/policy/modules/admin/tboot.te
new file mode 100644
index 00000000..57b55ee9
--- /dev/null
+++ b/policy/modules/admin/tboot.te
@@ -0,0 +1,24 @@
+policy_module(tboot, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role txtstat_roles;
+roleattribute system_r txtstat_roles;
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+role txtstat_roles types txtstat_t;
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
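Review bot: `dev_read_raw_memory(txtstat_t)` is the only substantive grant in this domain and it has no comment; because `txtstat_t` is reachable via `tboot_run_txtstat` from any role added to `txtstat_roles`, each such role receives a domain that can read /dev/mem, i.e. arbitrary physical memory, not just the TXT region. Add a why-comment so that whoever grants the role knows what they are handing out, e.g. `# txt-stat presumably reads the TXT config/heap area through /dev/mem — confirm; SELinux cannot limit the read to that range`.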
diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
new file mode 100644
index 00000000..f4ce55e1
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+
+/usr/bin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+
+/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if
new file mode 100644
index 00000000..f621a275
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.if
@@ -0,0 +1,20 @@
+## <summary>Manage temporary directory sizes and file ages.</summary>
+
+########################################
+## <summary>
+## Execute tmpreaper in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpreaper_exec',`
+ gen_require(`
+ type tmpreaper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tmpreaper_exec_t)
+')
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
new file mode 100644
index 00000000..f4ce8dba
--- /dev/null
+++ b/policy/modules/admin/tmpreaper.te
@@ -0,0 +1,91 @@
+policy_module(tmpreaper, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+type tmpreaper_exec_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_list_unlabeled(tmpreaper_t)
+kernel_read_system_state(tmpreaper_t)
+
+dev_read_urand(tmpreaper_t)
+
+corecmd_exec_bin(tmpreaper_t)
+corecmd_exec_shell(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_all(tmpreaper_t)
+
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+files_setattr_all_tmp_dirs(tmpreaper_t)
+
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
+mls_file_read_all_levels(tmpreaper_t)
+mls_file_write_all_levels(tmpreaper_t)
+
+auth_use_nsswitch(tmpreaper_t)
+
+init_use_inherited_script_ptys(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
+
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(tmpreaper_t)
+')
+
+ifdef(`distro_redhat',`
+ userdom_list_all_user_home_content(tmpreaper_t)
+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+')
+
+optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache_dirs(tmpreaper_t)
+ apache_delete_cache_files(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+')
+
+optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
+ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+ plymouthd_exec_plymouth(tmpreaper_t)
+')
+
+optional_policy(`
+ rpm_manage_cache(tmpreaper_t)
+')
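Review bot: The MLS/MCS override block (`mcs_file_read_all`, `mcs_file_write_all`, `mls_file_read_all_levels`, `mls_file_write_all_levels`) and the `distro_redhat` block that lets the domain delete all user home content dirs, files and symlinks are the two most powerful grants in the module and neither says why. A comment above each — e.g. `# must see and unlink tmp files created at every level/category` for the MLS block, and `# tmpwatch on Red Hat presumably also reaps per-user tmp/cache directories under home — confirm against the cron job config` for the home block — would let the next reviewer confirm the home deletion is still wanted. `files_purge_tmp` plus those home grants together mean a mislabelled directory under /tmp or a home directory can be emptied by this domain, which is inherent to the tool but worth spelling out.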
diff --git a/policy/modules/admin/tripwire.fc b/policy/modules/admin/tripwire.fc
new file mode 100644
index 00000000..77b259a4
--- /dev/null
+++ b/policy/modules/admin/tripwire.fc
@@ -0,0 +1,14 @@
+/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+
+/usr/bin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/bin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/bin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/bin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0)
+/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0)
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
new file mode 100644
index 00000000..a3a4d91b
--- /dev/null
+++ b/policy/modules/admin/tripwire.if
@@ -0,0 +1,185 @@
+## <summary>File integrity checker.</summary>
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_tripwire',`
+ gen_require(`
+ type tripwire_t, tripwire_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tripwire_exec_t, tripwire_t)
+')
+
+########################################
+## <summary>
+## Execute tripwire in the tripwire
+## domain, and allow the specified
+## role the tripwire domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_tripwire',`
+ gen_require(`
+ attribute_role tripwire_roles;
+ ')
+
+ tripwire_domtrans_tripwire($1)
+ roleattribute $2 tripwire_roles;
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twadmin',`
+ gen_require(`
+ type twadmin_t, twadmin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, twadmin_exec_t, twadmin_t)
+')
+
+########################################
+## <summary>
+## Execute twadmin in the twadmin
+## domain, and allow the specified
+## role the twadmin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twadmin',`
+ gen_require(`
+ attribute_role twadmin_roles;
+ ')
+
+ tripwire_domtrans_twadmin($1)
+ roleattribute $2 twadmin_roles;
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_twprint',`
+ gen_require(`
+ type twprint_t, twprint_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, twprint_exec_t, twprint_t)
+')
+
+########################################
+## <summary>
+## Execute twprint in the twprint
+## domain, and allow the specified
+## role the twprint domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_twprint',`
+ gen_require(`
+ attribute_role twprint_roles;
+ ')
+
+ tripwire_domtrans_twprint($1)
+ roleattribute $2 twprint_roles;
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tripwire_domtrans_siggen',`
+ gen_require(`
+ type siggen_t, siggen_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, siggen_exec_t, siggen_t)
+')
+
+########################################
+## <summary>
+## Execute siggen in the siggen domain,
+## and allow the specified role
+## the siggen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tripwire_run_siggen',`
+ gen_require(`
+ attribute_role siggen_roles;
+ ')
+
+ tripwire_domtrans_siggen($1)
+ roleattribute $2 siggen_roles;
+')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
new file mode 100644
index 00000000..ea532de5
--- /dev/null
+++ b/policy/modules/admin/tripwire.te
@@ -0,0 +1,155 @@
+policy_module(tripwire, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role siggen_roles;
+attribute_role tripwire_roles;
+attribute_role twadmin_roles;
+attribute_role twprint_roles;
+
+type siggen_t;
+type siggen_exec_t;
+application_domain(siggen_t, siggen_exec_t)
+role siggen_roles types siggen_t;
+
+type tripwire_t;
+type tripwire_exec_t;
+application_domain(tripwire_t, tripwire_exec_t)
+role tripwire_roles types tripwire_t;
+
+type tripwire_etc_t;
+files_config_file(tripwire_etc_t)
+
+type tripwire_report_t;
+files_type(tripwire_report_t)
+
+type tripwire_tmp_t;
+files_tmp_file(tripwire_tmp_t)
+
+type tripwire_var_lib_t;
+files_type(tripwire_var_lib_t)
+
+type twadmin_t;
+type twadmin_exec_t;
+application_domain(twadmin_t, twadmin_exec_t)
+role twadmin_roles types twadmin_t;
+
+type twprint_t;
+type twprint_exec_t;
+application_domain(twprint_t, twprint_exec_t)
+role twprint_roles types twprint_t;
+
+########################################
+#
+# Local policy
+#
+
+allow tripwire_t self:capability { dac_override setgid setuid };
+
+allow tripwire_t tripwire_etc_t:dir list_dir_perms;
+allow tripwire_t tripwire_etc_t:file read_file_perms;
+allow tripwire_t tripwire_etc_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
+
+manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
+files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t)
+files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file)
+
+kernel_read_system_state(tripwire_t)
+kernel_read_network_state(tripwire_t)
+kernel_read_software_raid_state(tripwire_t)
+kernel_getattr_core_if(tripwire_t)
+kernel_getattr_message_if(tripwire_t)
+kernel_read_kernel_sysctls(tripwire_t)
+
+corecmd_exec_bin(tripwire_t)
+corecmd_exec_shell(tripwire_t)
+
+domain_use_interactive_fds(tripwire_t)
+
+files_read_all_files(tripwire_t)
+files_read_all_symlinks(tripwire_t)
+files_getattr_all_pipes(tripwire_t)
+files_getattr_all_sockets(tripwire_t)
+
+logging_send_syslog_msg(tripwire_t)
+
+userdom_use_user_terminals(tripwire_t)
+
+optional_policy(`
+ cron_system_entry(tripwire_t, tripwire_exec_t)
+')
+
+########################################
+#
+# Twadmin local policy
+#
+
+allow twadmin_t tripwire_etc_t:dir list_dir_perms;
+allow twadmin_t tripwire_etc_t:file read_file_perms;
+allow twadmin_t tripwire_etc_t:lnk_file read_lnk_file_perms;
+
+domain_use_interactive_fds(twadmin_t)
+
+files_search_etc(twadmin_t)
+
+logging_send_syslog_msg(twadmin_t)
+
+miscfiles_read_localization(twadmin_t)
+
+userdom_use_user_terminals(twadmin_t)
+
+########################################
+#
+# Twprint local policy
+#
+
+allow twprint_t tripwire_etc_t:dir list_dir_perms;
+allow twprint_t tripwire_etc_t:file read_file_perms;
+allow twprint_t tripwire_etc_t:lnk_file read_lnk_file_perms;
+
+allow twprint_t tripwire_report_t:dir list_dir_perms;
+allow twprint_t tripwire_report_t:file read_file_perms;
+allow twprint_t tripwire_report_t:lnk_file read_lnk_file_perms;
+
+allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
+allow twprint_t tripwire_var_lib_t:file read_file_perms;
+allow twprint_t tripwire_var_lib_t:lnk_file read_lnk_file_perms;
+
+domain_use_interactive_fds(twprint_t)
+
+files_search_etc(twprint_t)
+files_search_var_lib(twprint_t)
+
+logging_send_syslog_msg(twprint_t)
+
+miscfiles_read_localization(twprint_t)
+
+userdom_use_user_terminals(twprint_t)
+
+########################################
+#
+# Siggen local policy
+#
+
+domain_use_interactive_fds(siggen_t)
+
+files_read_all_files(siggen_t)
+
+logging_send_syslog_msg(siggen_t)
+
+miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)
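Review bot: `allow tripwire_t self:capability { dac_override setgid setuid };` has no comment explaining why an integrity checker changes uid/gid, and `files_read_all_files(tripwire_t)` (also granted to `siggen_t`) means the database and reports are built from reads of every file, authentication material included — expected for this tool, but a one-line note above each rule would make that deliberate. `twadmin_t` receives only `list_dir_perms`/`read_file_perms` on `tripwire_etc_t`, so creating or replacing configuration, policy or key files under /etc/tripwire from that domain would be denied; if initial setup is meant to happen outside the domain, say so, e.g. `# twadmin_t is read-only on /etc/tripwire; key/policy generation is done by the administrator outside this domain`, otherwise manage rules are missing. Neither `twadmin_t` nor `twprint_t` gets `corecmd_exec_*` or `kernel_read_system_state`, which fits a deliberately minimal design, so the read-only choice may well be intentional — it just needs to be stated.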
diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc
new file mode 100644
index 00000000..c8448c68
--- /dev/null
+++ b/policy/modules/admin/tzdata.fc
@@ -0,0 +1,3 @@
+/usr/bin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
+
+/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
new file mode 100644
index 00000000..53ecd0de
--- /dev/null
+++ b/policy/modules/admin/tzdata.if
@@ -0,0 +1,47 @@
+## <summary>Time zone updater.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tzdata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tzdata_domtrans',`
+ gen_require(`
+ type tzdata_t, tzdata_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tzdata_exec_t, tzdata_t)
+')
+
+########################################
+## <summary>
+## Execute tzdata in the tzdata domain,
+## and allow the specified role
+## the tzdata domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tzdata_run',`
+ gen_require(`
+ attribute_role tzdata_roles;
+ ')
+
+ tzdata_domtrans($1)
+ roleattribute $2 tzdata_roles;
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
new file mode 100644
index 00000000..cbfb2299
--- /dev/null
+++ b/policy/modules/admin/tzdata.te
@@ -0,0 +1,38 @@
+policy_module(tzdata, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role tzdata_roles;
+
+type tzdata_t;
+type tzdata_exec_t;
+init_daemon_domain(tzdata_t, tzdata_exec_t)
+application_domain(tzdata_t, tzdata_exec_t)
+role tzdata_roles types tzdata_t;
+
+########################################
+#
+# Local policy
+#
+
+files_read_config_files(tzdata_t)
+files_search_spool(tzdata_t)
+
+fs_getattr_xattr_fs(tzdata_t)
+
+term_dontaudit_list_ptys(tzdata_t)
+
+locallogin_dontaudit_use_fds(tzdata_t)
+
+miscfiles_read_localization(tzdata_t)
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
+userdom_use_user_terminals(tzdata_t)
+
+optional_policy(`
+ postfix_search_spool(tzdata_t)
+')
diff --git a/policy/modules/admin/updfstab.fc b/policy/modules/admin/updfstab.fc
new file mode 100644
index 00000000..27ac178d
--- /dev/null
+++ b/policy/modules/admin/updfstab.fc
@@ -0,0 +1,5 @@
+/usr/bin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/bin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+
+/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if
new file mode 100644
index 00000000..ec0800bb
--- /dev/null
+++ b/policy/modules/admin/updfstab.if
@@ -0,0 +1,20 @@
+## <summary>Red Hat utility to change fstab.</summary>
+
+########################################
+## <summary>
+## Execute updfstab in the updfstab domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`updfstab_domtrans',`
+ gen_require(`
+ type updfstab_t, updfstab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, updfstab_exec_t, updfstab_t)
+')
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
new file mode 100644
index 00000000..e63ef612
--- /dev/null
+++ b/policy/modules/admin/updfstab.te
@@ -0,0 +1,116 @@
+policy_module(updfstab, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type updfstab_t;
+type updfstab_exec_t;
+init_system_domain(updfstab_t, updfstab_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
+allow updfstab_t self:process signal_perms;
+allow updfstab_t self:fifo_file rw_fifo_file_perms;
+
+kernel_use_fds(updfstab_t)
+kernel_read_kernel_sysctls(updfstab_t)
+kernel_dontaudit_write_kernel_sysctl(updfstab_t)
+kernel_read_system_state(updfstab_t)
+kernel_change_ring_buffer_level(updfstab_t)
+
+corecmd_exec_bin(updfstab_t)
+
+dev_read_sysfs(updfstab_t)
+dev_manage_generic_symlinks(updfstab_t)
+
+domain_use_interactive_fds(updfstab_t)
+
+files_manage_mnt_files(updfstab_t)
+files_manage_mnt_dirs(updfstab_t)
+files_manage_mnt_symlinks(updfstab_t)
+files_manage_etc_files(updfstab_t)
+files_dontaudit_search_home(updfstab_t)
+files_read_etc_runtime_files(updfstab_t)
+
+fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
+fs_search_auto_mountpoints(updfstab_t)
+
+selinux_get_fs_mount(updfstab_t)
+selinux_validate_context(updfstab_t)
+selinux_compute_access_vector(updfstab_t)
+selinux_compute_create_context(updfstab_t)
+selinux_compute_relabel_context(updfstab_t)
+selinux_compute_user_contexts(updfstab_t)
+
+storage_raw_read_fixed_disk(updfstab_t)
+storage_raw_write_fixed_disk(updfstab_t)
+storage_raw_read_removable_device(updfstab_t)
+storage_raw_write_removable_device(updfstab_t)
+storage_read_scsi_generic(updfstab_t)
+storage_write_scsi_generic(updfstab_t)
+
+term_dontaudit_use_console(updfstab_t)
+
+init_use_fds(updfstab_t)
+init_use_script_ptys(updfstab_t)
+
+logging_search_logs(updfstab_t)
+logging_send_syslog_msg(updfstab_t)
+
+miscfiles_read_localization(updfstab_t)
+
+seutil_read_config(updfstab_t)
+seutil_read_default_contexts(updfstab_t)
+seutil_read_file_contexts(updfstab_t)
+
+userdom_dontaudit_search_user_home_content(updfstab_t)
+userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+optional_policy(`
+ auth_domtrans_pam_console(updfstab_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(updfstab_t)
+
+ init_dbus_chat_script(updfstab_t)
+
+ optional_policy(`
+ hal_dbus_chat(updfstab_t)
+ ')
+')
+
+optional_policy(`
+ fstools_getattr_swap_files(updfstab_t)
+')
+
+optional_policy(`
+ hal_stream_connect(updfstab_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(updfstab_t)
+ modutils_exec(updfstab_t)
+ modutils_read_module_deps(updfstab_t)
+')
+
+optional_policy(`
+ nscd_use(updfstab_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(updfstab_t)
+')
+
+optional_policy(`
+ udev_read_db(updfstab_t)
+')
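Review bot: The updfstab_t local policy grants raw read and write on fixed disks, removable devices and SCSI generic devices (the six storage_raw_*/storage_*_scsi_generic lines) together with write access to every etc_t file through `files_manage_etc_files(updfstab_t)`, and nothing in the hunk says why an fstab updater needs more than the fstab file itself. A dedicated type for /etc/fstab, or at least a why-comment above the storage block, would let the next maintainer judge whether this can be tightened; something like `# raw disk access: presumably used to probe devices when regenerating fstab -- confirm` is enough if the tool really needs it. `kernel_change_ring_buffer_level(updfstab_t)` is similarly unexplained and is an unusual privilege for this kind of utility.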
diff --git a/policy/modules/admin/usbmodules.fc b/policy/modules/admin/usbmodules.fc
new file mode 100644
index 00000000..72188740
--- /dev/null
+++ b/policy/modules/admin/usbmodules.fc
@@ -0,0 +1,3 @@
+/usr/bin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
new file mode 100644
index 00000000..c5881ea5
--- /dev/null
+++ b/policy/modules/admin/usbmodules.if
@@ -0,0 +1,47 @@
+## <summary>List kernel modules of USB devices.</summary>
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmodules_domtrans',`
+ gen_require(`
+ type usbmodules_t, usbmodules_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
+')
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules
+## domain, and allow the specified
+## role the usbmodules domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usbmodules_run',`
+ gen_require(`
+ attribute_role usbmodules_roles;
+ ')
+
+ usbmodules_domtrans($1)
+ roleattribute $2 usbmodules_roles;
+')
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
new file mode 100644
index 00000000..dd6bfe57
--- /dev/null
+++ b/policy/modules/admin/usbmodules.te
@@ -0,0 +1,44 @@
+policy_module(usbmodules, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usbmodules_roles;
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t, usbmodules_exec_t)
+role usbmodules_roles types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+kernel_list_proc(usbmodules_t)
+
+files_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fds(usbmodules_t)
+
+logging_send_syslog_msg(usbmodules_t)
+
+miscfiles_read_hwdata(usbmodules_t)
+
+modutils_read_module_deps(usbmodules_t)
+
+userdom_use_user_terminals(usbmodules_t)
+
+optional_policy(`
+ hotplug_read_config(usbmodules_t)
+')
diff --git a/policy/modules/admin/vbetool.fc b/policy/modules/admin/vbetool.fc
new file mode 100644
index 00000000..af6c0e38
--- /dev/null
+++ b/policy/modules/admin/vbetool.fc
@@ -0,0 +1,3 @@
+/usr/bin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
+
+/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
new file mode 100644
index 00000000..4e648ba8
--- /dev/null
+++ b/policy/modules/admin/vbetool.if
@@ -0,0 +1,46 @@
+## <summary>run real-mode video BIOS code to alter hardware state.</summary>
+
+########################################
+## <summary>
+## Execute vbetool in the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vbetool_domtrans',`
+ gen_require(`
+ type vbetool_t, vbetool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vbetool_exec_t, vbetool_t)
+')
+
+########################################
+## <summary>
+## Execute vbetool in the vbetool
+## domain, and allow the specified
+## role the vbetool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`vbetool_run',`
+ gen_require(`
+ attribute_role vbetool_roles;
+ ')
+
+ vbetool_domtrans($1)
+ roleattribute $2 vbetool_roles;
+')
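Review bot: `vbetool_run` is missing the `## <rolecap/>` tag in its header block (it should sit after the role parameter's `## </param>`, just before the `#` line), while the sibling run interfaces in this commit — tzdata_run, usbmodules_run and vpn_run — all carry it. The interface does `roleattribute $2 vbetool_roles`, so it grants role capability exactly like those three and the documentation generator should be told so. Add `## <rolecap/>` in the same position as in the other run interfaces.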
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
new file mode 100644
index 00000000..b3757d02
--- /dev/null
+++ b/policy/modules/admin/vbetool.te
@@ -0,0 +1,56 @@
+policy_module(vbetool, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether attempts by
+## vbetool to mmap low regions should
+## be silently blocked.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
+attribute_role vbetool_roles;
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t, vbetool_exec_t)
+role vbetool_roles types vbetool_t;
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero(vbetool_t)
+dev_rw_sysfs(vbetool_t)
+dev_rw_xserver_misc(vbetool_t)
+dev_rw_mtrr(vbetool_t)
+
+domain_mmap_low(vbetool_t)
+
+mls_file_read_all_levels(vbetool_t)
+mls_file_write_all_levels(vbetool_t)
+
+term_use_unallocated_ttys(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_rw_pid_files(vbetool_t)
+ hal_write_log(vbetool_t)
+ hal_dontaudit_append_lib_files(vbetool_t)
+')
diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc
new file mode 100644
index 00000000..3e40c477
--- /dev/null
+++ b/policy/modules/admin/vpn.fc
@@ -0,0 +1,6 @@
+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/bin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
new file mode 100644
index 00000000..7a7f3429
--- /dev/null
+++ b/policy/modules/admin/vpn.if
@@ -0,0 +1,140 @@
+## <summary>Virtual Private Networking client.</summary>
+
+########################################
+## <summary>
+## Execute vpn clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vpn_domtrans',`
+ gen_require(`
+ type vpnc_t, vpnc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vpnc_exec_t, vpnc_t)
+')
+
+########################################
+## <summary>
+## Execute vpn clients in the vpnc
+## domain, and allow the specified
+## role the vpnc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vpn_run',`
+ gen_require(`
+ attribute_role vpnc_roles;
+ ')
+
+ vpn_domtrans($1)
+ roleattribute $2 vpnc_roles;
+')
+
+########################################
+## <summary>
+## Send kill signals to vpnc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_kill',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to vpnc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signal',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to vpnc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_signull',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## vpnc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_dbus_chat',`
+ gen_require(`
+ type vpnc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 vpnc_t:dbus send_msg;
+ allow vpnc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Relabelfrom from vpnc socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
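Review bot: The summary of `vpn_relabelfrom_tun_socket` reads "Relabelfrom from vpnc socket.", which repeats "from" and does not name the object class the rule actually covers (`tun_socket`). A clearer summary is `## Relabel from vpnc tun sockets.`, matching the wording style of the other interfaces in this file.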
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
new file mode 100644
index 00000000..65de9063
--- /dev/null
+++ b/policy/modules/admin/vpn.te
@@ -0,0 +1,131 @@
+policy_module(vpn, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vpnc_roles;
+
+type vpnc_t;
+type vpnc_exec_t;
+init_system_domain(vpnc_t, vpnc_exec_t)
+application_domain(vpnc_t, vpnc_exec_t)
+role vpnc_roles types vpnc_t;
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid };
+allow vpnc_t self:process { getsched signal };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket { accept listen };
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+allow vpnc_t self:socket create_socket_perms;
+
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
+
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
+corenet_tcp_sendrecv_generic_if(vpnc_t)
+corenet_udp_sendrecv_generic_if(vpnc_t)
+corenet_raw_sendrecv_generic_if(vpnc_t)
+corenet_tcp_sendrecv_generic_node(vpnc_t)
+corenet_udp_sendrecv_generic_node(vpnc_t)
+corenet_raw_sendrecv_generic_node(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_udp_bind_generic_node(vpnc_t)
+
+corenet_sendrecv_all_server_packets(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+
+corenet_sendrecv_generic_server_packets(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
+
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+
+corenet_rw_tun_tap_dev(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+domain_use_interactive_fds(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
+
+term_use_all_ptys(vpnc_t)
+term_use_all_ttys(vpnc_t)
+
+auth_use_nsswitch(vpnc_t)
+
+init_dontaudit_use_fds(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+
+locallogin_use_fds(vpnc_t)
+
+logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+
+sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+sysnet_etc_filetrans_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_users_fds(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
+
+optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+')
+
+optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(vpnc_t)
+')
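Review bot: `files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})` has inconsistent spacing in its class set compared with `{ file dir }` on the tmp filetrans a few lines above; make it `files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir })`. Separately, `corecmd_exec_all_executables`, `files_exec_etc_files`, `libs_exec_ld_so` and `libs_exec_lib_files` together give vpnc_t a very broad execute set with no comment about what requires it; a one-line why-comment above that group, e.g. `# presumably needed to run the connect/disconnect helper scripts -- confirm which paths`, would help a maintainer decide whether it can be narrowed.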