2010-09-03 19:46:25

by domg472

Subject: [refpolicy] [Various 1/1] Add nfctool module and its dependencies.

Add brctl_run interface to cleaned up brctl module.
Add brctl domtrans and run calls to new ncftool module, modutils.
Implement system conf type for manageable system configuration files.
Add/replace calls to system configuration interfaces in virt, init, iptables.
Add network configuration interfaces and add calls to these interfaces in various modules.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5b43db5... 8f1ee2c... M policy/modules/admin/brctl.if
:100644 100644 0ff3679... 45b26c9... M policy/modules/admin/brctl.te
:000000 100644 0000000... 19710b5... A policy/modules/admin/ncftool.fc
:000000 100644 0000000... 5b9318b... A policy/modules/admin/ncftool.if
:000000 100644 0000000... 2e2f551... A policy/modules/admin/ncftool.te
:100644 100644 a22e546... 157f6ff... M policy/modules/admin/shorewall.te
:100644 100644 3517db2... ba92739... M policy/modules/kernel/files.fc
:100644 100644 5302dac... 17e7a6a... M policy/modules/kernel/files.if
:100644 100644 07352a5... ec07a47... M policy/modules/kernel/files.te
:100644 100644 3cce663... 57c0f15... M policy/modules/services/virt.te
:100644 100644 abab4cf... c038370... M policy/modules/system/init.te
:100644 100644 13f62a6... e0813a1... M policy/modules/system/iptables.fc
:100644 100644 5c94dfe... 68cd2d2... M policy/modules/system/iptables.if
:100644 100644 a3fdcb3... 8e644c4... M policy/modules/system/iptables.te
:100644 100644 9c0faab... 565e5bc... M policy/modules/system/modutils.if
:100644 100644 8e71fb7... 1e4892d... M policy/modules/system/sysnetwork.if
:100644 100644 dfbe736... ab27920... M policy/modules/system/sysnetwork.te
policy/modules/admin/brctl.if | 34 ++++++++++++-
policy/modules/admin/brctl.te | 1 -
policy/modules/admin/ncftool.fc | 1 +
policy/modules/admin/ncftool.if | 80 +++++++++++++++++++++++++++++++
policy/modules/admin/ncftool.te | 82 ++++++++++++++++++++++++++++++++
policy/modules/admin/shorewall.te | 4 ++
policy/modules/kernel/files.fc | 89 +++--------------------------------
policy/modules/kernel/files.if | 74 +++++++++++++++++++++++++++++
policy/modules/kernel/files.te | 8 +++
policy/modules/services/virt.te | 7 ++-
policy/modules/system/init.te | 2 +
policy/modules/system/iptables.fc | 2 -
policy/modules/system/iptables.if | 78 ------------------------------
policy/modules/system/iptables.te | 4 +-
policy/modules/system/modutils.if | 20 ++++++++
policy/modules/system/sysnetwork.if | 38 +++++++++++++++
policy/modules/system/sysnetwork.te | 4 ++
17 files changed, 357 insertions(+), 171 deletions(-)

diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 5b43db5..8f1ee2c 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -1,13 +1,13 @@
-## <summary>Utilities for configuring the linux ethernet bridge</summary>
+## <summary>Utilities for configuring the linux ethernet bridge.</summary>

########################################
## <summary>
## Execute a domain transition to run brctl.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`brctl_domtrans',`
@@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
type brctl_t, brctl_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
+
+#####################################
+## <summary>
+## Execute a domain transition to run
+## Brctl, and allow the specified role
+## the Brctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`brctl_run',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 0ff3679..45b26c9 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)

-# Init script handling
domain_use_interactive_fds(brctl_t)

files_read_etc_files(brctl_t)
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
new file mode 100644
index 0000000..19710b5
--- /dev/null
+++ b/policy/modules/admin/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
new file mode 100644
index 0000000..5b9318b
--- /dev/null
+++ b/policy/modules/admin/ncftool.if
@@ -0,0 +1,80 @@
+## <summary>Network Interface Management.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run Ncftool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## Ncftool, and allow the specified role
+## the Ncftool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ncftool_run',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
+
+ optional_policy(`
+ brctl_run(ncftool_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for Ncftool.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ncftool_role',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ role $1 types ncftool_t;
+
+ ncftool_domtrans($2)
+
+ ps_process_pattern($2, ncftool_t)
+ allow $2 ncftool_t:process { ptrace signal_perms };
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
index 0000000..2e2f551
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
@@ -0,0 +1,82 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
+########################################
+#
+# local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+term_use_all_terms(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+modutils_list_module_config(ncftool_t)
+modutils_read_module_config(ncftool_t)
+modutils_domtrans_insmod(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ netutils_domtrans(ncftool_t)
+')
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index a22e546..157f6ff 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
userdom_dontaudit_list_user_home_dirs(shorewall_t)

optional_policy(`
+ brctl_domtrans(shorewall_t)
+')
+
+optional_policy(`
hostname_exec(shorewall_t)
')

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 3517db2..ba92739 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -1,15 +1,9 @@
-
-#
-# /
-#
/.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0)
/\.journal <<none>>
/afs -d gen_context(system_u:object_r:mnt_t,s0)
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
-
-ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_suse',`
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')

-#
-# /boot
-#
/boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
@@ -35,15 +22,9 @@ ifdef(`distro_suse',`
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)

-#
-# /emul
-#
/emul -d gen_context(system_u:object_r:usr_t,s0)
/emul/.* gen_context(system_u:object_r:usr_t,s0)

-#
-# /etc
-#
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -72,114 +53,68 @@ ifdef(`distro_suse',`

/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)

+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)

-ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')

-ifdef(`distro_redhat',`
/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
-')

-ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')

-#
-# HOME_ROOT
-# expanded by genhomedircon
-#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>

-#
-# /initrd
-#
-# initrd mount point, only used during boot
/initrd -d gen_context(system_u:object_r:root_t,s0)

-#
-# /lib(64)?
-#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)

-#
-# /lost+found
-#
/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/lost\+found/.* <<none>>

-#
-# /media
-#
-# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)

-#
-# /misc
-#
/misc -d gen_context(system_u:object_r:mnt_t,s0)

-#
-# /mnt
-#
/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>

-#
-# /net
-#
/net -d gen_context(system_u:object_r:mnt_t,s0)

-#
-# /opt
-#
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)

/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)

-#
-# /proc
-#
/proc -d <<none>>
/proc/.* <<none>>

-#
-# /selinux
-#
/selinux -d <<none>>
/selinux/.* <<none>>

-#
-# /srv
-#
/srv -d gen_context(system_u:object_r:var_t,s0)
/srv/.* gen_context(system_u:object_r:var_t,s0)

-#
-# /sys
-#
/sys -d <<none>>
/sys/.* <<none>>

-#
-# /tmp
-#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
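Review bot: Relabelling `/etc/sysctl\.conf(\.old)?` from etc_t to system_conf_t removes it from what `files_read_etc_files` grants (that interface covers etc_t only), and this patch adds no read interface for system_conf_t, so any domain that reads sysctl.conf by that route (the boot-time sysctl run, for one) will be denied after the relabel unless it already gets the type through an attribute-based interface; that needs to be confirmed. A `files_read_system_conf_files` interface in files.if, mirroring the manage one, with a call from the reader, would close that gap. A brief comment above the new entries stating that system_conf_t now spans kernel tunables and firewall rule sets would also make the trust grouping visible to anyone editing this file.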
@@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.* <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>

-#
-# /usr
-#
/usr -d gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
@@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>

-ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)

/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-')

-#
-# /var
-#
/var -d gen_context(system_u:object_r:var_t,s0)
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
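Review bot: Dropping the `ifndef` guard makes `/usr/src(/.*)?` and `/usr/local/src(/.*)?` src_t on Red Hat builds too, where they previously fell under `/usr/.*` and were usr_t, and `/usr/src/kernels/.+/lib` becomes usr_t there as well; that changes which domains can read kernel headers and sources on those systems. If this relabel is intended it deserves its own rationale, since nothing in the ncftool work depends on it; if not, keep the guard.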
@@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)

-ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..17e7a6a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
manage_lnk_files_pattern($1, boot_t, boot_t)
')

+###################################
+## <summary>
+## Create manageable system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
+######################################
+## <summary>
+## Manage manageable system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+## <summary>
+## Relabel from manageable system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type system_conf_t;
+ ')
+
+ files_search_etc($1)
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+## <summary>
+## Relabel to manageable system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type system_conf_t;
+ ')
+
+ files_search_etc($1)
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
########################################
## <summary>
## Read kernel files in the /boot directory.
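Review bot: The summary of `files_etc_filetrans_system_conf` under-states what it grants: `filetrans_pattern($1, etc_t, system_conf_t, file)` carries no filename qualifier, so it makes system_conf_t the default type for every file the domain creates directly in an etc_t directory, not only for "manageable system configuration files". Suggest `## Make system_conf_t the default type for all files the domain creates directly in etc_t directories (no name filter); use only for domains whose /etc writes are all managed configuration.` Likewise `files_manage_system_conf_files` grants rw_dir_perms on etc_t through manage_files_pattern, which is worth a line in its summary so callers know they are also getting entry add/remove on /etc itself.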
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 07352a5..ec07a47 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
type src_t;
files_mountpoint(src_t)

+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+typealias system_conf_t alias iptables_conf_t;
+
#
# system_map_t is for the system.map files in /boot
#
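Review bot: The comment on system_conf_t says only that several domains may manage it; per the files.fc entries in this patch the type groups /etc/sysctl.conf with the iptables, ip6tables, ebtables, ipvsadm and system-config-firewall rule sets, so every domain granted manage on it can alter kernel tunables as well as firewall state. Say so at the declaration, e.g. `# system_conf_t: /etc/sysctl.conf plus firewall rule-set files; any domain given manage on it can change kernel tunables and firewall state`, and mark the typealias as a compatibility shim, `# alias kept so existing iptables_conf_t references still build`, so it can be dropped later.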
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3cce663..57c0f15 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -255,6 +255,10 @@ files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
files_manage_etc_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
+files_etc_filetrans_system_conf(virtd_t)

fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
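Review bot: virtd_t already has `files_manage_etc_files`, and `files_etc_filetrans_system_conf(virtd_t)` has no filename qualifier, so after this hunk every file virtd_t creates directly in /etc defaults to system_conf_t instead of etc_t, which makes those files writable by iptables_t and ncftool_t too. The comment removed in the next hunk said virtd only manages /etc/sysconfig/system-config-firewall; if that is still the whole story, carry the comment over, `# creates/manages /etc/sysconfig/system-config-firewall (system_conf_t)`, and confirm virtd_t creates nothing else under /etc before relying on an unfiltered transition.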
@@ -339,9 +343,6 @@ optional_policy(`
optional_policy(`
iptables_domtrans(virtd_t)
iptables_initrc_domtrans(virtd_t)
-
- # Manages /etc/sysconfig/system-config-firewall
- iptables_manage_config(virtd_t)
')

optional_policy(`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index abab4cf..c038370 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
')

optional_policy(`
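Review bot: Granting initrc_t both relabelfrom and relabelto on net_conf_t only permits net_conf_t to net_conf_t relabels, since relabelfrom on the source type is needed for any other starting label; if the intent is to let initscripts restorecon ifcfg files that were created as etc_t, a relabelfrom on etc_t is also required, and if the intent is just the no-op relabel that restorecon performs on already-correct files, a comment should say so. Suggest `# restorecon of ifcfg files already labelled net_conf_t` or the etc_t relabelfrom, whichever matches the observed denial. The enclosing ifdef(`distro_redhat') block starts before this hunk.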
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..e0813a1 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,6 +1,4 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)

/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5c94dfe..68cd2d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`

init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
-
-#####################################
-## <summary>
-## Set the attributes of iptables config files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`iptables_setattr_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:file setattr;
-')
-
-#####################################
-## <summary>
-## Read iptables config files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`iptables_read_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:dir list_dir_perms;
- read_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
-
-#####################################
-## <summary>
-## Create files in /etc with the type used for
-## the iptables config files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`iptables_etc_filetrans_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_etc_filetrans($1, iptables_conf_t, file)
-')
-
-###################################
-## <summary>
-## Manage iptables config files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`iptables_manage_config',`
- gen_require(`
- type iptables_conf_t;
- type etc_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index a3fdcb3..8e644c4 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms;

-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_t)

manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
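Review bot: With `files_manage_system_conf_files(iptables_t)` and the files.fc relabels in this patch, iptables_t's write scope widens from its own iptables_conf_t save files to everything labelled system_conf_t, which now includes /etc/sysctl.conf and the ebtables and ipvsadm config; a domain that only needed to write its own rule sets can now change kernel tunables. If that is acceptable it should be stated next to the call, `# system_conf_t also covers /etc/sysctl.conf, ebtables and ipvsadm config`; if not, sysctl.conf needs a narrower type than the firewall files.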
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..565e5bc 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`

########################################
## <summary>
+## List the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 8e71fb7..1e4892d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
')
')

+#######################################
+## <summary>
+## Relabel from network configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file relabelfrom;
+')
+
+######################################
+## <summary>
+## Relabel to network configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_relabelto_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file relabelto;
+')
+
########################################
## <summary>
## Connect and use a LDAP server.
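Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` use raw `allow $1 net_conf_t:file relabelfrom;` / `relabelto;` rules, while the equivalent files.if interfaces added in this same patch use `relabelfrom_files_pattern` and `relabelto_files_pattern`. For consistency with the rest of the series write them as `relabelfrom_files_pattern($1, net_conf_t, net_conf_t)` and `relabelto_files_pattern($1, net_conf_t, net_conf_t)`; the extra dir search the pattern grants is harmless since net_conf_t labels files.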
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..ab27920 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ brctl_domtrans(ifconfig_t)
+')
+
+optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')
--
1.7.2.1



2010-09-09 12:33:32

by cpebenito

Subject: [refpolicy] [Various 1/1] Add nfctool module and its dependencies.

On 09/03/10 15:46, Dominick Grift wrote:
> Add brctl_run interface to cleaned up brctl module.
> Add brctl domtrans and run calls to new ncftool module, modutils.
> Implement system conf type for manageable system configuration files.
> Add /replace calls to system configuration interfaces in virt, init, iptables.
> Add network configuration interfaces and add calls to these interfaces in various modules.

There are unrelated changes in this patch; please remove them. This
patch is also big enough that it should probably be split up into 2 or 3
patches.

> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 5b43db5... 8f1ee2c... M policy/modules/admin/brctl.if
> :100644 100644 0ff3679... 45b26c9... M policy/modules/admin/brctl.te
> :000000 100644 0000000... 19710b5... A policy/modules/admin/ncftool.fc
> :000000 100644 0000000... 5b9318b... A policy/modules/admin/ncftool.if
> :000000 100644 0000000... 2e2f551... A policy/modules/admin/ncftool.te
> :100644 100644 a22e546... 157f6ff... M policy/modules/admin/shorewall.te
> :100644 100644 3517db2... ba92739... M policy/modules/kernel/files.fc
> :100644 100644 5302dac... 17e7a6a... M policy/modules/kernel/files.if
> :100644 100644 07352a5... ec07a47... M policy/modules/kernel/files.te
> :100644 100644 3cce663... 57c0f15... M policy/modules/services/virt.te
> :100644 100644 abab4cf... c038370... M policy/modules/system/init.te
> :100644 100644 13f62a6... e0813a1... M policy/modules/system/iptables.fc
> :100644 100644 5c94dfe... 68cd2d2... M policy/modules/system/iptables.if
> :100644 100644 a3fdcb3... 8e644c4... M policy/modules/system/iptables.te
> :100644 100644 9c0faab... 565e5bc... M policy/modules/system/modutils.if
> :100644 100644 8e71fb7... 1e4892d... M policy/modules/system/sysnetwork.if
> :100644 100644 dfbe736... ab27920... M policy/modules/system/sysnetwork.te
> policy/modules/admin/brctl.if | 34 ++++++++++++-
> policy/modules/admin/brctl.te | 1 -
> policy/modules/admin/ncftool.fc | 1 +
> policy/modules/admin/ncftool.if | 80 +++++++++++++++++++++++++++++++
> policy/modules/admin/ncftool.te | 82 ++++++++++++++++++++++++++++++++
> policy/modules/admin/shorewall.te | 4 ++
> policy/modules/kernel/files.fc | 89 +++--------------------------------
> policy/modules/kernel/files.if | 74 +++++++++++++++++++++++++++++
> policy/modules/kernel/files.te | 8 +++
> policy/modules/services/virt.te | 7 ++-
> policy/modules/system/init.te | 2 +
> policy/modules/system/iptables.fc | 2 -
> policy/modules/system/iptables.if | 78 ------------------------------
> policy/modules/system/iptables.te | 4 +-
> policy/modules/system/modutils.if | 20 ++++++++
> policy/modules/system/sysnetwork.if | 38 +++++++++++++++
> policy/modules/system/sysnetwork.te | 4 ++
> 17 files changed, 357 insertions(+), 171 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
> index 5b43db5..8f1ee2c 100644
> --- a/policy/modules/admin/brctl.if
> +++ b/policy/modules/admin/brctl.if
> @@ -1,13 +1,13 @@
> -##<summary>Utilities for configuring the linux ethernet bridge</summary>
> +##<summary>Utilities for configuring the linux ethernet bridge.</summary>
>
> ########################################
> ##<summary>
> ## Execute a domain transition to run brctl.
> ##</summary>
> ##<param name="domain">
> -##<summary>
> +## <summary>
> ## Domain allowed to transition.
> -##</summary>
> +## </summary>
> ##</param>
> #
> interface(`brctl_domtrans',`
> @@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
> type brctl_t, brctl_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, brctl_exec_t, brctl_t)
> ')
> +
> +#####################################
> +##<summary>
> +## Execute a domain transition to run
> +## Brctl, and allow the specified role
> +## the Brctl domain.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +##</param>
> +##<param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`brctl_run',`
> + gen_require(`
> + type brctl_t, brctl_exec_t;
> + ')
> +
> + brctl_domtrans($1)
> + role $2 types brctl_t;
> +')
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index 0ff3679..45b26c9 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
> dev_rw_sysfs(brctl_t)
> dev_write_sysfs_dirs(brctl_t)
>
> -# Init script handling
> domain_use_interactive_fds(brctl_t)
>
> files_read_etc_files(brctl_t)
> diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
> new file mode 100644
> index 0000000..19710b5
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.fc
> @@ -0,0 +1 @@
> +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
> diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
> new file mode 100644
> index 0000000..5b9318b
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.if
> @@ -0,0 +1,80 @@
> +##<summary>Network Interface Management.</summary>
> +
> +########################################
> +##<summary>
> +## Execute a domain transition to run Ncftool.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +##</param>
> +#
> +interface(`ncftool_domtrans',`
> + gen_require(`
> + type ncftool_t, ncftool_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, ncftool_exec_t, ncftool_t)
> +')
> +
> +########################################
> +##<summary>
> +## Execute a domain transition to run
> +## Ncftool, and allow the specified role
> +## the Ncftool domain.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +##<param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_run',`
> + gen_require(`
> + type ncftool_t;
> + ')
> +
> + ncftool_domtrans($1)
> + role $2 types ncftool_t;
> +
> + optional_policy(`
> + brctl_run(ncftool_t, $2)
> + ')
> +')
> +
> +########################################
> +##<summary>
> +## Role access for Ncftool.
> +##</summary>
> +##<param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +##</param>
> +##<param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_role',`
> + gen_require(`
> + type ncftool_t;
> + ')
> +
> + role $1 types ncftool_t;
> +
> + ncftool_domtrans($2)
> +
> + ps_process_pattern($2, ncftool_t)
> + allow $2 ncftool_t:process { ptrace signal_perms };
> +')
> diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
> new file mode 100644
> index 0000000..2e2f551
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.te
> @@ -0,0 +1,82 @@
> +policy_module(ncftool, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type ncftool_t;
> +type ncftool_exec_t;
> +application_domain(ncftool_t, ncftool_exec_t)
> +domain_obj_id_change_exemption(ncftool_t)
> +domain_system_change_exemption(ncftool_t)
> +role system_r types ncftool_t;
> +
> +########################################
> +#
> +# local policy
> +#
> +
> +allow ncftool_t self:capability { net_admin sys_ptrace };
> +allow ncftool_t self:process signal;
> +allow ncftool_t self:fifo_file manage_fifo_file_perms;
> +allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
> +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ncftool_t self:tcp_socket create_stream_socket_perms;
> +
> +kernel_read_kernel_sysctls(ncftool_t)
> +kernel_read_modprobe_sysctls(ncftool_t)
> +kernel_read_network_state(ncftool_t)
> +kernel_read_system_state(ncftool_t)
> +kernel_request_load_module(ncftool_t)
> +kernel_rw_net_sysctls(ncftool_t)
> +
> +corecmd_exec_bin(ncftool_t)
> +corecmd_exec_shell(ncftool_t)
> +
> +domain_read_all_domains_state(ncftool_t)
> +
> +dev_read_sysfs(ncftool_t)
> +
> +files_manage_system_conf_files(ncftool_t)
> +files_relabelto_system_conf_files(ncftool_t)
> +files_read_etc_files(ncftool_t)
> +files_read_etc_runtime_files(ncftool_t)
> +files_read_usr_files(ncftool_t)
> +
> +term_use_all_terms(ncftool_t)
> +
> +miscfiles_read_localization(ncftool_t)
> +
> +modutils_list_module_config(ncftool_t)
> +modutils_read_module_config(ncftool_t)
> +modutils_domtrans_insmod(ncftool_t)
> +
> +sysnet_delete_dhcpc_pid(ncftool_t)
> +sysnet_domtrans_dhcpc(ncftool_t)
> +sysnet_domtrans_ifconfig(ncftool_t)
> +sysnet_etc_filetrans_config(ncftool_t)
> +sysnet_manage_config(ncftool_t)
> +sysnet_read_dhcpc_state(ncftool_t)
> +sysnet_relabelfrom_net_conf(ncftool_t)
> +sysnet_relabelto_net_conf(ncftool_t)
> +sysnet_read_dhcpc_pid(ncftool_t)
> +sysnet_signal_dhcpc(ncftool_t)
> +
> +userdom_read_user_tmp_files(ncftool_t)
> +
> +optional_policy(`
> + consoletype_exec(ncftool_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(ncftool_t)
> +')
> +
> +optional_policy(`
> + iptables_initrc_domtrans(ncftool_t)
> +')
> +
> +optional_policy(`
> + netutils_domtrans(ncftool_t)
> +')
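Review bot: ncftool_t is given domain transitions to insmod, dhcpc, ifconfig, the iptables init script and netutils (L1158, L1161, L1162, L1182, L1186), but the only role authorization the series adds is `brctl_run(ncftool_t, $2)` inside `ncftool_run` (earlier hunk, outside this one), so for a role that does not already hold insmod_t, dhcpc_t, ifconfig_t or netutils_t those transitions will presumably be refused by the role check rather than handled; either call the matching `_run` interfaces from `ncftool_run` or state in a comment that the module assumes a role which already has these types. `term_use_all_terms` plus `corecmd_exec_shell` and `sys_ptrace` also make this a broad domain for a network configuration tool, and a why-comment on each would help a reviewer, e.g. `# ncftool runs shell helper scripts for interface setup` above L1140 if that is the reason. Minor: the banner at L1122 reads `# local policy` where the rest of refpolicy uses `# Local policy`, and `sysnet_read_dhcpc_pid` at L1168 is out of alphabetical order with its siblings.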
> diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
> index a22e546..157f6ff 100644
> --- a/policy/modules/admin/shorewall.te
> +++ b/policy/modules/admin/shorewall.te
> @@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
> userdom_dontaudit_list_user_home_dirs(shorewall_t)
>
> optional_policy(`
> + brctl_domtrans(shorewall_t)
> +')
> +
> +optional_policy(`
> hostname_exec(shorewall_t)
> ')
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 3517db2..ba92739 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -1,15 +1,9 @@
> -
> -#
> -# /
> -#
> /.* gen_context(system_u:object_r:default_t,s0)
> / -d gen_context(system_u:object_r:root_t,s0)
> /\.journal <<none>>
> /afs -d gen_context(system_u:object_r:mnt_t,s0)
> /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
> /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
> -
> -ifdef(`distro_redhat',`
> /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
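Review bot: This hunk and the other files.fc hunks at L1223–L1238, L1239–L1254, L1255–L1376, L1377–L1386, L1387–L1403 and L1404–L1410 delete the distro_redhat, distro_suse, distro_gentoo, distro_debian ifdef/ifndef wrappers and every section comment while keeping the entries inside them, so distribution-specific contexts such as /etc/rhgb, /etc/profile\.env, /var/run/motd and the /usr/src src_t entries become unconditional on every distribution. Nothing in the commit message describes this; it only mentions the system_conf_t labeling, which suggests the diff was produced against a preprocessed or locally stripped files.fc rather than the tree. Only the system_conf_t additions and the firstboot line move at L1259–L1268 belong to this change; the remaining removals in these hunks should be dropped before merging.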
> @@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
> /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> -
> -ifdef(`distro_suse',`
> /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# /boot
> -#
> /boot -d gen_context(system_u:object_r:boot_t,s0)
> /boot/.* gen_context(system_u:object_r:boot_t,s0)
> /boot/\.journal <<none>>
> @@ -35,15 +22,9 @@ ifdef(`distro_suse',`
> /boot/lost\+found/.* <<none>>
> /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
>
> -#
> -# /emul
> -#
> /emul -d gen_context(system_u:object_r:usr_t,s0)
> /emul/.* gen_context(system_u:object_r:usr_t,s0)
>
> -#
> -# /etc
> -#
> /etc -d gen_context(system_u:object_r:etc_t,s0)
> /etc/.* gen_context(system_u:object_r:etc_t,s0)
> /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -72,114 +53,68 @@ ifdef(`distro_suse',`
>
> /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +
> +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
>
> -ifdef(`distro_gentoo', `
> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -ifdef(`distro_redhat',`
> /etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
> -')
>
> -ifdef(`distro_suse',`
> /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# HOME_ROOT
> -# expanded by genhomedircon
> -#
> HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
> HOME_ROOT/\.journal <<none>>
> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> HOME_ROOT/lost\+found/.* <<none>>
>
> -#
> -# /initrd
> -#
> -# initrd mount point, only used during boot
> /initrd -d gen_context(system_u:object_r:root_t,s0)
>
> -#
> -# /lib(64)?
> -#
> /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
> /lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
>
> -#
> -# /lost+found
> -#
> /lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /lost\+found/.* <<none>>
>
> -#
> -# /media
> -#
> -# Mount points; do not relabel subdirectories, since
> -# we don't want to change any removable media by default.
> /media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
> /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
> /media/[^/]*/.* <<none>>
> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /misc
> -#
> /misc -d gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /mnt
> -#
> /mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
> /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
> /mnt/[^/]*/.* <<none>>
>
> -#
> -# /net
> -#
> /net -d gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /opt
> -#
> /opt -d gen_context(system_u:object_r:usr_t,s0)
> /opt/.* gen_context(system_u:object_r:usr_t,s0)
>
> /opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
>
> -#
> -# /proc
> -#
> /proc -d <<none>>
> /proc/.* <<none>>
>
> -#
> -# /selinux
> -#
> /selinux -d <<none>>
> /selinux/.* <<none>>
>
> -#
> -# /srv
> -#
> /srv -d gen_context(system_u:object_r:var_t,s0)
> /srv/.* gen_context(system_u:object_r:var_t,s0)
>
> -#
> -# /sys
> -#
> /sys -d <<none>>
> /sys/.* <<none>>
>
> -#
> -# /tmp
> -#
> /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> /tmp/.* <<none>>
> /tmp/\.journal <<none>>
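Review bot: `/etc/sysctl\.conf(\.old)?` at L1268 moves from the default etc_t to system_conf_t, which means every domain granted `files_manage_system_conf_files` in this series (iptables_t, virtd_t, ncftool_t) can now rewrite the boot-time kernel tunables, not just firewall configuration; that is a larger trust change than the commit message conveys and deserves either its own type or a comment on this line such as `# sysctl.conf is writable by every system_conf_t manager (see files.if)`. The ordering of `/etc/sysconfig/ip6?tables.*` (L1262) before `/etc/sysconfig/iptables\.save` (L1263) is correct for last-match-wins, but a short comment noting that the .save line must stay after the wildcard would stop a later reorder from relabeling the saved ruleset.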
> @@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.* <<none>>
> /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /tmp/lost\+found/.* <<none>>
>
> -#
> -# /usr
> -#
> /usr -d gen_context(system_u:object_r:usr_t,s0)
> /usr/.* gen_context(system_u:object_r:usr_t,s0)
> /usr/\.journal <<none>>
> @@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.* <<none>>
> /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> /usr/tmp/.* <<none>>
>
> -ifndef(`distro_redhat',`
> /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
>
> /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
> /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
> -')
>
> -#
> -# /var
> -#
> /var -d gen_context(system_u:object_r:var_t,s0)
> /var/.* gen_context(system_u:object_r:var_t,s0)
> /var/\.journal <<none>>
> @@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
> /var/tmp/lost\+found/.* <<none>>
> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
>
> -ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..17e7a6a 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
> manage_lnk_files_pattern($1, boot_t, boot_t)
> ')
>
> +###################################
> +##<summary>
> +## Create manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`files_etc_filetrans_system_conf',`
> + gen_require(`
> + type etc_t, system_conf_t;
> + ')
> +
> + filetrans_pattern($1, etc_t, system_conf_t, file)
> +')
> +
> +######################################
> +##<summary>
> +## Manage manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`files_manage_system_conf_files',`
> + gen_require(`
> + type etc_t, system_conf_t;
> + ')
> +
> + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +## Relabel from manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`files_relabelfrom_system_conf_files',`
> + gen_require(`
> + type system_conf_t;
> + ')
> +
> + files_search_etc($1)
> + relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +## Relabel to manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`files_relabelto_system_conf_files',`
> + gen_require(`
> + type system_conf_t;
> + ')
> +
> + files_search_etc($1)
> + relabelto_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> ########################################
> ##<summary>
> ## Read kernel files in the /boot directory.
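Review bot: `files_manage_system_conf_files` (L1452) passes `{ etc_t system_conf_t }` as the directory types, yet every system_conf_t context added to files.fc in this series is a plain-file entry (`--`), so the system_conf_t directory permissions are dead and the interface reads differently from its three siblings, which call `files_search_etc($1)` and name only system_conf_t; `manage_files_pattern($1, etc_t, system_conf_t)` would match the `files_manage_etc_files` shape unless system_conf_t directories are planned. The summaries at L1421 and L1439 ("Create manageable system configuration files", "Manage manageable system configuration files") read awkwardly; suggest "Create files in /etc with the system_conf_t type" and "Manage system configuration files labeled system_conf_t". The banner lines at L1419, L1437, L1455 and L1474 are 35–38 `#` rather than the 40 used elsewhere in this file.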
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 07352a5..ec07a47 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
> type src_t;
> files_mountpoint(src_t)
>
> +# system_conf_t is a new type of various
> +# files in /etc/ that can be managed and
> +# created by several domains.
> +#
> +type system_conf_t, configfile;
> +files_type(system_conf_t)
> +typealias system_conf_t alias iptables_conf_t;
> +
> #
> # system_map_t is for the system.map files in /boot
> #
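Review bot: The comment at L1504–L1507 should say what system_conf_t actually covers and who may write it, since a reader of files.te cannot see that from the type line: after this series it includes the sysconfig firewall, ebtables and ipvsadm files and /etc/sysctl.conf, and its managers are network-configuration domains. Suggested wording: `# system_conf_t: /etc files (firewall sysconfig, sysctl.conf) that network` / `# management domains create and rewrite; writers can change boot-time tunables.` The `typealias system_conf_t alias iptables_conf_t` at L1510 is a compatibility shim and should be marked as such, e.g. `# compatibility alias for policy still using iptables_conf_t`, so it is not mistaken for a permanent name.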
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..57c0f15 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -255,6 +255,10 @@ files_search_all(virtd_t)
> files_read_kernel_modules(virtd_t)
> files_read_usr_src_files(virtd_t)
> files_manage_etc_files(virtd_t)
> +files_relabelfrom_system_conf_files(virtd_t)
> +files_relabelto_system_conf_files(virtd_t)
> +files_manage_system_conf_files(virtd_t)
> +files_etc_filetrans_system_conf(virtd_t)
>
> fs_list_auto_mountpoints(virtd_t)
> fs_getattr_xattr_fs(virtd_t)
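Review bot: The four calls at L1523–L1526 lose the explanation that the removed `iptables_manage_config(virtd_t)` carried (`# Manages /etc/sysconfig/system-config-firewall`, deleted in the hunk at L1530–L1539), and since system_conf_t now also covers /etc/sysctl.conf, a comment naming the files virtd actually writes is needed to keep the grant reviewable; restoring `# Manages /etc/sysconfig/system-config-firewall` above L1523 would do. It is also not visible here why virtd needs both relabelfrom and relabelto on system_conf_t; if it only restores the label after rewriting a file, say so on the relabel pair.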
> @@ -339,9 +343,6 @@ optional_policy(`
> optional_policy(`
> iptables_domtrans(virtd_t)
> iptables_initrc_domtrans(virtd_t)
> -
> - # Manages /etc/sysconfig/system-config-firewall
> - iptables_manage_config(virtd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index abab4cf..c038370 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
> optional_policy(`
> sysnet_rw_dhcp_config(initrc_t)
> sysnet_manage_config(initrc_t)
> + sysnet_relabelfrom_net_conf(initrc_t)
> + sysnet_relabelto_net_conf(initrc_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 13f62a6..e0813a1 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -1,6 +1,4 @@
> /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
> /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 5c94dfe..68cd2d2 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
>
> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
> ')
> -
> -#####################################
> -##<summary>
> -## Set the attributes of iptables config files.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -#
> -interface(`iptables_setattr_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_search_etc($1)
> - allow $1 iptables_conf_t:file setattr;
> -')
> -
> -#####################################
> -##<summary>
> -## Read iptables config files.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -#
> -interface(`iptables_read_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_search_etc($1)
> - allow $1 iptables_conf_t:dir list_dir_perms;
> - read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> -
> -#####################################
> -##<summary>
> -## Create files in /etc with the type used for
> -## the iptables config files.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -#
> -interface(`iptables_etc_filetrans_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_etc_filetrans($1, iptables_conf_t, file)
> -')
> -
> -###################################
> -##<summary>
> -## Manage iptables config files.
> -##</summary>
> -##<param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -##</param>
> -#
> -interface(`iptables_manage_config',`
> - gen_require(`
> - type iptables_conf_t;
> - type etc_t;
> - ')
> -
> - files_search_etc($1)
> - manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index a3fdcb3..8e644c4 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
> allow iptables_t self:process { sigchld sigkill sigstop signull signal };
> allow iptables_t self:rawip_socket create_socket_perms;
>
> -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> -files_etc_filetrans(iptables_t, iptables_conf_t, file)
> +files_manage_system_conf_files(iptables_t)
> +files_etc_filetrans_system_conf(iptables_t)
>
> manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
> files_pid_filetrans(iptables_t, iptables_var_run_t, file)
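Review bot: Replacing `manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)` with `files_manage_system_conf_files(iptables_t)` at L1660 widens iptables_t's write set from its own configuration to every system_conf_t file, which after this series includes /etc/sysctl.conf and the ipvsadm and system-config-firewall files; a comment such as `# system_conf_t is shared with sysctl.conf and other network configs` would at least make the broadening deliberate. Separately, `iptables_setattr_config`, `iptables_read_config`, `iptables_etc_filetrans_config` and `iptables_manage_config` are removed outright in iptables.if (L1568–L1649) even though the iptables_conf_t alias is kept in files.te; refpolicy convention is to keep the old interfaces as deprecated wrappers that call the `files_*_system_conf_files` equivalent and emit `refpolicywarn`, so out-of-tree policy that calls them keeps building.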
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index 9c0faab..565e5bc 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ##<summary>
> +## List the configuration options used when
> +## loading modules.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`modutils_list_module_config',`
> + gen_require(`
> + type modules_conf_t;
> + ')
> +
> + files_search_etc($1)
> + list_dirs_pattern($1, modules_conf_t, modules_conf_t)
> +')
> +
> +########################################
> +##<summary>
> ## Read the configuration options used when
> ## loading modules.
> ##</summary>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 8e71fb7..1e4892d 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
> ')
> ')
>
> +#######################################
> +##<summary>
> +## Relabel from network configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`sysnet_relabelfrom_net_conf',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file relabelfrom;
> +')
> +
> +######################################
> +##<summary>
> +## Relabel to network configuration files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`sysnet_relabelto_net_conf',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file relabelto;
> +')
> +
> ########################################
> ##<summary>
> ## Connect and use a LDAP server.
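Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` use bare `allow $1 net_conf_t:file relabelfrom;` / `relabelto` (L1720, L1739) where the parallel interfaces added to files.if in this series use `relabelfrom_files_pattern` / `relabelto_files_pattern`; using the pattern macros here as well (`relabelfrom_files_pattern($1, net_conf_t, net_conf_t)`) keeps the two modules consistent and covers directory search the same way. The banner lines at L1704 and L1723 are 39 and 38 `#` rather than the 40 used by the surrounding interfaces.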
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..ab27920 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + brctl_domtrans(ifconfig_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
>
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com