Sysnetwork patch from Dan Walsh.

2010-03-18 15:40:04 -04:00 · 2010-03-18 15:40:04 -04:00 · 1fa92b8a55
parent ddd786e404
commit 1fa92b8a55
3 changed files with 123 additions and 21 deletions
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@ -13,6 +13,9 @@
 /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/ethers		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)

@ -21,7 +24,8 @@

 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network-scripts(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 ')

 #
@ -53,6 +57,7 @@ ifdef(`distro_redhat',`
 /var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)

 /var/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)

--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@ -43,6 +43,42 @@ interface(`sysnet_run_dhcpc',`

 	sysnet_domtrans_dhcpc($1)
 	role $2 types dhcpc_t;
+
+	modutils_run_insmod(dhcpc_t, $2)
+
+	sysnet_run_ifconfig(dhcpc_t, $2)
+
+	optional_policy(`
+		consoletype_run(dhcpc_t, $2)
+	')
+
+	optional_policy(`
+		hostname_run(dhcpc_t, $2)
+	')
+
+	optional_policy(`
+		netutils_run(dhcpc_t, $2)
+		netutils_run_ping(dhcpc_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the SIGCHLD.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_use_dhcpc_fds',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	dontaudit $1 dhcpc_t:fd use;
 ')

 ########################################
@ -192,7 +228,25 @@ interface(`sysnet_read_dhcpc_state',`
 		type dhcpc_state_t;
 	')

-	allow $1 dhcpc_state_t:file read_file_perms;
+	read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+##	Delete the dhcp client state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_state',`
+	gen_require(`
+		type dhcpc_state_t;
+	')
+
+	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
 ')

 #######################################
@ -252,6 +306,11 @@ interface(`sysnet_read_config',`

 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
+
+	ifdef(`distro_redhat',`
+		allow $1 net_conf_t:dir list_dir_perms;
+		read_files_pattern($1, net_conf_t, net_conf_t)
+	')
 ')

 #######################################
@ -345,6 +404,10 @@ interface(`sysnet_manage_config',`
 	')

 	allow $1 net_conf_t:file manage_file_perms;
+
+	ifdef(`distro_redhat',`
+		manage_files_pattern($1, net_conf_t, net_conf_t)
+	')
 ')

 #######################################
@ -485,6 +548,7 @@ interface(`sysnet_read_dhcp_config',`
 	')

 	files_search_etc($1)
+	allow $1 dhcp_etc_t:dir list_dir_perms;
 	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
 ')

@ -578,6 +642,14 @@ interface(`sysnet_dns_name_resolve',`
 	corenet_sendrecv_dns_client_packets($1)

 	sysnet_read_config($1)
+
+	optional_policy(`
+		avahi_stream_connect($1)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1)
+	')
 ')

 ########################################
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@ -1,5 +1,5 @@

-policy_module(sysnetwork, 1.10.2)
+policy_module(sysnetwork, 1.10.3)

 ########################################
 #
@ -41,21 +41,23 @@ files_type(net_conf_t)
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+
+allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };

 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
 exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)

+allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)

@ -65,7 +67,7 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)

 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file manage_file_perms;
+sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)

 # create temp files
@ -80,7 +82,9 @@ domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)

 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
+kernel_search_network_sysctl(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
+kernel_request_load_module(dhcpc_t)
 kernel_use_fds(dhcpc_t)

 corecmd_exec_bin(dhcpc_t)
@ -108,13 +112,15 @@ dev_read_sysfs(dhcpc_t)
 dev_read_urand(dhcpc_t)

 domain_use_interactive_fds(dhcpc_t)
-domain_dontaudit_list_all_domains_state(dhcpc_t)
+domain_dontaudit_read_all_domains_state(dhcpc_t)

 files_read_etc_files(dhcpc_t)
 files_read_etc_runtime_files(dhcpc_t)
+files_read_usr_files(dhcpc_t)
 files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
+files_getattr_generic_locks(dhcpc_t)

 fs_getattr_all_fs(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
@ -164,6 +170,10 @@ optional_policy(`
 	hostname_domtrans(dhcpc_t)
 ')

+optional_policy(`
+	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+')
+
 optional_policy(`
 	hotplug_getattr_config_dirs(dhcpc_t)
 	hotplug_search_config(dhcpc_t)
@ -183,25 +193,17 @@ optional_policy(`
 ')

 optional_policy(`
-	nis_use_ypbind(dhcpc_t)
-	nis_signal_ypbind(dhcpc_t)
 	nis_read_ypbind_pid(dhcpc_t)
-	nis_delete_ypbind_pid(dhcpc_t)
-
-	# dhclient sometimes starts ypbind
-	init_exec_script_files(dhcpc_t)
-	nis_domtrans_ypbind(dhcpc_t)
 ')

 optional_policy(`
+	nscd_initrc_domtrans(dhcpc_t)
 	nscd_domtrans(dhcpc_t)
 	nscd_read_pid(dhcpc_t)
 ')

 optional_policy(`
-	# dhclient sometimes starts ntpd
-	init_exec_script_files(dhcpc_t)
-	ntp_domtrans(dhcpc_t)
+	ntp_initrc_domtrans(dhcpc_t)
 ')

 optional_policy(`
@ -222,6 +224,10 @@ optional_policy(`
 	userdom_use_all_users_fds(dhcpc_t)
 ')

+optional_policy(`
+	vmware_append_log(dhcpc_t)
+')
+
 optional_policy(`
 	kernel_read_xen_state(dhcpc_t)
 	kernel_write_xen_state(dhcpc_t)
@ -235,7 +241,6 @@ optional_policy(`
 #

 allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
-dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
@ -260,6 +265,7 @@ allow ifconfig_t self:tcp_socket { create ioctl };
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
+kernel_request_load_module(ifconfig_t)
 kernel_search_network_sysctl(ifconfig_t)
 kernel_rw_net_sysctls(ifconfig_t)

@ -272,12 +278,18 @@ dev_read_urand(ifconfig_t)
 domain_use_interactive_fds(ifconfig_t)

 files_read_etc_files(ifconfig_t)
+files_read_etc_runtime_files(ifconfig_t)

 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)

+selinux_dontaudit_getattr_fs(ifconfig_t)
+
+term_dontaudit_use_console(ifconfig_t)
 term_dontaudit_use_all_ttys(ifconfig_t)
 term_dontaudit_use_all_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
+term_dontaudit_use_generic_ptys(ifconfig_t)

 files_dontaudit_read_root_files(ifconfig_t)

@ -313,6 +325,11 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')

+optional_policy(`
+	hal_dontaudit_rw_pipes(ifconfig_t)
+	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
+
 optional_policy(`
 	ipsec_write_pid(ifconfig_t)
 ')
@ -329,6 +346,14 @@ optional_policy(`
 	ppp_use_fds(ifconfig_t)
 ')

+optional_policy(`
+	unconfined_dontaudit_rw_pipes(ifconfig_t)
+')
+
+optional_policy(`
+	vmware_append_log(ifconfig_t)
+')
+
 optional_policy(`
 	kernel_read_xen_state(ifconfig_t)
 	kernel_write_xen_state(ifconfig_t)