2016-05-13 13:08:17

by Jason Zaman

Subject: [refpolicy] [PATCH 1/2] collectd: update policy for 5.5

The ping module can use cap_net_raw instead of being suid.
It now uses a pid directory instead of a pid file.
Add a few accesses so that it can collect stats.
---
collectd.fc | 1 +
collectd.te | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/collectd.fc b/collectd.fc
index 79a3abe..58ac4e8 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -5,5 +5,6 @@
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)

/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)

/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/collectd.te b/collectd.te
index 0dfb1c5..245ccb8 100644
--- a/collectd.te
+++ b/collectd.te
@@ -33,10 +33,11 @@ apache_content_template(collectd)
# Local policy
#

-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw sys_nice };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };

manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
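Review bot: The new `net_raw` capability and the `allow collectd_t self:rawip_socket create_socket_perms;` rule are granted unconditionally, although the commit message ties them to the ping plugin alone. CAP_NET_RAW lets the domain send packets with arbitrary IP headers and, with the packet_socket rule already present, observe traffic on the host, so installations that never load the ping plugin carry that exposure without benefit. A one-line comment above the capability rule, `# net_raw and rawip_socket are only needed by the ping plugin`, would at least record the reason; wrapping both rules in a tunable_policy block would be the least-privilege option if the maintainers think it merits a boolean.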
@@ -44,10 +45,12 @@ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)

manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })

domain_use_interactive_fds(collectd_t)

+kernel_read_kernel_sysctls(collectd_t)
kernel_read_network_state(collectd_t)
kernel_read_net_sysctls(collectd_t)
kernel_read_system_state(collectd_t)
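Review bot: `files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })` labels every directory and file collectd_t creates directly under /var/run as collectd_var_run_t, while collectd.fc in this same patch only declares the two names collectd and collectd.pid. refpolicy's files_pid_filetrans takes an optional filename argument, so splitting the call into `files_pid_filetrans(collectd_t, collectd_var_run_t, dir, "collectd")` and, if the pid file is still created by 5.5, `files_pid_filetrans(collectd_t, collectd_var_run_t, file, "collectd.pid")` would confine the transition to exactly the paths the file contexts describe. Whether collectd 5.5 still writes the bare pid file is not visible here and should be confirmed before dropping the file variant.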
@@ -62,6 +65,8 @@ files_read_usr_files(collectd_t)

fs_getattr_all_fs(collectd_t)

+init_read_utmp(collectd_t)
+
miscfiles_read_localization(collectd_t)

logging_send_syslog_msg(collectd_t)
--
2.7.3


2016-05-13 13:08:18

by Jason Zaman

Subject: [refpolicy] [PATCH 2/2] virt: add policy for virtlogd

---
virt.fc | 1 +
virt.te | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)

diff --git a/virt.fc b/virt.fc
index f7e0ce8..7d9456a 100644
--- a/virt.fc
+++ b/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)

/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)

diff --git a/virt.te b/virt.te
index 6e72a87..a3b6472 100644
--- a/virt.te
+++ b/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)

+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')

########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;

+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };

manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;

+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };

domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -554,6 +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)

can_exec(virtd_t, virt_tmp_t)

@@ -1315,3 +1331,27 @@ miscfiles_read_localization(virtlockd_t)

virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+ps_process_pattern(virtlogd_t, virtd_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_append_log(virtlogd_t)
+virt_read_config(virtlogd_t)
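Review bot: The virtlogd local policy grants only `virt_append_log(virtlogd_t)`, yet a daemon whose job is to own the guest log files presumably also creates and rotates them; if so, append alone will produce denials and the corresponding manage interface in virt.if (if one is provided) is what is needed, which is worth confirming against virtlogd's actual file operations before merging. `can_exec(virtlogd_t, virtlogd_exec_t)` is unusual for a daemon and deserves a why-comment, e.g. `# virtlogd re-executes itself on upgrade`, if that is indeed the reason. The block also has no `logging_send_syslog_msg(virtlogd_t)`, which the collectd policy in the companion patch does call for its daemon; if virtlogd reports errors through syslog those messages will be lost to denials.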
--
2.7.3

2016-05-13 19:30:47

by Dac Override

Subject: [refpolicy] [PATCH 2/2] virt: add policy for virtlogd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/13/2016 03:08 PM, Jason Zaman wrote:
> --- virt.fc | 1 + virt.te | 40
> ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41
> insertions(+)
>
> diff --git a/virt.fc b/virt.fc index f7e0ce8..7d9456a 100644 ---
> a/virt.fc +++ b/virt.fc @@ -32,6 +32,7 @@
> HOME_DIR/VirtualMachines/isos(/.*)?
> gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf
> -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
> /usr/sbin/libvirtd --
> gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd
> -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
> +/usr/sbin/virtlogd --
> gen_context(system_u:object_r:virtlogd_exec_t,s0)
>
> /var/cache/libvirt(/.*)?
> gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
>
> diff --git a/virt.te b/virt.te index 6e72a87..a3b6472 100644 ---
> a/virt.te +++ b/virt.te @@ -208,12 +208,21 @@
> files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t;
> files_type(virtlockd_var_lib_t)
>
> +type virtlogd_t; +type virtlogd_exec_t;
> +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type
> virtlogd_run_t; +files_pid_file(virtlogd_run_t) +
> ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t,
> virtlockd_exec_t, s0 - mcs_systemhigh) +
> init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 -
> mcs_systemhigh) ')
>
> ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t,
> virtlockd_exec_t, s0 - mls_systemhigh) +
> init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 -
> mls_systemhigh) ')
>
> ######################################## @@ -234,6 +243,9 @@ allow
> virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file
> rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld;
>
> +allow virt_domain virtlogd_t:fd use; +allow virt_domain
> virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain
> virtd_t:unix_stream_socket { read write };
>
> manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@
> -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh
> noatsecure rlimitinh }; allow virtd_t { virt_domain
> svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms
> connectto }; allow virtd_t svirt_lxc_domain:process signal_perms;
>
> +allow virtd_t virtlogd_t:fd use; +allow virtd_t
> virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t
> virtd_lxc_t:process { signal signull sigkill };
>
> domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -554,6
> +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t,
> virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t,
> virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
> stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t,
> virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t,
> virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t,
> virt_var_run_t, virtlogd_run_t, virtlogd_t)
>
> can_exec(virtd_t, virt_tmp_t)
>
> @@ -1315,3 +1331,27 @@ miscfiles_read_localization(virtlockd_t)
>
> virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) +
> +######################################## +# +# Virtlogd local
> policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; +
> +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
> +manage_sock_files_pattern(virtlogd_t, virt_var_run_t,
> virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t,
> virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t,
> virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) +
> +ps_process_pattern(virtlogd_t, virtd_t) +

This pattern includes a "getattr process" permission and is therefore not
suitable here.

Instead the following would be appropriate:

allow virtlogd_t virtd_t:dir list_dir_perms;
allow virtlogd_t virtd_t:file read_file_perms;
allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;

> +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t)
> + +miscfiles_read_localization(virtlogd_t) +
> +virt_append_log(virtlogd_t) +virt_read_config(virtlogd_t)
>


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=FPnJ
-----END PGP SIGNATURE-----

2016-05-16 13:21:00

by cpebenito

Subject: [refpolicy] [PATCH 1/2] collectd: update policy for 5.5

On 5/13/2016 9:08 AM, Jason Zaman wrote:
> The ping module can use cap_net_raw instead of being suid.
> Has a pid dir instead of file now.
> A few accesses so that it can collect stats.

Merged.


> ---
> collectd.fc | 1 +
> collectd.te | 9 +++++++--
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/collectd.fc b/collectd.fc
> index 79a3abe..58ac4e8 100644
> --- a/collectd.fc
> +++ b/collectd.fc
> @@ -5,5 +5,6 @@
> /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
>
> /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
> +/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
>
> /usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
> diff --git a/collectd.te b/collectd.te
> index 0dfb1c5..245ccb8 100644
> --- a/collectd.te
> +++ b/collectd.te
> @@ -33,10 +33,11 @@ apache_content_template(collectd)
> # Local policy
> #
>
> -allow collectd_t self:capability { ipc_lock sys_nice };
> +allow collectd_t self:capability { ipc_lock net_raw sys_nice };
> allow collectd_t self:process { getsched setsched signal };
> allow collectd_t self:fifo_file rw_fifo_file_perms;
> allow collectd_t self:packet_socket create_socket_perms;
> +allow collectd_t self:rawip_socket create_socket_perms;
> allow collectd_t self:unix_stream_socket { accept listen };
>
> manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
> @@ -44,10 +45,12 @@ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
> files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
>
> manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
> -files_pid_filetrans(collectd_t, collectd_var_run_t, file)
> +manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
> +files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
>
> domain_use_interactive_fds(collectd_t)
>
> +kernel_read_kernel_sysctls(collectd_t)
> kernel_read_network_state(collectd_t)
> kernel_read_net_sysctls(collectd_t)
> kernel_read_system_state(collectd_t)
> @@ -62,6 +65,8 @@ files_read_usr_files(collectd_t)
>
> fs_getattr_all_fs(collectd_t)
>
> +init_read_utmp(collectd_t)
> +
> miscfiles_read_localization(collectd_t)
>
> logging_send_syslog_msg(collectd_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com