2017-02-24 06:27:02

by Russell Coker

Subject: [refpolicy] [PATCH] network daemon patches

Here are patches for apache, bind, inetd, iodine, jabber, nagios,
NetworkManager, ntp, openvpn, rpc, squid, corenetwork, ssh, iptables, and
sysnetwork.

Index: refpolicy-2.20170224/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.fc
+++ refpolicy-2.20170224/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)

/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -111,6 +113,7 @@ ifdef(`distro_suse',`
/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -125,6 +128,7 @@ ifdef(`distro_suse',`
/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/apache.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.if
+++ refpolicy-2.20170224/policy/modules/contrib/apache.if
@@ -1343,3 +1343,23 @@ interface(`apache_admin',`
apache_run_all_scripts($1, $2)
apache_run_helper($1, $2)
')
+
+########################################
+## <summary>
+## Unlink httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can unlink the files
+## </summary>
+## </param>
+#
+interface(`apache_unlink_var_lib',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 httpd_var_lib_t:dir { write remove_name };
+ allow $1 httpd_var_lib_t:file unlink;
+')
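Review bot: The new `apache_unlink_var_lib` interface hand-writes `{ write remove_name }` on the directory and `unlink` on the file, where refpolicy already has a pattern macro for exactly this; `delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)` replaces both allow lines and also carries the directory permissions (search, getattr) a caller needs to reach the file. The name should follow the neighbouring interfaces' convention, e.g. `apache_delete_var_lib_files`, and the summary should say the caller may delete, not merely unlink, files of type `httpd_var_lib_t`. `files_search_var_lib($1)` stays either way.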
Index: refpolicy-2.20170224/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170224/policy/modules/contrib/apache.te
@@ -282,6 +282,7 @@ type httpd_helper_t;
type httpd_helper_exec_t;
application_domain(httpd_helper_t, httpd_helper_exec_t)
role httpd_helper_roles types httpd_helper_t;
+init_rw_inherited_script_tmp_files(httpd_t)

type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
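Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is inserted in the type-declaration section between `httpd_helper_t` and `httpd_initrc_exec_t`, which refpolicy reserves for declarations; access rules for `httpd_t` belong under its local-policy heading next to the other `init_*` calls, where a reviewer would look for them. A one-line why-comment would also help, since it is not obvious which init-script tmp file httpd inherits: `# rw of tmp files inherited from init scripts — TODO name the script`. The declaration section continues outside the hunk.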
@@ -402,14 +403,12 @@ read_lnk_files_pattern(httpd_t, httpd_co

allow httpd_t httpd_keytab_t:file read_file_perms;

+allow httpd_t httpd_lock_t:dir manage_dir_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })

-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)

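Review bot: Replacing `create_files_pattern`/`append_files_pattern`/`read_files_pattern` on `httpd_log_t` with `manage_files_pattern` and `manage_dirs_pattern` gives `httpd_t` write, unlink and rename on its own logs, so a compromised web server can truncate or remove the record of the compromise; the previous create/append/read set is the usual refpolicy log-integrity posture. The same widening appears in jabber.te (`manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)`) and in ntp.te (`manage_dirs_pattern`/`manage_files_pattern` on `ntpd_log_t`). If a specific denial motivated it, a comment naming that denial and the narrowest addition (`setattr_files_pattern`, or `delete_files_pattern` if the daemon rotates its own logs) would be preferable to the full manage set. The `httpd_lock_t` directory additions above are fine.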
@@ -427,6 +426,8 @@ manage_lnk_files_pattern(httpd_t, httpd_
allow httpd_t httpd_suexec_exec_t:file read_file_perms;

allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+

manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +445,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_

manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })

setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +466,8 @@ domtrans_pattern(httpd_t, httpd_rotatelo
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
@@ -590,6 +594,7 @@ tunable_policy(`httpd_builtin_scripting'
tunable_policy(`httpd_enable_cgi',`
allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
')

tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +742,8 @@ tunable_policy(`httpd_use_fusefs && http

tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1067,8 @@ tunable_policy(`httpd_use_fusefs && http

tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
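Review bot: The two replacement lines in the `httpd_suexec_t` block of `tunable_policy(`httpd_use_nfs',` read `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)`, but the `fs_manage_nfs_*` lines they replace were for `httpd_suexec_t`; the same slip is repeated in the `httpd_sys_script_t` block of the later hunk (`@@ -1290,9 +1303,8 @@`). As written, suexec and system scripts silently lose their NFS access when the tunable is on, while `httpd_t` receives the identical grant three times. The arguments should be `httpd_suexec_t` here and `httpd_sys_script_t` there: `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`.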
@@ -1213,8 +1216,11 @@ optional_policy(`
#

allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+

allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

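Review bot: `{ create connect connected_socket_perms }` on `self:unix_dgram_socket` is, if I read the permission sets correctly, the same set refpolicy spells as `create_socket_perms`, so `allow httpd_sys_script_t self:unix_dgram_socket create_socket_perms;` says the same thing in the house style. The blank line added after it leaves two consecutive blank lines, as does the `signull` addition in the `@@ -427,6 +426,8 @@` hunk; the file keeps one. The `{ read write ioctl }` grant on `httpd_t:unix_stream_socket` is reasonable for an inherited socket but deserves a comment saying so, e.g. `# rw the stream socket inherited from httpd_t`.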
@@ -1225,6 +1231,7 @@ allow httpd_sys_script_t squirrelmail_sp
allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;

kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)

fs_search_auto_mountpoints(httpd_sys_script_t)

@@ -1236,6 +1243,12 @@ apache_domtrans_rotatelogs(httpd_sys_scr

auth_use_nsswitch(httpd_sys_script_t)

+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_sendmail',`
corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1303,8 @@ tunable_policy(`httpd_use_fusefs && http

tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
Index: refpolicy-2.20170224/policy/modules/contrib/bind.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/bind.fc
+++ refpolicy-2.20170224/policy/modules/contrib/bind.fc
@@ -27,6 +27,7 @@
/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)

/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)

/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)

@@ -52,6 +53,7 @@
/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)

/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/bind.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/bind.te
+++ refpolicy-2.20170224/policy/modules/contrib/bind.te
@@ -112,6 +112,9 @@ allow named_t named_zone_t:dir list_dir_
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)

+files_read_usr_files(named_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
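Review bot: `files_read_usr_files(named_t)` is inserted at the head of the `kernel_*` group, between the zone-file rules and `kernel_read_kernel_sysctls`; refpolicy orders calls by module prefix, so it belongs with the other `files_*` calls for `named_t`, which lie outside this hunk. The two `kernel_read_*_sysctls` additions are fine where they are. A short comment naming what under `/usr` named now reads would make the grant reviewable later.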
@@ -219,6 +222,7 @@ optional_policy(`
#

allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process signal_perms;
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20170224/policy/modules/contrib/inetd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/inetd.te
+++ refpolicy-2.20170224/policy/modules/contrib/inetd.te
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)

corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)

corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
Index: refpolicy-2.20170224/policy/modules/contrib/iodine.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.fc
+++ refpolicy-2.20170224/policy/modules/contrib/iodine.fc
@@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)

/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
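Review bot: The new entry uses `/var/run/iodine(/.*)?` while the rest of this patch writes pid-file paths under `/run/` (`/run/ndc`, `/run/unbound`, `/run/prosody`); as far as I recall the tree maps `/var/run` onto `/run` through its substitutions file, so mixing the two forms only makes the entry harder to find and invites a duplicate later. `/var/run/resolvconf/.*` in the sysnetwork.fc hunk has the same issue. Write it as `/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)`.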
Index: refpolicy-2.20170224/policy/modules/contrib/iodine.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.te
+++ refpolicy-2.20170224/policy/modules/contrib/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_ex
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)

+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
########################################
#
# Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_ad
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)

kernel_read_net_sysctls(iodined_t)
kernel_read_network_state(iodined_t)
Index: refpolicy-2.20170224/policy/modules/contrib/jabber.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.fc
+++ refpolicy-2.20170224/policy/modules/contrib/jabber.fc
@@ -8,18 +8,22 @@
/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)

/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)

/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)

/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)

+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
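Review bot: `/run/prosody(/.*)? -- gen_context(...)` combines a `(/.*)?` pattern with the `--` regular-file qualifier, so the directory `/run/prosody` itself never matches and keeps the default `/run` label, yet that directory is exactly what prosody has to create and search. Drop the qualifier so the line covers the directory and its contents: `/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`. Minor: `/usr/bin/prosody` is placed after the `/usr/sbin/` entries and `/var/lib/prosody` between the two `jabberd` entries, while the file otherwise sorts by path.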
Index: refpolicy-2.20170224/policy/modules/contrib/jabber.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.te
+++ refpolicy-2.20170224/policy/modules/contrib/jabber.te
@@ -73,21 +73,25 @@ allow jabberd_t self:capability dac_over
dontaudit jabberd_t self:capability sys_tty_config;
allow jabberd_t self:tcp_socket create_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;

manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)

allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })

manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)

manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+miscfiles_read_all_certs(jabberd_t)
+domain_dontaudit_search_all_domains_state(jabberd_t)

kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)

corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_tcp_bind_jabber_client_port(jabberd_t)
@@ -96,6 +100,7 @@ corenet_tcp_sendrecv_jabber_client_port(
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)

dev_read_rand(jabberd_t)

Index: refpolicy-2.20170224/policy/modules/contrib/nagios.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/nagios.te
+++ refpolicy-2.20170224/policy/modules/contrib/nagios.te
@@ -216,12 +216,15 @@ optional_policy(`
# Nrpe local policy
#

-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };

+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
allow nrpe_t nagios_plugin_domain:process { signal sigkill };

read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
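Review bot: `dac_override` is added to `nrpe_t`'s capabilities with no comment saying which file access needed it; the capability bypasses every DAC check, so the usual approach is to first try a narrower fix (ownership/mode of the file, or `dac_read_search` if only traversal of root-owned directories is needed) and otherwise to leave a comment naming the access. The new `nagios_etc_t` dir/file rules are fine but partly overlap `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` just below, which already grants search on that directory. Suggested line above the capability rule: `# dac_override: <reason> — TODO confirm dac_read_search is not enough`.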
Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.fc
+++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)

/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
@@ -236,6 +236,10 @@ optional_policy(`
optional_policy(`
xserver_dbus_chat_xdm(NetworkManager_t)
')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
')

optional_policy(`
Index: refpolicy-2.20170224/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.if
+++ refpolicy-2.20170224/policy/modules/contrib/ntp.if
@@ -18,6 +18,23 @@ interface(`ntp_stub',`

########################################
## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_conf',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
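Review bot: The new `ntp_read_conf` interface marks its only parameter `unused="true"`, but `$1` is the subject of the `allow` rule, so the attribute is wrong and will mislead the generated interface docs; use `## <param name="domain">`. The body also lacks `files_search_etc($1)`, which sibling read interfaces include so the caller can reach the file, and a blank line between `gen_require` and the rule per house style. Consider naming it `ntp_read_conf_files` to match the `*_read_*_files` convention used across the tree.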
Index: refpolicy-2.20170224/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170224/policy/modules/contrib/ntp.te
@@ -59,6 +59,8 @@ allow ntpd_t self:fifo_file rw_fifo_file
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:socket create;
+allow ntpd_t self:unix_dgram_socket sendto;

allow ntpd_t ntp_conf_t:file read_file_perms;

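Review bot: The added `allow ntpd_t self:socket create;` duplicates the identical rule two lines above it in the same block, so one of the two should be dropped. `allow ntpd_t self:unix_dgram_socket sendto;` on its own is unusual: `sendto` without `create` or `write` suggests the socket is inherited, which a short comment would make reviewable, e.g. `# sendto on an inherited dgram socket — TODO note which`. The ntpd local-policy block continues outside the hunk.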
@@ -72,9 +74,8 @@ read_lnk_files_pattern(ntpd_t, ntpd_key_
allow ntpd_t ntpd_lock_t:file write_file_perms;

allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })

manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
Index: refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/openvpn.fc
+++ refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
@@ -5,6 +5,7 @@

/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)

+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)

Index: refpolicy-2.20170224/policy/modules/contrib/rpc.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/rpc.te
+++ refpolicy-2.20170224/policy/modules/contrib/rpc.te
@@ -162,6 +162,9 @@ kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)

+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
+
corecmd_exec_bin(rpcd_t)

files_manage_mounttab(rpcd_t)
Index: refpolicy-2.20170224/policy/modules/contrib/squid.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.fc
+++ refpolicy-2.20170224/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@

/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)

-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)

/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)

/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)

-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)

-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)

-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)

/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
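Review bot: Replacing `/run/squid\.pid -- ...` with `/run/squid3.*` drops the match for `/run/squid.pid`, because the new regex requires the literal `3`; installations whose pid file is still `/run/squid.pid` lose the `squid_var_run_t` label. Keep the old line alongside the new one, or fold both into `/run/squid3?\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)` plus a separate directory entry if squid3 creates one. Similarly `/usr/sbin/squid.*` labels any other binary beginning with `squid` (a `squidclient`, for instance) as `squid_exec_t`, which would cause an unintended domain transition; a tighter `/usr/sbin/squid3? --` avoids that.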
Index: refpolicy-2.20170224/policy/modules/contrib/squid.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.if
+++ refpolicy-2.20170224/policy/modules/contrib/squid.if
@@ -236,3 +236,22 @@ interface(`squid_admin',`
files_list_tmp($1)
admin_pattern($1, squid_tmp_t)
')
+
+########################################
+## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_tmpfs',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
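Review bot: The new `squid_dontaudit_tmpfs` interface carries `## <rolecap/>`, but that tag marks interfaces that grant a role new capabilities and is not used on dontaudit interfaces; remove it. The summary should start with a capital and name the object type like its sibling summaries ("Do not audit attempts to get attributes of squid tmpfs files"), and the interface name should say what is not audited, e.g. `squid_dontaudit_getattr_tmpfs_files`. The rule itself is fine.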
Index: refpolicy-2.20170224/policy/modules/contrib/squid.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/squid.te
+++ refpolicy-2.20170224/policy/modules/contrib/squid.te
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
## </desc>
gen_tunable(squid_use_tproxy, false)

+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)
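Review bot: `gen_tunable(squid_use_pinger, true)` defaults to granting `net_raw` and raw IP sockets to `squid_t`, whereas the neighbouring privilege tunables (`squid_connect_any`, `squid_use_tproxy`) default to `false` so that extra capability is opt-in. Unless the pinger is required for a stock squid install, `gen_tunable(squid_use_pinger, false)` preserves the least-privilege default; if it is required, the `<desc>` should say so. Either way the description should state that `net_raw` allows the domain to send arbitrary packets, so administrators understand what they enable.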
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
corenet_tcp_sendrecv_all_ports(squid_t)
')

+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
tunable_policy(`squid_use_tproxy',`
allow squid_t self:capability net_admin;
corenet_sendrecv_netport_server_packets(squid_t)
Index: refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
@@ -213,7 +213,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
+network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
network_port(pptp, tcp,1723,s0, udp,1723,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -232,7 +232,7 @@ network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
Index: refpolicy-2.20170224/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170224/policy/modules/services/ssh.te
@@ -250,6 +250,8 @@ optional_policy(`
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };

+allow sshd_t self:capability net_admin;
+
allow sshd_t sshd_keytab_t:file read_file_perms;

manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
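Review bot: `allow sshd_t self:capability net_admin;` is granted unconditionally and without a comment; `net_admin` covers interface, routing and socket-option administration, a large widening for a network-facing daemon. If this is for a specific socket option or for tunnel forwarding, name it in a comment, consider gating it behind a tunable, and use `dontaudit` instead if the underlying denial is harmless: `# net_admin: <reason> — TODO confirm needed, else dontaudit`. The sshd local-policy block continues outside the hunk.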
Index: refpolicy-2.20170224/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20170224/policy/modules/system/iptables.te
@@ -106,6 +106,10 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ permit_in_unconfined_r(iptables_t)
+')
+
+optional_policy(`
fail2ban_append_log(iptables_t)
')

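Review bot: `permit_in_unconfined_r(iptables_t)` is not an interface I can find in the refpolicy tree this patch targets, and it is not defined anywhere else in the patch; if it comes from a local module, that definition needs to ship with the change, otherwise m4 leaves the call as literal text and the policy build fails. Wrapping it in `optional_policy` only guards against an absent module, not an undefined interface. A comment on why `iptables_t` must be reachable from `unconfined_r` would also help. The enclosing optional_policy list continues outside the hunk.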
@@ -153,4 +157,6 @@ optional_policy(`

optional_policy(`
udev_read_db(iptables_t)
+ # this is for iptables_t to inherit a file hande from xen vif-bridge
+ udev_manage_pid_files(iptables_t)
')
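Review bot: The comment has a typo (`file hande` should be `file handle`), and the grant it explains is wider than the explanation: inheriting an open descriptor from the xen vif-bridge script needs only read/write on the already-open file, while `udev_manage_pid_files` also lets `iptables_t` create, rename and unlink anything under udev's pid directory. If a read/write-only interface on udev's pid files exists in the tree it should be used instead; if not, the comment should say the manage set was a deliberate choice. Suggested comment: `# iptables_t inherits an open file handle from the xen vif-bridge script`.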
Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
@@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)

@@ -70,5 +71,6 @@ ifdef(`distro_gentoo',`

ifdef(`distro_debian',`
/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
')

Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.if
@@ -442,6 +442,31 @@ interface(`sysnet_etc_filetrans_config',

#######################################
## <summary>
+## Create directories in /var/run with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_var_run_dirtrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, $2)
+ allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
## Create, read, write, and delete network config files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170224/policy/modules/system/sysnetwork.te
@@ -242,6 +242,10 @@ optional_policy(`
')

optional_policy(`
+ samba_manage_config(dhcpc_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
')
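Review bot: `samba_manage_config(dhcpc_t)` hands the DHCP client create, write and delete rights over Samba's configuration with no comment saying which dhclient hook needs it; since the client acts on values supplied by whichever DHCP server answers, this widens what a hostile lease can influence and deserves a why-comment such as `# dhclient hook rewrites WINS settings in smb.conf -- confirm` above the call. If the hook only edits an existing file, the narrower `samba_rw_config(dhcpc_t)` would be preferable. The same hunk appears again in the quoted copy of the patch below.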
Description: Make systemd work
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-05


2017-02-25 15:16:37

by Chris PeBenito

Subject: [refpolicy] [PATCH] network daemon patches

On 02/24/17 01:27, Russell Coker via refpolicy wrote:
> Here are patches for apache, bind, inetd, iodine, jabber, nagios,
> NetworkManager, ntp, openvpn, rpc, squid, corenetwork, ssh, iptables, and
> sysnetwork.

Merged, though I made some minor revisions.


> Index: refpolicy-2.20170224/policy/modules/contrib/apache.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/apache.fc
> @@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
> /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> /etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> @@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
>
> /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
> @@ -111,6 +113,7 @@ ifdef(`distro_suse',`
> /var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> @@ -125,6 +128,7 @@ ifdef(`distro_suse',`
> /var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
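Review bot: `/var/lib/wordpress(/.*)?` is labeled `httpd_var_lib_t`, which httpd_t fully manages (the apache.te hunk in this patch adds `manage_lnk_files_pattern` on top of the existing manage rules for dirs and files), so a compromised web process can rewrite the WordPress code tree itself. The neighbouring entries keep application code on `httpd_sys_content_t` (`/var/lib/trac`) and only writable data on `httpd_sys_rw_content_t` (`/var/lib/svn`); WordPress would fit the same split, e.g. `/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)` with a separate rw entry for its uploads directory. Whether the distro package expects the whole tree to be writable should be checked before changing this.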
> Index: refpolicy-2.20170224/policy/modules/contrib/apache.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.if
> +++ refpolicy-2.20170224/policy/modules/contrib/apache.if
> @@ -1343,3 +1343,23 @@ interface(`apache_admin',`
> apache_run_all_scripts($1, $2)
> apache_run_helper($1, $2)
> ')
> +
> +########################################
> +## <summary>
> +## Unlink httpd_var_lib_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that can unlink the files
> +## </summary>
> +## </param>
> +#
> +interface(`apache_unlink_var_lib',`
> + gen_require(`
> + type httpd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + allow $1 httpd_var_lib_t:dir { write remove_name };
> + allow $1 httpd_var_lib_t:file unlink;
> +')
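Review bot: The dir rule in `apache_unlink_var_lib` grants `{ write remove_name }` but not `search`, so a caller cannot traverse an `httpd_var_lib_t` directory to reach the file it is allowed to unlink; `files_search_var_lib($1)` only covers the `/var/lib` parent. The standard pattern covers both sides: replace the two allow lines with `delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)`. A name in the usual refpolicy form, `apache_delete_var_lib_files`, would also make the object class visible to callers.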
> Index: refpolicy-2.20170224/policy/modules/contrib/apache.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/apache.te
> +++ refpolicy-2.20170224/policy/modules/contrib/apache.te
> @@ -282,6 +282,7 @@ type httpd_helper_t;
> type httpd_helper_exec_t;
> application_domain(httpd_helper_t, httpd_helper_exec_t)
> role httpd_helper_roles types httpd_helper_t;
> +init_rw_inherited_script_tmp_files(httpd_t)
>
> type httpd_initrc_exec_t;
> init_script_file(httpd_initrc_exec_t)
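Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is inserted in the declarations block, between the `httpd_helper_t` role line and the `httpd_initrc_exec_t` declaration, whereas the access rules for httpd_t live in the local policy section further down. Moving it next to the other `init_*` calls for httpd_t keeps the declarations section free of access rules. A short comment on why httpd needs the init script's inherited tmp files would also help, since the hunk gives no hint.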
> @@ -402,14 +403,12 @@ read_lnk_files_pattern(httpd_t, httpd_co
>
> allow httpd_t httpd_keytab_t:file read_file_perms;
>
> +allow httpd_t httpd_lock_t:dir manage_dir_perms;
> allow httpd_t httpd_lock_t:file manage_file_perms;
> -files_lock_filetrans(httpd_t, httpd_lock_t, file)
> +files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>
> -allow httpd_t httpd_log_t:dir setattr_dir_perms;
> -create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> logging_log_filetrans(httpd_t, httpd_log_t, file)
>
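Review bot: Replacing the append/create/read rules on `httpd_log_t` with `manage_dirs_pattern`/`manage_files_pattern` lets httpd_t truncate, rename and unlink its own logs, which the previous append-only pattern deliberately prevented; a web server compromise can then erase its traces. If log rotation or reopening needs more than append, consider keeping the append-only file rules and adding only the specific permissions that failed, with a comment naming the operation, e.g. `# rename/unlink needed for in-process log rotation -- confirm`. The same append-to-manage change is made for `jabberd_log_t` in the jabber.te hunk and for `ntpd_log_t` in the ntp.te hunk below.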
> @@ -427,6 +426,8 @@ manage_lnk_files_pattern(httpd_t, httpd_
> allow httpd_t httpd_suexec_exec_t:file read_file_perms;
>
> allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
> +allow httpd_t httpd_sys_script_t:process signull;
> +
>
> manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
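Review bot: The added `allow httpd_t httpd_sys_script_t:process signull;` line is followed by an extra blank line, leaving two consecutive blank lines before the tmp rules; refpolicy files use a single separator between rule groups. The same double blank line appears after the new `unix_dgram_socket` rule in the httpd_sys_script_t hunk further down.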
> @@ -444,6 +445,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
>
> manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> +manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
>
> setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
> @@ -464,6 +466,8 @@ domtrans_pattern(httpd_t, httpd_rotatelo
> domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
>
> kernel_read_kernel_sysctls(httpd_t)
> +kernel_read_vm_sysctls(httpd_t)
> +kernel_read_vm_overcommit_sysctl(httpd_t)
> kernel_read_network_state(httpd_t)
> kernel_read_system_state(httpd_t)
> kernel_search_network_sysctl(httpd_t)
> @@ -590,6 +594,7 @@ tunable_policy(`httpd_builtin_scripting'
> tunable_policy(`httpd_enable_cgi',`
> allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
> allow httpd_t httpd_script_exec_type:dir list_dir_perms;
> + allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
> ')
>
> tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
> @@ -737,9 +742,8 @@ tunable_policy(`httpd_use_fusefs && http
>
> tunable_policy(`httpd_use_nfs',`
> fs_list_auto_mountpoints(httpd_t)
> - fs_manage_nfs_dirs(httpd_t)
> - fs_manage_nfs_files(httpd_t)
> - fs_manage_nfs_symlinks(httpd_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
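Review bot: The removed `fs_manage_nfs_*` calls granted access to client-mounted NFS filesystems, while the `rpc_manage_nfs_rw_content`/`rpc_read_nfs_content` replacements, as far as I can tell, target the content types this host's NFS server exports; if that reading is right, `httpd_use_nfs` no longer grants what its name promises. If the intent was to add export access rather than replace client access, the three `fs_manage_nfs_*` lines should stay alongside the new calls. The same substitution is made in the suexec and sys_script hunks below.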
> @@ -1063,9 +1067,8 @@ tunable_policy(`httpd_use_fusefs && http
>
> tunable_policy(`httpd_use_nfs',`
> fs_list_auto_mountpoints(httpd_suexec_t)
> - fs_manage_nfs_dirs(httpd_suexec_t)
> - fs_manage_nfs_files(httpd_suexec_t)
> - fs_manage_nfs_symlinks(httpd_suexec_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
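Review bot: The replacement lines in this `httpd_use_nfs` block name `httpd_t`, but the rules they replace were for `httpd_suexec_t`, so suexec loses its NFS access under the tunable and httpd_t merely gets its own rules twice; the two lines should read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`. The `httpd_sys_script_t` block further down has the identical copy-paste error and needs `httpd_sys_script_t` in both lines.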
> @@ -1213,8 +1216,11 @@ optional_policy(`
> #
>
> allow httpd_sys_script_t self:tcp_socket { accept listen };
> +allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
> +
>
> allow httpd_sys_script_t httpd_t:tcp_socket { read write };
> +allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
>
> dontaudit httpd_sys_script_t httpd_config_t:dir search;
>
> @@ -1225,6 +1231,7 @@ allow httpd_sys_script_t squirrelmail_sp
> allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
>
> kernel_read_kernel_sysctls(httpd_sys_script_t)
> +dev_read_sysfs(httpd_sys_script_t)
>
> fs_search_auto_mountpoints(httpd_sys_script_t)
>
> @@ -1236,6 +1243,12 @@ apache_domtrans_rotatelogs(httpd_sys_scr
>
> auth_use_nsswitch(httpd_sys_script_t)
>
> +logging_send_syslog_msg(httpd_sys_script_t)
> +
> +ifdef(`init_systemd', `
> + init_search_pid_dirs(httpd_sys_script_t)
> +')
> +
> tunable_policy(`httpd_can_sendmail',`
> corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
> corenet_tcp_connect_smtp_port(httpd_sys_script_t)
> @@ -1290,9 +1303,8 @@ tunable_policy(`httpd_use_fusefs && http
>
> tunable_policy(`httpd_use_nfs',`
> fs_list_auto_mountpoints(httpd_sys_script_t)
> - fs_manage_nfs_dirs(httpd_sys_script_t)
> - fs_manage_nfs_files(httpd_sys_script_t)
> - fs_manage_nfs_symlinks(httpd_sys_script_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
> Index: refpolicy-2.20170224/policy/modules/contrib/bind.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/bind.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/bind.fc
> @@ -27,6 +27,7 @@
> /var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
>
> /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
> +/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
>
> /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
>
> @@ -52,6 +53,7 @@
> /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
>
> /run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
> +/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
> /run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
> /run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
> /run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
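Review bot: `/run/lwresd/lwresd\.pid -s` uses the socket class marker, but a `.pid` file is a regular file, so this entry will never match what lwresd writes; it should be `/run/lwresd/lwresd\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)`. The `-s` on the `/run/ndc` line above it is correct for a socket and was presumably copied. Labeling the directory as well, `/run/lwresd(/.*)?`, would match the other `/run/...` entries in this block.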
> Index: refpolicy-2.20170224/policy/modules/contrib/bind.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/bind.te
> +++ refpolicy-2.20170224/policy/modules/contrib/bind.te
> @@ -112,6 +112,9 @@ allow named_t named_zone_t:dir list_dir_
> read_files_pattern(named_t, named_zone_t, named_zone_t)
> read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
>
> +files_read_usr_files(named_t)
> +kernel_read_net_sysctls(named_t)
> +kernel_read_vm_sysctls(named_t)
> kernel_read_kernel_sysctls(named_t)
> kernel_read_vm_overcommit_sysctl(named_t)
> kernel_read_system_state(named_t)
> @@ -219,6 +222,7 @@ optional_policy(`
> #
>
> allow ndc_t self:capability { dac_override net_admin };
> +allow ndc_t self:capability2 block_suspend;
> allow ndc_t self:process signal_perms;
> allow ndc_t self:fifo_file rw_fifo_file_perms;
> allow ndc_t self:unix_stream_socket { accept listen };
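Review bot: `allow ndc_t self:capability2 block_suspend;` looks like a denial surfaced by an epoll wakeup flag rather than something rndc needs to function; refpolicy generally handles that with `dontaudit` so the capability is not actually granted to a control utility. Unless rndc fails without it, `dontaudit ndc_t self:capability2 block_suspend;` is the safer form. A comment naming the operation that triggered it would help either way.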
> Index: refpolicy-2.20170224/policy/modules/contrib/inetd.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/inetd.te
> +++ refpolicy-2.20170224/policy/modules/contrib/inetd.te
> @@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
> kernel_tcp_recvfrom_unlabeled(inetd_t)
>
> corecmd_bin_domtrans(inetd_t, inetd_child_t)
> +corecmd_bin_entry_type(inetd_child_t)
>
> corenet_all_recvfrom_unlabeled(inetd_t)
> corenet_all_recvfrom_netlabel(inetd_t)
> Index: refpolicy-2.20170224/policy/modules/contrib/iodine.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/iodine.fc
> @@ -1,3 +1,4 @@
> /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
>
> /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
> +/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/iodine.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/iodine.te
> +++ refpolicy-2.20170224/policy/modules/contrib/iodine.te
> @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_ex
> type iodined_initrc_exec_t;
> init_script_file(iodined_initrc_exec_t)
>
> +type iodined_var_run_t;
> +files_pid_file(iodined_var_run_t)
> +
> ########################################
> #
> # Local policy
> @@ -21,6 +24,10 @@ allow iodined_t self:capability { net_ad
> allow iodined_t self:rawip_socket create_socket_perms;
> allow iodined_t self:tun_socket create_socket_perms;
> allow iodined_t self:udp_socket connected_socket_perms;
> +allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
> +manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
>
> kernel_read_net_sysctls(iodined_t)
> kernel_read_network_state(iodined_t)
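Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` rules for `iodined_var_run_t` have no matching `files_pid_filetrans`, so anything iodined creates under /run at runtime gets the default pid label rather than `iodined_var_run_t`, and the iodine.fc entry only takes effect after a relabel. Add `files_pid_filetrans(iodined_t, iodined_var_run_t, { dir file })` after the manage rules. The `netlink_route_socket` rule above them is uncommented; a note on what iodined does with it would help later readers.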
> Index: refpolicy-2.20170224/policy/modules/contrib/jabber.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/jabber.fc
> @@ -8,18 +8,22 @@
> /usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
> /usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
> /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
> +/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
>
> /var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
>
> /var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
> /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
> +/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
>
> /var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
> /var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
> /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
> /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
> +/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
> /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
> /var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
>
> +/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
> /run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
> /run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
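Review bot: `/run/prosody(/.*)? --` combines a directory-style regex with the regular-file marker, so the `/run/prosody` directory itself and any subdirectories never match and stay at the default pid label; drop the `--` to get `/run/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)`. Note that the jabber.te hunk keeps `files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)`, so if prosody creates that directory at start-up the transition also needs `dir`. The `/usr/bin/prosody` line is appended after the `/usr/sbin` entries although the entries above it are sorted by path.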
> Index: refpolicy-2.20170224/policy/modules/contrib/jabber.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/jabber.te
> +++ refpolicy-2.20170224/policy/modules/contrib/jabber.te
> @@ -73,21 +73,25 @@ allow jabberd_t self:capability dac_over
> dontaudit jabberd_t self:capability sys_tty_config;
> allow jabberd_t self:tcp_socket create_socket_perms;
> allow jabberd_t self:udp_socket create_socket_perms;
> +allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
>
> manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
>
> allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
> -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
> -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
> -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
> +manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
> logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
>
> manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
>
> manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
> files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
> +miscfiles_read_all_certs(jabberd_t)
> +domain_dontaudit_search_all_domains_state(jabberd_t)
>
> kernel_read_kernel_sysctls(jabberd_t)
> +corecmd_exec_bin(jabberd_t)
> +# usr for lua modules
> +files_read_usr_files(jabberd_t)
>
> corenet_sendrecv_jabber_client_server_packets(jabberd_t)
> corenet_tcp_bind_jabber_client_port(jabberd_t)
> @@ -96,6 +100,7 @@ corenet_tcp_sendrecv_jabber_client_port(
> corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
> corenet_tcp_bind_jabber_interserver_port(jabberd_t)
> corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
> +corenet_tcp_connect_jabber_interserver_port(jabberd_t)
>
> dev_read_rand(jabberd_t)
>
> Index: refpolicy-2.20170224/policy/modules/contrib/nagios.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/nagios.te
> +++ refpolicy-2.20170224/policy/modules/contrib/nagios.te
> @@ -216,12 +216,15 @@ optional_policy(`
> # Nrpe local policy
> #
>
> -allow nrpe_t self:capability { setgid setuid };
> +allow nrpe_t self:capability { dac_override setgid setuid };
> dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
> allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
> allow nrpe_t self:fifo_file rw_fifo_file_perms;
> allow nrpe_t self:tcp_socket { accept listen };
>
> +allow nrpe_t nagios_etc_t:dir list_dir_perms;
> +allow nrpe_t nagios_etc_t:file read_file_perms;
> +
> allow nrpe_t nagios_plugin_domain:process { signal sigkill };
>
> read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
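Review bot: Adding `dac_override` to nrpe_t lets it bypass file permission checks for reads and writes alike, which is more than a check agent should hold; if the denial came from reading root-owned plugin or config files, `dac_read_search` is enough, and if it came from a file that should be readable by the nagios user the fix belongs in packaging. A comment on which access needed it would justify whichever form stays. The two new `nagios_etc_t` rules below it could be written as `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` to match the existing `read_files_pattern` line for `nrpe_etc_t`.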
> Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.fc
> @@ -3,7 +3,7 @@
> /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
> /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
> /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
> -/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
> +/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>
> /etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
> /etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/networkmanager.te
> +++ refpolicy-2.20170224/policy/modules/contrib/networkmanager.te
> @@ -236,6 +236,10 @@ optional_policy(`
> optional_policy(`
> xserver_dbus_chat_xdm(NetworkManager_t)
> ')
> +
> + optional_policy(`
> + unconfined_dbus_send(NetworkManager_t)
> + ')
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170224/policy/modules/contrib/ntp.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.if
> +++ refpolicy-2.20170224/policy/modules/contrib/ntp.if
> @@ -18,6 +18,23 @@ interface(`ntp_stub',`
>
> ########################################
> ## <summary>
> +## Read ntp.conf
> +## </summary>
> +## <param name="domain" unused="true">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ntp_read_conf',`
> + gen_require(`
> + type ntp_conf_t;
> + ')
> + allow $1 ntp_conf_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute ntp server in the ntpd domain.
> ## </summary>
> ## <param name="domain">
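Review bot: `<param name="domain" unused="true">` on `ntp_read_conf` is wrong: `$1` is used in the allow rule, so the attribute should be dropped (`## <param name="domain">`). The interface also lacks the blank line between `gen_require` and the first rule that the squid.if and sysnetwork.if interfaces in this same patch have. A summary of `## Read the ntp configuration file.` would read better than the bare filename.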
> Index: refpolicy-2.20170224/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170224/policy/modules/contrib/ntp.te
> @@ -59,6 +59,8 @@ allow ntpd_t self:fifo_file rw_fifo_file
> allow ntpd_t self:shm create_shm_perms;
> allow ntpd_t self:socket create;
> allow ntpd_t self:tcp_socket { accept listen };
> +allow ntpd_t self:socket create;
> +allow ntpd_t self:unix_dgram_socket sendto;
>
> allow ntpd_t ntp_conf_t:file read_file_perms;
>
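Review bot: The added `allow ntpd_t self:socket create;` duplicates the identical rule two lines above it in the same hunk and should be dropped. The `unix_dgram_socket sendto` line is genuinely new; a short comment on what ntpd sends through it would help the next reader.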
> @@ -72,9 +74,8 @@ read_lnk_files_pattern(ntpd_t, ntpd_key_
> allow ntpd_t ntpd_lock_t:file write_file_perms;
>
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> -append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> -create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> -setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> +manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> +manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
>
> manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
> Index: refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/openvpn.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/openvpn.fc
> @@ -5,6 +5,7 @@
>
> /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
>
> +/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
> /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
> /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
>
> Index: refpolicy-2.20170224/policy/modules/contrib/rpc.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/rpc.te
> +++ refpolicy-2.20170224/policy/modules/contrib/rpc.te
> @@ -162,6 +162,9 @@ kernel_rw_fs_sysctls(rpcd_t)
> kernel_dontaudit_getattr_core_if(rpcd_t)
> kernel_signal(rpcd_t)
>
> +# for /proc/fs/lockd/nlm_end_grace
> +kernel_write_proc_files(rpcd_t)
> +
> corecmd_exec_bin(rpcd_t)
>
> files_manage_mounttab(rpcd_t)
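Review bot: `kernel_write_proc_files(rpcd_t)` grants write on every generic proc entry to reach one file, `/proc/fs/lockd/nlm_end_grace`; the comment above it is welcome, but the grant is far wider than the comment implies. If the policy gains a dedicated type for that entry, or an interface limited to it, this call should be narrowed; until then the comment could say so, e.g. `# for /proc/fs/lockd/nlm_end_grace (no narrower interface available)`.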
> Index: refpolicy-2.20170224/policy/modules/contrib/squid.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/squid.fc
> @@ -4,17 +4,17 @@
>
> /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
>
> -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
> +/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
>
> /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
>
> /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
>
> -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
> +/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
> /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
>
> -/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
> +/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
>
> -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
> +/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
>
> /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
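Review bot: Replacing `/run/squid\.pid --` with `/run/squid3.*` drops the match for the plain `/run/squid.pid` that the unversioned binary writes, so that file falls back to the default pid label; `/run/squid[0-9]*\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)` covers both spellings. After the change to `/var/log/squid.*`, the following `/var/log/squidGuard(/.*)?` entry is already matched by the new pattern and is redundant. `/usr/sbin/squid.*` likewise labels every executable whose name starts with squid as `squid_exec_t`; if only `squid` and `squid3` are meant, `/usr/sbin/squid3? --` is tighter.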
> Index: refpolicy-2.20170224/policy/modules/contrib/squid.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.if
> +++ refpolicy-2.20170224/policy/modules/contrib/squid.if
> @@ -236,3 +236,22 @@ interface(`squid_admin',`
> files_list_tmp($1)
> admin_pattern($1, squid_tmp_t)
> ')
> +
> +########################################
> +## <summary>
> +## dontaudit statting tmpfs files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not be audited
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`squid_dontaudit_tmpfs',`
> + gen_require(`
> + type squid_tmpfs_t;
> + ')
> +
> + dontaudit $1 squid_tmpfs_t:file getattr;
> +')
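Review bot: `<rolecap/>` marks an interface that grants a role capability, which a dontaudit of `getattr` on tmpfs files does not, so the tag should be removed. The summary `dontaudit statting tmpfs files` could be sharpened to name the object, `Do not audit attempts to get the attributes of squid tmpfs files.`, and a name in the usual refpolicy form, `squid_dontaudit_getattr_tmpfs_files`, would make the class and permission visible to callers.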
> Index: refpolicy-2.20170224/policy/modules/contrib/squid.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/squid.te
> +++ refpolicy-2.20170224/policy/modules/contrib/squid.te
> @@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
> ## </desc>
> gen_tunable(squid_use_tproxy, false)
>
> +## <desc>
> +## <p>
> +## Determine whether squid can use the
> +## pinger daemon (needs raw net access)
> +## </p>
> +## </desc>
> +gen_tunable(squid_use_pinger, true)
> +
> type squid_t;
> type squid_exec_t;
> init_daemon_domain(squid_t, squid_exec_t)
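Review bot: `gen_tunable(squid_use_pinger, true)` defaults on, so every squid installation gets `net_raw` and raw IP sockets unless an admin turns the boolean off; the other tunables visible here (`squid_connect_any`, `squid_use_tproxy`) default to `false`, and least privilege argues for the same, `gen_tunable(squid_use_pinger, false)`. The `<desc>` could then note that the pinger is expected to fail until the boolean is enabled.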
> @@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
> corenet_tcp_sendrecv_all_ports(squid_t)
> ')
>
> +tunable_policy(`squid_use_pinger',`
> + allow squid_t self:rawip_socket connected_socket_perms;
> + allow squid_t self:capability net_raw;
> +')
> +
> tunable_policy(`squid_use_tproxy',`
> allow squid_t self:capability net_admin;
> corenet_sendrecv_netport_server_packets(squid_t)
> Index: refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/corenetwork.te.in
> +++ refpolicy-2.20170224/policy/modules/kernel/corenetwork.te.in
> @@ -213,7 +213,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0
> network_port(portmap, udp,111,s0, tcp,111,s0)
> network_port(postfix_policyd, tcp,10031,s0)
> network_port(postgresql, tcp,5432,s0)
> -network_port(postgrey, tcp,60000,s0)
> +network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
> network_port(pptp, tcp,1723,s0, udp,1723,s0)
> network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
> @@ -232,7 +232,7 @@ network_port(repository, tcp, 6363, s0)
> network_port(ricci, tcp,11111,s0, udp,11111,s0)
> network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
> network_port(rlogind, tcp,513,s0)
> -network_port(rndc, tcp,953,s0, udp,953,s0)
> +network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
> network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
> network_port(rsh, tcp,514,s0)
> network_port(rsync, tcp,873,s0, udp,873,s0)
> Index: refpolicy-2.20170224/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20170224/policy/modules/services/ssh.te
> @@ -250,6 +250,8 @@ optional_policy(`
> allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
> allow sshd_t self:key { search link write };
>
> +allow sshd_t self:capability net_admin;
> +
> allow sshd_t sshd_keytab_t:file read_file_perms;
>
> manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
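Review bot: `allow sshd_t self:capability net_admin;` is a broad capability to hand the SSH daemon and the hunk gives no comment on what triggered it. If it only shows up as a denial while sshd works normally, a `dontaudit` is the safer form; if a specific socket option genuinely needs it, name it in a comment above the rule, e.g. `# net_admin: needed for <setsockopt option> -- confirm`.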
> Index: refpolicy-2.20170224/policy/modules/system/iptables.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/iptables.te
> +++ refpolicy-2.20170224/policy/modules/system/iptables.te
> @@ -106,6 +106,10 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + permit_in_unconfined_r(iptables_t)
> +')
> +
> +optional_policy(`
> fail2ban_append_log(iptables_t)
> ')
>
> @@ -153,4 +157,6 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(iptables_t)
> + # this is for iptables_t to inherit a file hande from xen vif-bridge
> + udev_manage_pid_files(iptables_t)
> ')
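Review bot: `udev_manage_pid_files(iptables_t)` grants create, write and unlink on udev's pid files, while the comment says the need is only to inherit a file handle from the xen vif-bridge script; using an inherited open descriptor needs read/write on that file, not management of the directory. If a read/write-only udev pid-file interface exists it should be used, otherwise a plain `allow` on the specific class with the same comment is tighter. The comment also has a typo, `hande` for `handle`.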
> Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.fc
> @@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
> /var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)
> /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
> /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
> +/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
> /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
> /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
>
> @@ -70,5 +71,6 @@ ifdef(`distro_gentoo',`
>
> ifdef(`distro_debian',`
> /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
> ')
>
> Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.if
> @@ -442,6 +442,31 @@ interface(`sysnet_etc_filetrans_config',
>
> #######################################
> ## <summary>
> +## Create directories in /var/run with the type used for
> +## the network config files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_var_run_dirtrans_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_pid_filetrans($1, net_conf_t, dir, $2)
> + allow $1 net_conf_t:dir create_dir_perms;
> +')
> +
> +#######################################
> +## <summary>
> ## Create, read, write, and delete network config files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170224/policy/modules/system/sysnetwork.te
> @@ -242,6 +242,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samba_manage_config(dhcpc_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(dhcpc_t)
> seutil_dontaudit_search_config(dhcpc_t)
> ')
> Description: Make systemd work
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-05
>
>


--
Chris PeBenito