From 06b025010b322f3edbb81154eab66b63b5d31063 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 19 2009 10:33:02 +0000 Subject: - Fix kismet policy --- diff --git a/policy-20071130.patch b/policy-20071130.patch index fe47c39..91f4f83 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -572895,8 +572895,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2009-02-12 22:21:57.000000000 +0100 -@@ -0,0 +1,252 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2009-02-19 11:22:07.000000000 +0100 +@@ -0,0 +1,253 @@ +## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. + +######################################## @@ -572915,6 +572915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + ') + + domtrans_pattern($1, kismet_exec_t, kismet_t) ++ allow kismet_t $1:process signull; +') + +######################################## @@ -573151,8 +573152,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2009-02-12 22:21:57.000000000 +0100 -@@ -0,0 +1,77 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2009-02-19 11:27:37.000000000 +0100 +@@ -0,0 +1,98 @@ + +policy_module(kismet, 1.0.2) + 
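Review bot: The added `allow kismet_t $1:process signull;` grants the kismet domain a permission over whichever domain calls this interface, which is unusual inside an interface built around `domtrans_pattern($1, kismet_exec_t, kismet_t)` whose stated purpose is to let `$1` run kismet; the interface's name and summary lie outside the hunk, so a caller reading only the summary would not expect to become a signull target. If only one caller needs kismet to probe it for liveness, the rule belongs in that caller's policy; if every caller does, the summary should say so, e.g. `## Execute kismet in the kismet domain; kismet may check (signull) the caller's process.`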
@@ -573175,6 +573176,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +type kismet_log_t; +logging_log_file(kismet_log_t) + ++type kismet_tmpfs_t; ++files_tmpfs_file(kismet_tmpfs_t) ++ ++type kismet_tmp_t; ++files_tmp_file(kismet_tmp_t) ++ +######################################## +# +# kismet local policy @@ -573200,6 +573207,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +allow kismet_t kismet_var_run_t:dir manage_dir_perms; +files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) + ++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) ++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) ++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) ++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) ++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) ++ +corecmd_exec_bin(kismet_t) + +corenet_all_recvfrom_unlabeled(kismet_t) @@ -573209,6 +573224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +corenet_tcp_sendrecv_all_ports(kismet_t) +corenet_tcp_bind_all_nodes(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) ++corenet_tcp_connect_pulseaudio_port(kismet_t) + +kernel_search_debugfs(kismet_t) + @@ -573218,11 +573234,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + +files_read_usr_files(kismet_t) + ++fs_getattr_tmpfs(kismet_t) ++ +libs_use_ld_so(kismet_t) +libs_use_shared_libs(kismet_t) + +miscfiles_read_localization(kismet_t) + ++userdom_read_generic_user_tmpfs_files(kismet_t) ++ ++userdom_dontaudit_manage_sysadm_home_files(kismet_t) ++ +optional_policy(` + dbus_system_bus_client_template(kismet, kismet_t) + 
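Review bot: `corenet_tcp_connect_pulseaudio_port(kismet_t)` is granted unconditionally to a daemon whose job is capturing wireless traffic, and nothing in the hunk records why a capture daemon needs an outbound connection to the pulseaudio port (presumably audible alerts). A one-line comment above it, such as `# kismet plays alert sounds through a local pulseaudio server` (or whatever the actual reason is), would stop the next maintainer from treating it as a stray allow, and if this tree has a tunable for optional features the rule is a candidate for one. The tmpfs read access added in the next hunk looks like it exists for the same reason and would benefit from the same comment.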
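Review bot: `userdom_dontaudit_manage_sysadm_home_files(kismet_t)` silences denials for creating, writing and deleting directories, files and symlinks under the admin home, not just reads, so a kismet_t process that is actually trying to write its logs or dumps into /root (presumably when started with /root as the working directory) fails silently and leaves no audit record to diagnose from. The narrower suppression in the style of `userdom_dontaudit_read_sysadm_home_content_files` is the conventional step; if writes into /root are genuinely expected, the decision should be documented next to the call, e.g. `# kismet started from /root tries to create its logs in the cwd; logs belong in kismet_log_t, hide the noise`. `userdom_read_generic_user_tmpfs_files(kismet_t)` on the preceding lines reads the tmpfs content of every user rather than only the invoking user's, which also deserves a comment. The interface itself is defined in the userdomain.if hunks later in this patch.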
@@ -673972,7 +673994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-02-19 11:21:16.000000000 +0100 @@ -29,9 +29,14 @@ ') @@ -675947,7 +675969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3473,42 @@ +@@ -3254,6 +3473,63 @@ ## ## # @@ -675962,6 +675984,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) +') + ++###################################### ++## ++## Read user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_generic_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ allow $1 user_tmpfs_t:dir list_dir_perms; ++ fs_search_tmpfs($1) ++') ++ +######################################## +## +## Read/write user tmpfs files. @@ -675990,7 +676033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -3267,6 +3522,42 @@ +@@ -3267,6 +3543,42 @@ ######################################## ## @@ -676033,7 +676076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -3962,6 +4253,24 @@ +@@ -3962,6 +4274,24 @@ ######################################## ## 
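Review bot: The summary of the new `userdom_read_generic_user_tmpfs_files` interface says only `Read user tmpfs files`, but the body also grants `list_dir_perms` on `user_tmpfs_t` directories and `fs_search_tmpfs($1)`, which the per-user template `userdom_read_user_tmpfs_files` just above it does not; a caller choosing between the two should be able to see that from the documentation. Suggest `## Read generic user tmpfs files and list generic user tmpfs directories.`, and if the directory listing is not needed by the one caller in this patch, dropping it. The `gen_require` assumes a `user_tmpfs_t` type is declared in this tree; that declaration is not visible here.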
@@ -676058,7 +676101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4540,11 @@ +@@ -4231,11 +4561,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -676072,7 +676115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4560,10 @@ +@@ -4251,10 +4581,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -676085,7 +676128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4579,11 @@ +@@ -4270,11 +4600,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -676099,7 +676142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4598,16 @@ +@@ -4289,16 +4619,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -676119,7 +676162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4616,54 @@ +@@ -4307,12 +4637,54 @@ ## ## # @@ -676177,7 +676220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4678,13 @@ +@@ -4327,13 +4699,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -676195,7 +676238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4882,10 @@ +@@ -4531,10 +4903,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` 
@@ -676208,7 +676251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4902,10 @@ +@@ -4551,10 +4923,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -676221,7 +676264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4920,10 @@ +@@ -4569,10 +4941,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -676234,7 +676277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4939,10 @@ +@@ -4588,10 +4960,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -676247,7 +676290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4957,10 @@ +@@ -4606,10 +4978,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -676260,7 +676303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4976,10 @@ +@@ -4625,10 +4997,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -676273,17 +676316,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4995,29 @@ +@@ -4644,14 +5016,53 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` - type sysadm_home_dir_t, sysadm_home_t; + type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:file read_file_perms; ++ ') ++ + dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') 
@@ -676301,13 +676341,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +interface(`userdom_dontaudit_read_sysadm_home_sym_links',` + gen_require(` + type admin_home_t; -+ ') -+ + ') + +- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:file read_file_perms; + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; ++') ++ ++####################################### ++## ++## Do not audit attempts to manage files in the sysadm ++## home directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_sysadm_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir manage_dir_perms; ++ dontaudit $1 admin_home_t:file manage_file_perms; ++ dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms; ') ++ ######################################## -@@ -4676,10 +5044,10 @@ + ## + ## Create objects in sysadm home directories +@@ -4676,10 +5087,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -676320,7 +676387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +5062,10 @@ +@@ -4694,10 +5105,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -676333,7 +676400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +5080,13 @@ +@@ -4712,13 +5123,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` 
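Review bot: The new `userdom_dontaudit_manage_sysadm_home_files` interface is named and summarised as covering files, but its body dontaudits `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` on `admin_home_t`, i.e. create/write/rename/unlink on directories, files and symlinks in the admin home. Suppressing denials for writes into /root is broad for a dontaudit interface; the sibling `userdom_dontaudit_read_sysadm_home_content_files` in the previous hunk limits itself to search and read, and attempts wider than that are exactly what should remain visible in the audit log. If the interface is kept, its summary should match its body: `## Do not audit attempts to create, read, write and delete directories, files and symlinks in the sysadm home directory.`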
@@ -676351,151 +676418,156 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +5122,49 @@ +@@ -4754,16 +5165,16 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` +- attribute home_dir_type; + attribute user_home_dir_type; -+ ') -+ -+ files_list_home($1) -+ allow $1 user_home_dir_type:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Read all users home directories symlinks. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_home_dirs_symlinks',` -+ gen_require(` - attribute home_dir_type; ') files_list_home($1) - allow $1 home_dir_type:dir search_dir_perms; -+ allow $1 home_dir_type:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## -+## Read all users home directories symlinks. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_home_content_symlinks',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ files_list_home($1) -+ allow $1 user_home_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4778,6 +5184,14 @@ - - files_list_home($1) - allow $1 home_dir_type:dir list_dir_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs($1) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs($1) -+ ') ++ allow $1 user_home_dir_type:dir search_dir_perms; ') ######################################## -@@ -4815,6 +5229,8 @@ + ## +-## List all users home directories. ++## Read all users home directories symlinks. 
+ ## + ## + ## +@@ -4771,18 +5182,18 @@ + ## + ## + # +-interface(`userdom_list_all_users_home_dirs',` ++interface(`userdom_read_all_users_home_dirs_symlinks',` + gen_require(` + attribute home_dir_type; ') - dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; -+ fs_dontaudit_list_nfs($1) -+ fs_dontaudit_list_cifs($1) + files_list_home($1) +- allow $1 home_dir_type:dir list_dir_perms; ++ allow $1 home_dir_type:lnk_file read_lnk_file_perms; ') ######################################## -@@ -4839,7 +5255,7 @@ - - ######################################## ## --## Create, read, write, and delete all directories -+## delete all directories - ## in all users home directories. +-## Search all users home directories. ++## Read all users home directories symlinks. ## ## -@@ -4848,18 +5264,18 @@ + ## +@@ -4790,36 +5201,45 @@ ## ## # --interface(`userdom_manage_all_users_home_content_dirs',` -+interface(`userdom_delete_all_users_home_content_dirs',` +-interface(`userdom_search_all_users_home_content',` ++interface(`userdom_read_all_users_home_content_symlinks',` gen_require(` - attribute home_type; +- attribute home_dir_type, home_type; ++ type user_home_t; ') files_list_home($1) -- allow $1 home_type:dir manage_dir_perms; -+ delete_dirs_pattern($1, home_type, home_type) +- allow $1 { home_dir_type home_type }:dir search_dir_perms; ++ allow $1 user_home_t:lnk_file read_lnk_file_perms; ') ######################################## ## --## Create, read, write, and delete all files -+## Create, read, write, and delete all directories - ## in all users home directories. +-## Do not audit attempts to search all users home directories. ++## List all users home directories. ## ## -@@ -4868,18 +5284,18 @@ + ## +-## Domain to not audit. ++## Domain allowed access. 
## ## # --interface(`userdom_manage_all_users_home_content_files',` -+interface(`userdom_manage_all_users_home_content_dirs',` +-interface(`userdom_dontaudit_search_all_users_home_content',` ++interface(`userdom_list_all_users_home_dirs',` gen_require(` - attribute home_type; +- attribute home_dir_type, home_type; ++ attribute home_dir_type; ') - files_list_home($1) -- manage_files_pattern($1,home_type,home_type) -+ allow $1 home_type:dir manage_dir_perms; +- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; ++ files_list_home($1) ++ allow $1 home_dir_type:dir list_dir_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ ') ') ######################################## ## --## Create, read, write, and delete all symlinks -+## Delete all files - ## in all users home directories. +-## Read all files in all users home directories. ++## Search all users home directories. ## ## -@@ -4888,12 +5304,71 @@ + ## +@@ -4827,7 +5247,46 @@ ## ## # --interface(`userdom_manage_all_users_home_content_symlinks',` -+interface(`userdom_delete_all_users_home_content_files',` - gen_require(` - attribute home_type; - ') - -- files_list_home($1) -+ delete_files_pattern($1,home_type,home_type) +-interface(`userdom_read_all_users_home_content_files',` ++interface(`userdom_search_all_users_home_content',` ++ gen_require(` ++ attribute home_dir_type, home_type; ++ ') ++ ++ files_list_home($1) ++ allow $1 { home_dir_type home_type }:dir search_dir_perms; +') + +######################################## +## -+## Create, read, write, and delete all files ++## Do not audit attempts to search all users home directories. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`userdom_dontaudit_search_all_users_home_content',` ++ gen_require(` ++ attribute home_dir_type, home_type; ++ ') ++ ++ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; ++ fs_dontaudit_list_nfs($1) ++ fs_dontaudit_list_cifs($1) ++') ++ ++######################################## ++## ++## Read all files in all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_all_users_home_content_files',` + gen_require(` + attribute home_type; + ') +@@ -4839,6 +5298,26 @@ + + ######################################## + ## ++## delete all directories +## in all users home directories. +## +## @@ -676504,18 +676576,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_all_users_home_content_files',` ++interface(`userdom_delete_all_users_home_content_dirs',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) -+ manage_files_pattern($1,home_type,home_type) ++ delete_dirs_pattern($1, home_type, home_type) +') + +######################################## +## -+## Delete all symlinks + ## Create, read, write, and delete all directories + ## in all users home directories. + ## +@@ -4859,6 +5338,25 @@ + + ######################################## + ## ++## Delete all files +## in all users home directories. +## +## 
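Review bot: `userdom_read_all_users_home_dirs_symlinks` and `userdom_read_all_users_home_content_symlinks` now carry the identical summary `Read all users home directories symlinks.` although one grants `home_dir_type:lnk_file` and the other `user_home_t:lnk_file`, so a reader of the generated documentation cannot tell them apart. Suggest `## Read symlinks in all users home directory content.` for the second. That second interface also requires the single `user_home_t` type rather than the `home_type` attribute the other `_all_users_home_content_` interfaces in this hunk use, which reads as an inconsistency with its name unless the narrowing is deliberate; a one-line comment stating that would help. The reordering of the inner patch in this hunk otherwise keeps the rules as they were.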
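Review bot: The summary line `## delete all directories` of `userdom_delete_all_users_home_content_dirs` is the only lower-case summary among the delete interfaces; its siblings in the following hunks read `Delete all files` and `Delete all symlinks`. Change it to `## Delete all directories`. The body is consistent with its siblings, calling `files_list_home($1)` before `delete_dirs_pattern($1, home_type, home_type)`.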
@@ -676524,18 +676603,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_delete_all_users_home_content_symlinks',` ++interface(`userdom_delete_all_users_home_content_files',` + gen_require(` + attribute home_type; + ') + -+ files_list_home($1) -+ delete_lnk_files_pattern($1,home_type,home_type) ++ delete_files_pattern($1,home_type,home_type) +') + +######################################## +## -+## Create, read, write, and delete all symlinks + ## Create, read, write, and delete all files + ## in all users home directories. + ## +@@ -4879,6 +5377,26 @@ + + ######################################## + ## ++## Delete all symlinks +## in all users home directories. +## +## @@ -676544,16 +676629,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_manage_all_users_home_content_symlinks',` ++interface(`userdom_delete_all_users_home_content_symlinks',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) - manage_lnk_files_pattern($1,home_type,home_type) - ') - -@@ -5115,7 +5590,7 @@ ++ delete_lnk_files_pattern($1,home_type,home_type) ++') ++ ++######################################## ++## + ## Create, read, write, and delete all symlinks + ## in all users home directories. + ## +@@ -5115,7 +5633,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -676562,7 +676652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5779,63 @@ +@@ -5304,6 +5822,63 @@ ######################################## ## @@ -676626,7 +676716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +6041,43 @@ +@@ -5509,6 +6084,43 @@ ######################################## ## 
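Review bot: `userdom_delete_all_users_home_content_files` calls only `delete_files_pattern($1,home_type,home_type)` and omits the `files_list_home($1)` that `userdom_delete_all_users_home_content_dirs` (previous hunk) and `userdom_delete_all_users_home_content_symlinks` (next hunk) both start with, so a caller of this interface alone may not be able to reach the files beneath the home root unless it obtains that access elsewhere. This is carried over from the earlier version of the inner patch rather than introduced here, but the hunk rewrites the interface and is the place to fix it: add `files_list_home($1)` before the pattern call. The argument spacing `($1,home_type,home_type)` also differs from the `($1, home_type, home_type)` used in the dirs variant.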
@@ -676670,7 +676760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +6128,7 @@ +@@ -5559,7 +6171,7 @@ attribute userdomain; ') @@ -676679,7 +676769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6243,42 @@ +@@ -5674,6 +6286,42 @@ ######################################## ## @@ -676722,7 +676812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6309,408 @@ +@@ -5704,3 +6352,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')