From 9d0c9b3ed56d2d1e1c0083ee3b2951872d21c7bc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 29 May 2006 19:53:43 +0000
Subject: [PATCH] packets for admin modules

---
 refpolicy/policy/modules/admin/amanda.te    |  9 ++++-----
 refpolicy/policy/modules/admin/apt.te       |  5 +++--
 refpolicy/policy/modules/admin/backup.te    |  5 ++---
 refpolicy/policy/modules/admin/dpkg.te      |  7 +++----
 refpolicy/policy/modules/admin/firstboot.te | 11 ++++------
 refpolicy/policy/modules/admin/mrtg.te      |  7 ++-----
 refpolicy/policy/modules/admin/netutils.te  | 21 ++++++++------------
 refpolicy/policy/modules/admin/rpm.te       |  7 +++----
 refpolicy/policy/modules/admin/sxid.te      |  8 ++------
 refpolicy/policy/modules/admin/vpn.te       |  8 +++++---
 refpolicy/policy/modules/services/afs.te    |  8 +++++++-
 11 files changed, 43 insertions(+), 53 deletions(-)

diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 1816551b7..7c8285f9c 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.3.2)
+policy_module(amanda,1.3.3)
 #######################################
 #
@@ -124,6 +124,7 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
+corenet_non_ipsec_sendrecv(amanda_t)
 corenet_tcp_sendrecv_all_if(amanda_t)
 corenet_udp_sendrecv_all_if(amanda_t)
 corenet_raw_sendrecv_all_if(amanda_t)
@@ -132,7 +133,6 @@ corenet_udp_sendrecv_all_nodes(amanda_t)
 corenet_raw_sendrecv_all_nodes(amanda_t)
 corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_udp_sendrecv_all_ports(amanda_t)
-corenet_non_ipsec_sendrecv(amanda_t)
 corenet_tcp_bind_all_nodes(amanda_t)
 corenet_udp_bind_all_nodes(amanda_t)
@@ -212,19 +212,18 @@ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
+corenet_non_ipsec_sendrecv(amanda_recover_t)
 corenet_tcp_sendrecv_all_if(amanda_recover_t)
 corenet_udp_sendrecv_all_if(amanda_recover_t)
-corenet_raw_sendrecv_all_if(amanda_recover_t)
 corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
 corenet_udp_sendrecv_all_nodes(amanda_recover_t)
-corenet_raw_sendrecv_all_nodes(amanda_recover_t)
 corenet_tcp_sendrecv_all_ports(amanda_recover_t)
 corenet_udp_sendrecv_all_ports(amanda_recover_t)
-corenet_non_ipsec_sendrecv(amanda_recover_t)
 corenet_tcp_bind_all_nodes(amanda_recover_t)
 corenet_udp_bind_all_nodes(amanda_recover_t)
 corenet_tcp_bind_reserved_port(amanda_recover_t)
 corenet_tcp_connect_amanda_port(amanda_recover_t)
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
diff --git a/refpolicy/policy/modules/admin/apt.te b/refpolicy/policy/modules/admin/apt.te
index 87970365a..995ede09f 100644
--- a/refpolicy/policy/modules/admin/apt.te
+++ b/refpolicy/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.0.0)
+policy_module(apt,1.0.1)
 ########################################
 #
@@ -76,17 +76,18 @@ corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 corecmd_exec_sbin(apt_t)
+corenet_non_ipsec_sendrecv(apt_t)
 corenet_tcp_sendrecv_all_if(apt_t)
 corenet_udp_sendrecv_all_if(apt_t)
 corenet_tcp_sendrecv_all_nodes(apt_t)
 corenet_udp_sendrecv_all_nodes(apt_t)
 corenet_tcp_sendrecv_all_ports(apt_t)
 corenet_udp_sendrecv_all_ports(apt_t)
-corenet_non_ipsec_sendrecv(apt_t)
 # TODO: reall allow all these?
 corenet_tcp_bind_all_nodes(apt_t)
 corenet_udp_bind_all_nodes(apt_t)
 corenet_tcp_connect_all_ports(apt_t)
+corenet_sendrecv_all_client_packets(apt_t)
 dev_read_urand(apt_t)
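Review bot: `corenet_tcp_bind_all_nodes(apt_t)` and `corenet_udp_bind_all_nodes(apt_t)` are left in place directly under the `# TODO: reall allow all these?` comment, while this same commit removes the equivalent bind rules from dpkg_t, rpm_t and backup_t and labels apt_t purely as a client with the new `corenet_sendrecv_all_client_packets(apt_t)`. A package fetcher that only connects outward has no obvious reason to bind, so unless a listening use of apt_t is known the two bind lines should go here too, which would make the client-only packet labeling consistent with the rest of the block. The surviving `corenet_tcp_connect_all_ports(apt_t)` plus all-client-packets pair is still the broadest client grant available; narrowing it to the HTTP/FTP port interfaces is the natural answer to that TODO and worth tracking.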
diff --git a/refpolicy/policy/modules/admin/backup.te b/refpolicy/policy/modules/admin/backup.te
index 46b1ba3c1..c37f70130 100644
--- a/refpolicy/policy/modules/admin/backup.te
+++ b/refpolicy/policy/modules/admin/backup.te
@@ -1,5 +1,5 @@
-policy_module(backup,1.0.0)
+policy_module(backup,1.0.1)
 ########################################
 #
@@ -44,9 +44,8 @@ corenet_udp_sendrecv_all_nodes(backup_t)
 corenet_raw_sendrecv_all_nodes(backup_t)
 corenet_tcp_sendrecv_all_ports(backup_t)
 corenet_udp_sendrecv_all_ports(backup_t)
-corenet_tcp_bind_all_nodes(backup_t)
-corenet_udp_bind_all_nodes(backup_t)
 corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
 dev_getattr_all_blk_files(backup_t)
 dev_getattr_all_chr_files(backup_t)
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
index 98a673249..e2bb49c5c 100644
--- a/refpolicy/policy/modules/admin/dpkg.te
+++ b/refpolicy/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg,1.0.1)
+policy_module(dpkg,1.0.2)
 ########################################
 #
@@ -91,6 +91,7 @@ kernel_read_kernel_sysctls(dpkg_t)
 corecmd_exec_all_executables(dpkg_t)
 # TODO: do we really need all networking?
+corenet_non_ipsec_sendrecv(dpkg_t)
 corenet_tcp_sendrecv_all_if(dpkg_t)
 corenet_raw_sendrecv_all_if(dpkg_t)
 corenet_udp_sendrecv_all_if(dpkg_t)
@@ -99,10 +100,8 @@ corenet_raw_sendrecv_all_nodes(dpkg_t)
 corenet_udp_sendrecv_all_nodes(dpkg_t)
 corenet_tcp_sendrecv_all_ports(dpkg_t)
 corenet_udp_sendrecv_all_ports(dpkg_t)
-corenet_non_ipsec_sendrecv(dpkg_t)
-corenet_tcp_bind_all_nodes(dpkg_t)
-corenet_udp_bind_all_nodes(dpkg_t)
 corenet_tcp_connect_all_ports(dpkg_t)
+corenet_sendrecv_all_client_packets(dpkg_t)
 dev_list_sysfs(dpkg_t)
 dev_list_usbfs(dpkg_t)
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index f606dbe95..b03616f3c 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
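Review bot: The `# TODO: do we really need all networking?` question at the top of the -91 hunk stays open while the -99 hunk pairs the kept `corenet_tcp_connect_all_ports(dpkg_t)` with the new `corenet_sendrecv_all_client_packets(dpkg_t)`, so dpkg_t, which also has `corecmd_exec_all_executables(dpkg_t)` in context, keeps unrestricted outbound TCP plus raw-socket send/receive on all interfaces and nodes. Dropping the two bind rules is the right direction, and the raw rules left as context look like the next candidate, since nothing visible in this module explains a raw socket for a package installer. If dpkg_t only runs maintainer scripts and apt_t does the fetching, the connect/packet pair could be narrowed to what those scripts are known to need and the TODO answered instead of carried forward. The rpm_t hunks later in this commit have exactly the same shape and the same question applies there.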
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.1.1)
+policy_module(firstboot,1.1.2)
 gen_require(`
 	class passwd rootok;
@@ -48,13 +48,10 @@ unconfined_domain(firstboot_t)
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
-corenet_tcp_sendrecv_all_if(firstboot_t)
-corenet_raw_sendrecv_all_if(firstboot_t)
-corenet_tcp_sendrecv_all_nodes(firstboot_t)
-corenet_raw_sendrecv_all_nodes(firstboot_t)
-corenet_tcp_sendrecv_all_ports(firstboot_t)
 corenet_non_ipsec_sendrecv(firstboot_t)
-corenet_tcp_bind_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_if(firstboot_t)
+corenet_tcp_sendrecv_all_nodes(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
 dev_read_urand(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
index ad531e1bb..3625067e4 100644
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ b/refpolicy/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg,1.0.0)
+policy_module(mrtg,1.0.1)
 ########################################
 #
@@ -68,15 +68,12 @@ corecmd_exec_shell(mrtg_t)
 corenet_non_ipsec_sendrecv(mrtg_t)
 corenet_tcp_sendrecv_generic_if(mrtg_t)
 corenet_udp_sendrecv_generic_if(mrtg_t)
-corenet_raw_sendrecv_generic_if(mrtg_t)
 corenet_tcp_sendrecv_all_nodes(mrtg_t)
 corenet_udp_sendrecv_all_nodes(mrtg_t)
-corenet_raw_sendrecv_all_nodes(mrtg_t)
 corenet_tcp_sendrecv_all_ports(mrtg_t)
 corenet_udp_sendrecv_all_ports(mrtg_t)
-corenet_tcp_bind_all_nodes(mrtg_t)
-corenet_udp_bind_all_nodes(mrtg_t)
 corenet_tcp_connect_all_ports(mrtg_t)
+corenet_sendrecv_all_client_packets(mrtg_t)
 dev_read_sysfs(mrtg_t)
 dev_read_urand(mrtg_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 58c545f5d..2cc4c9f65 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
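Review bot: After the -48 hunk firstboot_t keeps `corenet_non_ipsec_sendrecv(firstboot_t)` and the three re-added tcp sendrecv rules, but unlike every other client domain in this commit it gets no `corenet_sendrecv_*_packets` rule and no connect rule is visible, so if SECMARK packet labeling is in use those sendrecv rules alone would presumably not let a TCP connection through. This is masked by `unconfined_domain(firstboot_t)` in the hunk header, which grants everything regardless, which in turn means the four corenet lines are effectively decorative. Either drop them with a comment such as `# networking is covered by unconfined_domain(firstboot_t)` or, if the intent is to eventually confine firstboot_t, add the packet rule now so the block is complete when unconfined_domain goes away. The firstboot_t policy continues past the end of the hunk.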
@@ -1,5 +1,5 @@
-policy_module(netutils,1.1.2)
+policy_module(netutils,1.1.3)
 ########################################
 #
@@ -43,6 +43,7 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 kernel_search_proc(netutils_t)
+corenet_non_ipsec_sendrecv(netutils_t)
 corenet_tcp_sendrecv_all_if(netutils_t)
 corenet_raw_sendrecv_all_if(netutils_t)
 corenet_udp_sendrecv_all_if(netutils_t)
@@ -51,10 +52,8 @@ corenet_raw_sendrecv_all_nodes(netutils_t)
 corenet_udp_sendrecv_all_nodes(netutils_t)
 corenet_tcp_sendrecv_all_ports(netutils_t)
 corenet_udp_sendrecv_all_ports(netutils_t)
-corenet_non_ipsec_sendrecv(netutils_t)
-corenet_tcp_bind_all_nodes(netutils_t)
-corenet_udp_bind_all_nodes(netutils_t)
 corenet_tcp_connect_all_ports(netutils_t)
+corenet_sendrecv_all_client_packets(netutils_t)
 fs_getattr_xattr_fs(netutils_t)
@@ -96,21 +95,15 @@ allow ping_t self:capability { setuid net_raw };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:udp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+corenet_non_ipsec_sendrecv(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
-corenet_udp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_nodes(ping_t)
-corenet_udp_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
-corenet_udp_sendrecv_all_ports(ping_t)
-corenet_non_ipsec_sendrecv(ping_t)
-corenet_udp_bind_all_nodes(ping_t)
-corenet_tcp_bind_all_nodes(ping_t)
 fs_dontaudit_getattr_xattr_fs(ping_t)
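Review bot: ping_t is the one domain in this commit that loses rules without gaining a packet rule: the -96 hunk removes its udp socket and udp sendrecv lines and moves `corenet_non_ipsec_sendrecv(ping_t)` to the top, but no `corenet_sendrecv_*_packets` interface follows, whereas traceroute_t in the next hunk gets `corenet_sendrecv_all_client_packets(traceroute_t)`. If packet labeling is active, ICMP sent through the rawip_socket allowed above would presumably be denied on the packet class under whatever type the local SECMARK rules assign it; adding `corenet_sendrecv_all_client_packets(ping_t)` after `corenet_tcp_sendrecv_all_ports(ping_t)` would mirror traceroute. Separately, `allow ping_t self:tcp_socket create_socket_perms;` and the three tcp sendrecv rules survive although ping itself only needs the raw socket; if they exist for a name-resolution or IPv6 path, a one-line comment saying so would keep the next cleanup from removing them the way the udp rules were removed here. The ping_t policy continues past the end of the hunk.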
@@ -173,21 +166,23 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
+corenet_non_ipsec_sendrecv(traceroute_t)
 corenet_tcp_sendrecv_all_if(traceroute_t)
 corenet_udp_sendrecv_all_if(traceroute_t)
 corenet_raw_sendrecv_all_if(traceroute_t)
-corenet_raw_sendrecv_all_nodes(traceroute_t)
 corenet_tcp_sendrecv_all_nodes(traceroute_t)
 corenet_udp_sendrecv_all_nodes(traceroute_t)
+corenet_raw_sendrecv_all_nodes(traceroute_t)
 corenet_tcp_sendrecv_all_ports(traceroute_t)
 corenet_udp_sendrecv_all_ports(traceroute_t)
-corenet_non_ipsec_sendrecv(traceroute_t)
 corenet_udp_bind_all_nodes(traceroute_t)
 corenet_tcp_bind_all_nodes(traceroute_t)
 # traceroute needs this but not tracepath
 corenet_raw_bind_all_nodes(traceroute_t)
 corenet_udp_bind_traceroute_port(traceroute_t)
 corenet_tcp_connect_all_ports(traceroute_t)
+corenet_sendrecv_all_client_packets(traceroute_t)
+corenet_sendrecv_traceroute_server_packets(traceroute_t)
 fs_dontaudit_getattr_xattr_fs(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 22682ec60..056b35a96 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.3.5)
+policy_module(rpm,1.3.6)
 ########################################
 #
@@ -92,6 +92,7 @@ kernel_read_kernel_sysctls(rpm_t)
 corecmd_exec_all_executables(rpm_t)
+corenet_non_ipsec_sendrecv(rpm_t)
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
 corenet_udp_sendrecv_all_if(rpm_t)
@@ -100,10 +101,8 @@ corenet_raw_sendrecv_all_nodes(rpm_t)
 corenet_udp_sendrecv_all_nodes(rpm_t)
 corenet_tcp_sendrecv_all_ports(rpm_t)
 corenet_udp_sendrecv_all_ports(rpm_t)
-corenet_non_ipsec_sendrecv(rpm_t)
-corenet_tcp_bind_all_nodes(rpm_t)
-corenet_udp_bind_all_nodes(rpm_t)
 corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
diff --git a/refpolicy/policy/modules/admin/sxid.te b/refpolicy/policy/modules/admin/sxid.te
index 1c9f28930..bf3ef846f 100644
--- a/refpolicy/policy/modules/admin/sxid.te
+++ b/refpolicy/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
-policy_module(sxid,1.0.0)
+policy_module(sxid,1.0.1)
 ########################################
 #
@@ -43,17 +43,13 @@ corecmd_exec_bin(sxid_t)
 corecmd_exec_sbin(sxid_t)
 corecmd_exec_shell(sxid_t)
+corenet_non_ipsec_sendrecv(sxid_t)
 corenet_tcp_sendrecv_generic_if(sxid_t)
 corenet_udp_sendrecv_generic_if(sxid_t)
-corenet_raw_sendrecv_generic_if(sxid_t)
 corenet_tcp_sendrecv_all_nodes(sxid_t)
 corenet_udp_sendrecv_all_nodes(sxid_t)
-corenet_raw_sendrecv_all_nodes(sxid_t)
 corenet_tcp_sendrecv_all_ports(sxid_t)
 corenet_udp_sendrecv_all_ports(sxid_t)
-corenet_non_ipsec_sendrecv(sxid_t)
-corenet_tcp_bind_all_nodes(sxid_t)
-corenet_udp_bind_all_nodes(sxid_t)
 dev_read_sysfs(sxid_t)
 dev_getattr_all_blk_files(sxid_t)
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 6b04a1ed9..8fe4572f4 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn,1.2.1)
+policy_module(vpn,1.2.2)
 ########################################
 #
@@ -49,6 +49,7 @@ kernel_read_network_state(vpnc_t)
 kernel_read_kernel_sysctls(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)
+corenet_non_ipsec_sendrecv(vpnc_t)
 corenet_tcp_sendrecv_all_if(vpnc_t)
 corenet_udp_sendrecv_all_if(vpnc_t)
 corenet_raw_sendrecv_all_if(vpnc_t)
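Review bot: After the sxid -43 hunk sxid_t still has tcp/udp sendrecv on generic interfaces, all nodes and all ports, but no connect or bind interface remains in view and, unlike the other admin domains in this commit, no `corenet_sendrecv_*_packets` rule is added, so the remaining network rules are either incomplete (a connect would still need a permission that is not granted here) or dead. sxid is a setuid/setgid audit tool whose only network-adjacent need is normally handing its report to a local mailer; if that is done through a mail interface elsewhere in the module, the whole corenet block including the newly moved `corenet_non_ipsec_sendrecv(sxid_t)` can probably go, and if sxid really opens sockets itself the missing connect and packet rules belong alongside these. Either way a one-line comment above the block, e.g. `# sxid only needs networking for <reason>`, would stop this from being re-litigated on the next pass.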
@@ -57,12 +58,13 @@ corenet_udp_sendrecv_all_nodes(vpnc_t)
 corenet_raw_sendrecv_all_nodes(vpnc_t)
 corenet_tcp_sendrecv_all_ports(vpnc_t)
 corenet_udp_sendrecv_all_ports(vpnc_t)
-corenet_non_ipsec_sendrecv(vpnc_t)
-corenet_tcp_bind_all_nodes(vpnc_t)
 corenet_udp_bind_all_nodes(vpnc_t)
 corenet_udp_bind_generic_port(vpnc_t)
 corenet_udp_bind_isakmp_port(vpnc_t)
 corenet_tcp_connect_all_ports(vpnc_t)
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
 corenet_rw_tun_tap_dev(vpnc_t)
 dev_read_rand(vpnc_t)
diff --git a/refpolicy/policy/modules/services/afs.te b/refpolicy/policy/modules/services/afs.te
index ffcc7e15d..1e748b016 100644
--- a/refpolicy/policy/modules/services/afs.te
+++ b/refpolicy/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
-policy_module(afs,1.0.0)
+policy_module(afs,1.0.1)
 ########################################
 #
@@ -110,6 +110,7 @@ corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
 corenet_udp_sendrecv_all_ports(afs_bosserver_t)
 corenet_udp_bind_all_nodes(afs_bosserver_t)
 corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
 files_read_etc_files(afs_bosserver_t)
 files_list_home(afs_bosserver_t)
@@ -174,6 +175,7 @@ corenet_tcp_bind_all_nodes(afs_fsserver_t)
 corenet_udp_bind_all_nodes(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
 corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
 files_read_etc_files(afs_fsserver_t)
 files_read_etc_runtime_files(afs_fsserver_t)
@@ -233,6 +235,8 @@ corenet_udp_sendrecv_all_ports(afs_kaserver_t)
 corenet_udp_bind_all_nodes(afs_kaserver_t)
 corenet_udp_bind_afs_ka_port(afs_kaserver_t)
 corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
 files_read_etc_files(afs_kaserver_t)
 files_list_home(afs_kaserver_t)
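Review bot: The new packet rules make vpnc_t's UDP side precise, with `corenet_udp_bind_isakmp_port(vpnc_t)` now paired with `corenet_sendrecv_isakmp_server_packets(vpnc_t)` and the generic-port bind with `corenet_sendrecv_generic_server_packets(vpnc_t)`, but `corenet_tcp_connect_all_ports(vpnc_t)` is kept and `corenet_sendrecv_all_client_packets(vpnc_t)` is added on top of it, so the client side is still every TCP port. If vpnc only speaks ISAKMP and NAT-T over UDP and carries ESP through the raw socket (the raw sendrecv rules are in context above), the TCP connect rule is unused and should be dropped, or narrowed to whichever TCP port vpnc is actually observed to use, with the all-client-packets line narrowed to match. Otherwise a comment such as `# tcp connect to all ports needed for <reason>` above the connect rule would document why a VPN client gets that breadth.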
@@ -280,6 +284,7 @@ corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
 corenet_udp_sendrecv_all_ports(afs_ptserver_t)
 corenet_udp_bind_all_nodes(afs_ptserver_t)
 corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 files_read_etc_files(afs_ptserver_t)
@@ -323,6 +328,7 @@ corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
 corenet_udp_sendrecv_all_ports(afs_vlserver_t)
 corenet_udp_bind_all_nodes(afs_vlserver_t)
 corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
 files_read_etc_files(afs_vlserver_t)