- Add support for labeled Booleans.
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+ logadm (Dan Walsh)
+ zosremote (Dan Walsh)
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
- Fix consistency of audioentropy and iscsi module naming.
-policy_module(logwatch, 1.9.0)
+policy_module(logwatch, 1.9.1)
#################################
#
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
+kernel_read_network_state(logwatch_t)
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
domain_read_all_domains_state(logwatch_t)
files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
files_read_usr_files(logwatch_t)
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
+auth_use_nsswitch(logwatch_t)
auth_dontaudit_read_shadow(logwatch_t)
init_read_utmp(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
apache_read_log(logwatch_t)
')
-optional_policy(`
- auth_use_nsswitch(logwatch_t)
-')
-
optional_policy(`
avahi_dontaudit_search_pid(logwatch_t)
')
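Review bot: The new `sysnet_exec_ifconfig(logwatch_t)` line runs ifconfig inside logwatch_t instead of transitioning to the ifconfig domain, and nothing in the hunk records why; a later maintainer may "correct" it to a domtrans, which would hand a report generator whatever privileges the ifconfig domain carries. Suggest a comment above it: `# logwatch only parses ifconfig output for its network report; run it in logwatch_t on purpose so no transition to a privileged network domain happens`. The paired `kernel_read_net_sysctls`/`kernel_read_network_state` additions presumably serve the same report and could share that comment. The rule block these lines belong to starts before this hunk.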
domtrans_pattern($1, passwd_exec_t, passwd_t)
')
+########################################
+## <summary>
+## Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+ gen_require(`
+ type passwd_t;
+ ')
+
+ allow $1 passwd_t:process sigkill;
+')
+
########################################
## <summary>
## Execute passwd in the passwd domain, and
usermanage_domtrans_passwd($1)
role $2 types passwd_t;
+ auth_run_chk_passwd(passwd_t, $2)
')
########################################
-policy_module(usermanage, 1.12.0)
+policy_module(usermanage, 1.12.1)
########################################
#
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
+auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
userdom_read_all_users_state(passwd_t)
+userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
mta_manage_spool(useradd_t)
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(useradd_t)
+ ')
+')
+
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
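Review bot: `unconfined_domain(useradd_t)` inside the new `ifdef(`distro_redhat'` block removes all confinement from useradd_t on Red Hat builds, which is the largest privilege change in this patch, yet it carries no comment and no tunable. At minimum document the reason in place (`# Red Hat: useradd_t is intentionally unconfined here because <reason>; see <bug>`), and consider a `tunable_policy` so administrators can keep useradd confined. Note that the `optional_policy` wrapper only checks that the unconfined module is present; it does not gate on any boolean. The useradd_t rule block continues beyond this hunk.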
--- /dev/null
+# file contexts handled by userdomain and genhomedircon
--- /dev/null
+## <summary>Log administrator role</summary>
+
+########################################
+## <summary>
+## Change to the log administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change',`
+ gen_require(`
+ role logadm_r;
+ ')
+
+ allow $1 logadm_r;
+')
+
+########################################
+## <summary>
+## Change from the log administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the log administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logadm_role_change_to',`
+ gen_require(`
+ role logadm_r;
+ ')
+
+ allow logadm_r $1;
+')
--- /dev/null
+
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r)
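Review bot: The capability set `{ dac_override dac_read_search kill sys_ptrace sys_nice }` granted to logadm_t has no comment justifying each entry; dac_override and sys_ptrace in particular reach well beyond reading and rotating logs (sys_ptrace lets the role inspect other processes' memory, dac_override bypasses file permission bits everywhere). Either drop the ones the role's tools do not need or annotate the line, e.g. `# dac_read_search: root-owned log dirs; sys_ptrace: <tool> — TODO confirm each`. Also, nothing in this module calls `logadm_role_change` for an existing role, so whether logadm_r is actually reachable depends on policy outside this patch.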
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
#
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_portmap_client_packets($1_t)
# do not log when it tries to bind to a port belonging to another domain
- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+ corenet_dontaudit_tcp_bind_all_ports($1_t)
+ corenet_dontaudit_udp_bind_all_ports($1_t)
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
- corenet_udp_bind_reserved_port($1_t)
+ corenet_tcp_bind_all_rpc_ports($1_t)
+ corenet_udp_bind_all_rpc_ports($1_t)
corenet_sendrecv_generic_server_packets($1_t)
fs_rw_rpc_named_pipes($1_t)
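Review bot: Replacing `corenet_dontaudit_*_bind_all_reserved_ports` with `corenet_dontaudit_*_bind_all_ports` widens the audit blind spot from the reserved range to every labelled port: an rpc daemon that (by bug or compromise) tries to bind a port owned by another service is now denied silently, with no AVC record, which is exactly the event an incident responder wants logged. The comment above explains the noise-suppression intent; consider keeping the dontaudit to the reserved range now that `corenet_*_bind_all_rpc_ports` covers the daemons' legitimate ports, or state in the comment that the trade-off is accepted. The template this belongs to starts before the hunk.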
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
')
+########################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+ allow rpcd_t $1:process signal;
+')
+
########################################
## <summary>
## Read NFS exported content.
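Review bot: The summary of the new `rpc_domtrans_rpcd` interface reads "Execute domain in nfsd domain." but the body transitions to rpcd_t, so the docstring is a copy-paste from the nfsd interface; change it to `## Execute domain in rpcd domain.`. The extra `allow rpcd_t $1:process signal;` is also undocumented — the summary should say that the rpcd domain may signal the caller, since that is a reverse grant callers would not expect from a plain domtrans interface.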
files_search_var_lib($1)
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
')
+
+########################################
+## <summary>
+## Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
-policy_module(rpc, 1.10.3)
+policy_module(rpc, 1.10.4)
########################################
#
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
corecmd_exec_bin(rpcd_t)
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
')
tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
- fs_read_noxattr_fs_files(nfsd_t)
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
+
+ files_getattr_all_pipes(nfsd_t)
+ files_getattr_all_sockets(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+ auth_read_all_dirs_except_shadow(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)
')
')
optional_policy(`
- kerberos_use(gssd_t)
- kerberos_read_keytab(gssd_t)
+ kerberos_keytab_template(gssd, gssd_t)
')
optional_policy(`
--- /dev/null
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
--- /dev/null
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, type zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+## <summary>
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the zos_remote domain.
+## </summary>
+## </param>
+#
+interface(`zosremote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zosremote_domtrans($1)
+ role $2 types zos_remote_t;
+')
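Review bot: The `gen_require` in `zosremote_domtrans` reads `type zos_remote_t, type zos_remote_exec_t;`, which is not valid require syntax — the keyword is given once for the list: `type zos_remote_t, zos_remote_exec_t;`. As written the module will most likely fail to build, which breaks every caller of zosremote_domtrans and zosremote_run. Separately, the `zosremote_run` summary says "Allow specified type to use zos_remote_t terminal", but the body contains no such allow rule — drop that sentence or add the rule it describes.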
--- /dev/null
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
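Review bot: `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon; interface calls are m4 macros that already expand to complete statements, so the stray `;` lands in the generated policy and is likely a parse error (and at best inconsistent with every other line in the file) — drop it. Also, a plugin whose summary says it dispatches audit records to a remote z/OS host is given no network permissions here (no corenet connect rule); if that is deliberate because the daemon only hands records to a local transport, a comment should say so — TODO confirm against the plugin's actual behaviour.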
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
dontaudit $1 udev_t:unix_dgram_socket { read write };
')
+########################################
+## <summary>
+## Do not audit search of udev database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`udev_dontaudit_search_db',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ dontaudit $1 udev_tbl_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Allow process to read list of devices.
#
interface(`udev_read_db',`
gen_require(`
- type udev_tdb_t;
+ type udev_tbl_t;
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tdb_t:file read_file_perms;
+ allow $1 udev_tbl_t:dir list_dir_perms;
+ read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
')
########################################
#
interface(`udev_rw_db',`
gen_require(`
- type udev_tdb_t;
+ type udev_tbl_t;
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tdb_t:file rw_file_perms;
+ allow $1 udev_tbl_t:file rw_file_perms;
')
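Review bot: `udev_rw_db` still grants only `udev_tbl_t:file rw_file_perms`, while the parallel `udev_read_db` in the same hunk gains `dir list_dir_perms` plus the `read_files_pattern`/`read_lnk_files_pattern` macros (which include dir search). A caller of udev_rw_db can therefore write the db files but cannot traverse the udev_tbl_t directory to reach them, so the interface is a superset in name only; use `rw_files_pattern($1, udev_tbl_t, udev_tbl_t)` and `allow $1 udev_tbl_t:dir list_dir_perms;` to keep the two consistent. The interface's summary sits above the hunk.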
-policy_module(udev, 1.10.1)
+policy_module(udev, 1.10.2)
########################################
#
can_exec(udev_t, udev_exec_t)
allow udev_t udev_helper_exec_t:dir list_dir_perms;
+can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
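Review bot: `can_exec(udev_t, udev_helper_exec_t)` means helper programs labelled udev_helper_exec_t run with udev_t's full privilege set (udev_t already has `corecmd_exec_all_executables` and gains `logging_send_audit_msgs` and `kernel_search_debugfs` elsewhere in this patch), and no comment records that the absence of a transition is intentional. Suggest `# helpers labelled udev_helper_exec_t run in udev_t without a transition; a helper needing a different privilege set must get its own domain` above the line so the label is not mistaken for a confined-helper type.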
kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
+kernel_search_debugfs(udev_t)
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
corecmd_exec_all_executables(udev_t)
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
+logging_send_audit_msgs(udev_t)
miscfiles_read_localization(udev_t)
optional_policy(`
alsa_domtrans(udev_t)
+ alsa_read_lib(udev_t)
alsa_read_rw_config(udev_t)
')
brctl_domtrans(udev_t)
')
+optional_policy(`
+ clock_domtrans(udev_t)
+')
+
optional_policy(`
consoletype_exec(udev_t)
')
dbus_system_bus_client(udev_t)
')
+optional_policy(`
+ lvm_domtrans(udev_t)
+')
+
optional_policy(`
fstools_domtrans(udev_t)
')