Patch for memlockd policy against latest git.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20200405/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20200405/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20200405/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.te
@@ -0,0 +1,42 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+allow memlockd_t self:fifo_file rw_file_perms;
+allow memlockd_t self:unix_dgram_socket { create connect };
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
+files_read_etc_files(memlockd_t)
+
+# for ldd
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+
+corecmd_search_bin(memlockd_t)
+files_map_etc_files(memlockd_t)
+# has to exec for ldd
+corecmd_exec_all_executables(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+
+miscfiles_read_localization(memlockd_t)
+
Index: refpolicy-2.20200405/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20200405/policy/modules/system/sysnetwork.if
@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
#######################################
## <summary>
+## map network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to mmap the
+## general network configuration files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file { read_file_perms map };
+')
+
+#######################################
+## <summary>
## Do not audit attempts to read network config files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20200405/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20200405/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
########################################
## <summary>
+## Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+ allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
## Pass shadow assertion for reading.
## </summary>
## <desc>
On 4/5/20 4:43 AM, Russell Coker wrote:
> Patch for memlockd policy against latest git.
>
> Signed-off-by: Russell Coker <[email protected]>
>
>
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.te
> @@ -0,0 +1,42 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };
> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)
> +auth_map_shadow(memlockd_t)
> +
Below needs to be cleaned up for line ordering.
> +sysnet_mmap_read_config(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +
> +# for ldd
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +
> +corecmd_search_bin(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +# has to exec for ldd
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +
> +miscfiles_read_localization(memlockd_t)
> +
> Index: refpolicy-2.20200405/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200405/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>
> #######################################
> ## <summary>
> +## map network config files.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to mmap the
> +## general network configuration files.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file { read_file_perms map };
There is a mmap_read_file_perms set that has this.
> +')
> +
> +#######################################
> +## <summary>
> ## Do not audit attempts to read network config files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20200405/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200405/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>
> ########################################
> ## <summary>
> +## Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> + gen_require(`
> + type shadow_t;
> + ')
> + allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
> ## Pass shadow assertion for reading.
> ## </summary>
> ## <desc>
>
--
Chris PeBenito