From c753c066d107146ce5aa599866bc949d077d396b Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:20:00 +0100
Subject: [PATCH 1/3] add corecmd_check_exec_bin_files()

useful for monit
---
 policy/modules/kernel/corecommands.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 426122604..24e7c4fd4 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -216,6 +216,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',`
 dontaudit $1 bin_t:file getattr_file_perms;
 ')
 
+########################################
+## <summary>
+## Check if files in bin directories are executable (DAC-wise)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_check_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:file { execute getattr };
+')
+
 ########################################
 ## <summary>
 ## Read files in bin directories.
From e4f394072986f7d3e33031fbdbe3b04c2e6da27f Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:20:25 +0100
Subject: [PATCH 2/3] add fs_getattr_dos_dirs()

useful
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 96fa54d4b..c07f5fb8f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
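Review bot: The summary line `Check if files in bin directories are executable (DAC-wise)` undersells what the last added allow rule grants: bin_t:file execute is a real capability (mapping bin_t files executable, and actual execution once an execute_no_trans or entrypoint rule exists elsewhere for the domain), not merely permission to ask. It is the right permission for the stated purpose, because access(2) with X_OK is mediated by SELinux as a file execute request, but the interface documentation should say so, e.g. `## Check if files in bin directories are executable (DAC-wise).` followed by `## access(2) with X_OK is checked as file execute, so execute` and `## (but not execute_no_trans) is granted.` Policy authors can then tell this interface apart from corecmd_exec_bin and pick it only when the caller really does not execute anything in bin directories.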
@@ -1778,6 +1778,24 @@ interface(`fs_relabelfrom_dos_fs',`
 allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+## Get attributes of directories on a dosfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ## Search dosfs filesystem.
From 5770a8ee7ca2c8b30a848169bec4f0f48a5e83af Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Mon, 20 Feb 2017 14:24:56 +0100
Subject: [PATCH 3/3] update init_ACTION_all_units

When with systemd a program does not ship a systemd unit file but only a init script, systemd creates a pseudo service on the fly. To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces. Useful for monit.
---
 policy/modules/system/init.if | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7a657f3cf..62bfd4fdc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2524,11 +2524,11 @@ interface(`init_reload_generic_units',`
 #
 interface(`init_get_all_units_status',`
 gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
 class service status;
 ')
 
- allow $1 systemdunit:service status;
+ allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
 ########################################
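Review bot: The `<summary>` blocks of init_get_all_units_status, init_start_all_units, init_stop_all_units and init_reload_all_units (hunks at -2524, -2543, -2562 and -2581 of init.if) sit above each hunk and are not updated, so the generated interface documentation still describes the access in terms of systemd units only, while each new allow line now also grants the service permission on every init_script_file_type type. Each summary should say so, e.g. for the start interface `## Start all systemd units, including the units systemd` followed by `## generates on the fly for SysV init scripts (init_script_file_type).` Worth keeping in mind for callers: init_script_file_type is an attribute over init-script file types, so under systemd the permission is granted on every labelled init script, not only on those without a unit file; that is presumably the intended reading of "all units", but it widens these four interfaces for every existing caller at once. Whether systemd labels a generated unit with its init script's file context is not visible here and should be confirmed before relying on it; the enclosing interface blocks start above each hunk.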
@@ -2543,11 +2543,11 @@ interface(`init_get_all_units_status',`
 #
 interface(`init_start_all_units',`
 gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
 class service start;
 ')
 
- allow $1 systemdunit:service start;
+ allow $1 { init_script_file_type systemdunit }:service start;
 ')
 
 ########################################
@@ -2562,11 +2562,11 @@ interface(`init_start_all_units',`
 #
 interface(`init_stop_all_units',`
 gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
 class service stop;
 ')
 
- allow $1 systemdunit:service stop;
+ allow $1 { init_script_file_type systemdunit }:service stop;
 ')
 
 #######################################
@@ -2581,9 +2581,9 @@ interface(`init_stop_all_units',`
 #
 interface(`init_reload_all_units',`
 gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
 class service reload;
 ')
 
- allow $1 systemdunit:service reload;
+ allow $1 { init_script_file_type systemdunit }:service reload;
 ')