From 6e61566dba91b40f75a081967d9b624806cb15a7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 31 Aug 2005 15:25:12 +0000 Subject: [PATCH] add comsat. clean up kerberos and nscd interfaces --- refpolicy/Changelog | 2 + refpolicy/policy/modules/kernel/kernel.if | 2 +- refpolicy/policy/modules/services/comsat.fc | 2 + refpolicy/policy/modules/services/comsat.if | 1 + refpolicy/policy/modules/services/comsat.te | 86 +++++++++++++++++++ refpolicy/policy/modules/services/kerberos.if | 16 ++-- refpolicy/policy/modules/services/nis.if | 5 +- refpolicy/policy/modules/services/nscd.if | 4 +- refpolicy/policy/modules/system/domain.if | 3 +- refpolicy/policy/modules/system/init.if | 23 ++++- 10 files changed, 129 insertions(+), 15 deletions(-) create mode 100644 refpolicy/policy/modules/services/comsat.fc create mode 100644 refpolicy/policy/modules/services/comsat.if create mode 100644 refpolicy/policy/modules/services/comsat.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index bdef26cb5..643aded6a 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,5 +1,7 @@ - Doc tool will explicitly say a module does not have interfaces or templates on the module page. +- Added policies: + comsat * Fri Aug 26 2005 Chris PeBenito - 20050826 - Add Makefile support for building loadable modules. diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index c147b454c..90eb00a58 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -415,7 +415,7 @@ interface(`kernel_dontaudit_read_system_state',` class file read; ') - allow $1 proc_t:file read; + dontaudit $1 proc_t:file read; ') ####################################### diff --git a/refpolicy/policy/modules/services/comsat.fc b/refpolicy/policy/modules/services/comsat.fc new file mode 100644 index 000000000..fe0cfea4d --- /dev/null +++ b/refpolicy/policy/modules/services/comsat.fc 
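Review bot: Switching `allow` to `dontaudit` in kernel_dontaudit_read_system_state takes away a read on proc_t files that every existing caller was really being granted, and the new rule also keeps the resulting denials out of the audit log. A domain that depended on that access will now fail with no AVC record, so existing callers should be checked and moved to kernel_read_system_state where the read is intended. The Changelog hunk mentions only comsat; a line such as `- Fix kernel_dontaudit_read_system_state to dontaudit instead of allow.` would make the behaviour change visible. The interface starts above the hunk.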
@@ -0,0 +1,2 @@
+
+/usr/sbin/in\.comsat -- context_template(system_u:object_r:comsat_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/comsat.if b/refpolicy/policy/modules/services/comsat.if
new file mode 100644
index 000000000..afc4dfe7c
--- /dev/null
+++ b/refpolicy/policy/modules/services/comsat.if
@@ -0,0 +1 @@
+## Comsat, a biff server.
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
new file mode 100644
index 000000000..bb50e6e38
--- /dev/null
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -0,0 +1,86 @@
+
+policy_module(comsat,1.0)
+
+########################################
+#
+# Declarations
+#
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t,comsat_exec_t)
+role system_r types comsat_t;
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:dir search;
+allow comsat_t self:fifo_file rw_file_perms;
+allow comsat_t self:{ lnk_file file } { getattr read };
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket { listen accept connected_socket_perms };
+
+allow comsat_t comsat_tmp_t:dir create_dir_perms;
+allow comsat_t comsat_tmp_t:file create_file_perms;
+files_create_tmp_files(comsat_t, comsat_tmp_t, { file dir })
+
+allow comsat_t comsat_var_run_t:file create_file_perms;
+files_create_pid(comsat_t,comsat_var_run_t)
+
+kernel_read_kernel_sysctl(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+corenet_raw_sendrecv_all_if(comsat_t)
+corenet_tcp_sendrecv_all_if(comsat_t)
+corenet_raw_sendrecv_all_nodes(comsat_t)
+corenet_tcp_sendrecv_all_nodes(comsat_t)
+corenet_tcp_sendrecv_all_ports(comsat_t)
+corenet_tcp_bind_all_nodes(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_read_etc_files(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+init_read_script_pid(comsat_t)
+init_dontaudit_write_script_pid(comsat_t)
+
+libs_use_ld_so(comsat_t)
+libs_use_shared_libs(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+sysnet_read_config(comsat_t)
+
+mta_getattr_spool(comsat_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_use(comsat_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(comsat_t)
+')
+
+optional_policy(`nscd.te',`
+
nscd_use_socket(comsat_t) +') + +ifdef(`TODO',` +dontaudit comsat_t sysadm_tty_device_t:chr_file getattr; +') diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if index 499c7b19f..f0baf8b8c 100644 --- a/refpolicy/policy/modules/services/kerberos.if +++ b/refpolicy/policy/modules/services/kerberos.if @@ -32,12 +32,18 @@ interface(`kerberos_use',` gen_require(` type krb5_conf_t; - class files r_file_perms; + class file r_file_perms; + class tcp_socket create_socket_perms; + class udp_socket create_socket_perms; ') + files_search_etc($1) + allow $1 krb5_conf_t:file { getattr read }; + dontaudit $1 krb5_conf_t:file write; + tunable_policy(`allow_kerberos',` - allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; - allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) @@ -54,10 +60,6 @@ interface(`kerberos_use',` tunable_policy(`allow_kerberos && use_dns',` corenet_udp_sendrecv_dns_port($1) ') - - files_search_etc($1) - allow $1 krb5_conf_t:file { getattr read }; - dontaudit $1 krb5_conf_t:file write; ') ######################################## diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index bb123580a..9ad95f8a7 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if 
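Review bot: The local policy in comsat.te gives TCP and raw-network access to a domain declared with `inetd_udp_service_domain`, which looks broader than a UDP service started from inetd needs: `allow comsat_t self:tcp_socket { listen accept connected_socket_perms };`, the `corenet_tcp_*` and `corenet_raw_*` calls, and `corenet_tcp_bind_all_nodes(comsat_t)`. No UDP rule appears in the file, so the UDP side presumably comes from the inetd macro, whose definition is not part of this patch. Unless recorded denials show they are required, I would drop the TCP and raw lines rather than carry them over from a daemon template. `self:capability { setuid setgid }` and `self:netlink_tcpdiag_socket` each deserve a one-line reason, for example `# setuid/setgid: <why comsat changes identity, to be filled in by the author>`.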
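Review bot: The `gen_require` block in kerberos_use now declares `class file r_file_perms;`, but the body also names `write` on that class in `dontaudit $1 krb5_conf_t:file write;`, so the require list does not cover every permission the interface uses. If require blocks are meant to be complete for the loadable-module build, `class file { r_file_perms write };` closes the gap. The swap of the explicit socket lists for `create_socket_perms` should be checked against the macro's definition, which is outside this patch. Part of the interface body lies between the two kerberos.if hunks and is not shown.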
@@ -22,9 +22,8 @@ interface(`nis_use_ypbind',` tunable_policy(`allow_ypbind',` dontaudit $1 self:capability net_bind_service; - allow $1 self:tcp_socket { listen accept }; - allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; - allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; allow $1 var_yp_t:dir r_dir_perms; allow $1 var_yp_t:lnk_file r_file_perms; diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if index d53878ad7..08c7152df 100644 --- a/refpolicy/policy/modules/services/nscd.if +++ b/refpolicy/policy/modules/services/nscd.if @@ -39,13 +39,13 @@ interface(`nscd_use_socket',` type nscd_t, nscd_var_run_t; class fd use; class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - class unix_stream_socket { create_stream_socket_perms connectto }; + class unix_stream_socket { create_socket_perms connectto }; class dir { search getattr }; class sock_file rw_file_perms; class file { getattr read }; ') - allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_stream_socket create_socket_perms; allow $1 nscd_t:unix_stream_socket connectto; allow $1 nscd_t:nscd { getpwd getgrp gethost }; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 4d1270963..3cbb4f4b7 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -52,8 +52,9 @@ interface(`domain_type',` # read the root directory files_list_root($1) - # send init a sigchld + # send init a sigchld and signull init_sigchld($1) + init_signull($1) ifdef(`targeted_policy',` unconfined_use_fd($1) diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 9543b9369..e11f7f10e 100644 
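Review bot: The `udp_socket` line in nis_use_ypbind is not a pure cleanup. The removed list had no `connect`, while the kerberos.if hunk in this patch uses `create_socket_perms` to replace a UDP list that did include it, so the macro presumably grants `connect` and callers gain that permission under allow_ypbind. If that is intended, record it next to the rule, e.g. `# create_socket_perms also grants connect on the UDP socket (intended)`; if not, keep the explicit list for `udp_socket`. The TCP line looks equivalent to the two rules it replaces, assuming `create_stream_socket_perms` adds only listen and accept. The interface starts above the hunk and continues below it.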
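Review bot: Adding `init_signull($1)` to domain_type grants every domain in the policy the right to send init a null signal, and the updated comment says what is granted but not why. A null signal delivers nothing to init, so the exposure is small. A grant made to all domains should still carry its reason, for instance `# signull: <denial or caller that needs it, to be filled in by the author>`. If only a few domains need it, calling init_signull from those modules keeps domain_type minimal.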
--- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -238,8 +238,29 @@ interface(`init_dontaudit_use_initctl',` ') ######################################## +## +## Send init a null signal. +## +## +## Domain allowed access. +## # -# init_sigchld(domain) +interface(`init_signull',` + gen_require(` + type init_t; + class process signull; + ') + + allow $1 init_t:process signull; +') + +######################################## +## +## Send init a SIGCHLD signal. +## +## +## Domain allowed access. +## # interface(`init_sigchld',` gen_require(`