Index: refpolicy-2.20200209/policy/modules/services/memlockd.fc =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.fc @@ -0,0 +1 @@ +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) Index: refpolicy-2.20200209/policy/modules/services/memlockd.if =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.if @@ -0,0 +1,2 @@ +## memory lock daemon, keeps important files in RAM. + Index: refpolicy-2.20200209/policy/modules/services/memlockd.te =================================================================== --- /dev/null +++ refpolicy-2.20200209/policy/modules/services/memlockd.te @@ -0,0 +1,42 @@ +policy_module(memlockd, 1.0.0) + +######################################## +# +# Declarations +# + +type memlockd_t; +type memlockd_exec_t; +init_daemon_domain(memlockd_t, memlockd_exec_t) + +######################################## +# +# Local policy +# + +allow memlockd_t self:capability { setgid setuid ipc_lock }; +allow memlockd_t self:fifo_file rw_file_perms; +allow memlockd_t self:unix_dgram_socket { create connect }; + +# cache /etc/shadow too +auth_read_shadow(memlockd_t) +auth_map_shadow(memlockd_t) + +sysnet_map_config(memlockd_t) +files_read_etc_files(memlockd_t) + +# for ldd +corecmd_exec_bin(memlockd_t) +corecmd_exec_shell(memlockd_t) +libs_exec_ld_so(memlockd_t) + +corecmd_search_bin(memlockd_t) +files_map_etc_files(memlockd_t) +# has to exec for ldd +corecmd_exec_all_executables(memlockd_t) +corecmd_read_all_executables(memlockd_t) + +logging_send_syslog_msg(memlockd_t) + +miscfiles_read_localization(memlockd_t) + Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.if +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.if @@ -366,6 +366,31 @@ interface(`sysnet_read_config',` ####################################### ## +## map network config files. +## +## +## +## Allow the specified domain to mmap the +## general network configuration files. +## +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_map_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file { read_file_perms map }; +') + +####################################### +## ## Do not audit attempts to read network config files. ## ## Index: refpolicy-2.20200209/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20200209/policy/modules/system/authlogin.if @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` ######################################## ## +## Map the shadow passwords file (/etc/shadow) +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_map_shadow',` + gen_require(` + type shadow_t; + ') + allow $1 shadow_t:file map; +') + +######################################## +## ## Pass shadow assertion for reading. ## ##
+## Allow the specified domain to mmap the +## general network configuration files. +##