From a800cf40d231c465707b62277a84940ef114c5c0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 17 2008 15:27:53 +0000
Subject: - Dontaudit validating context when using kerberos libraries
- Allow postfix_virtual write access to postfix_private sockets
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index e29ab00..9c52657 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1788,6 +1788,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.0.8/policy/modules/admin/mrtg.te
+--- nsaserefpolicy/policy/modules/admin/mrtg.te 2007-10-22 13:21:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/mrtg.te 2008-04-17 11:16:21.000000000 -0400
+@@ -78,6 +78,7 @@
+ dev_read_urand(mrtg_t)
+
+ domain_use_interactive_fds(mrtg_t)
++domain_dontaudit_search_all_domains_state(mrtg_t)
+
+ files_read_usr_files(mrtg_t)
+ files_search_var(mrtg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2008-04-04 16:11:03.000000000 -0400
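Review bot: The new `domain_dontaudit_search_all_domains_state(mrtg_t)` line in the mrtg.te hunk carries no comment saying which access it silences, so a later reader cannot tell whether the dontaudit is still warranted. The commit subject suggests it is the context validation performed by the kerberos libraries, but the hunk itself does not record that; a one-line comment above the rule such as `# context validation by the kerberos libraries searches other domains' /proc state; not needed, so dontaudit` would. Because a dontaudit hides the denial rather than granting the access, that comment is also the only trail left if mrtg later needs the access for real. The enclosing mrtg_t rule block starts and ends outside the hunk.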
@@ -20120,8 +20131,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
# Sulogin local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-04-04 16:11:03.000000000 -0400
-@@ -1,12 +1,16 @@
++++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-04-17 11:18:18.000000000 -0400
+@@ -1,12 +1,17 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -20130,6 +20141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
++/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -20139,7 +20151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-@@ -26,12 +30,22 @@
+@@ -26,12 +31,22 @@
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -20162,7 +20174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-@@ -43,3 +57,10 @@
+@@ -43,3 +58,10 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -20595,7 +20607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-04-17 11:18:03.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(logging,1.7.3)
@@ -20623,7 +20635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
-@@ -55,23 +61,37 @@
+@@ -55,23 +61,42 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -20644,6 +20656,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
++type audisp_remote_t;
++type audisp_remote_exec_t;
++domain_type(audisp_remote_t)
++domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
++
########################################
#
-# Auditd local policy
@@ -20664,7 +20681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
-@@ -91,6 +111,7 @@
+@@ -91,6 +116,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
@@ -20672,7 +20689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditctl_t)
########################################
-@@ -98,16 +119,15 @@
+@@ -98,16 +124,15 @@
# Auditd local policy
#
@@ -20691,7 +20708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
-@@ -141,6 +161,7 @@
+@@ -141,6 +166,7 @@
init_telinit(auditd_t)
@@ -20699,7 +20716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -153,9 +174,21 @@
+@@ -153,9 +179,21 @@
seutil_dontaudit_read_config(auditd_t)
@@ -20721,7 +20738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
-@@ -194,6 +227,7 @@
+@@ -194,6 +232,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
@@ -20729,7 +20746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(klogd_t)
-@@ -212,6 +246,12 @@
+@@ -212,6 +251,12 @@
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
@@ -20742,7 +20759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
optional_policy(`
udev_read_db(klogd_t)
')
-@@ -241,12 +281,16 @@
+@@ -241,12 +286,16 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -20759,7 +20776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -255,6 +299,9 @@
+@@ -255,6 +304,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -20769,7 +20786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -300,6 +347,7 @@
+@@ -300,6 +352,7 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
@@ -20777,7 +20794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -312,6 +360,8 @@
+@@ -312,6 +365,8 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -20786,7 +20803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
-@@ -341,6 +391,12 @@
+@@ -341,6 +396,12 @@
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
')
@@ -20799,7 +20816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
optional_policy(`
inn_manage_log(syslogd_t)
')
-@@ -365,3 +421,40 @@
+@@ -365,3 +426,69 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -20815,6 +20832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
++allow audisp_t self:unix_dgram_socket create_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
@@ -20830,7 +20848,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+miscfiles_read_localization(audisp_t)
+
+corecmd_search_bin(audisp_t)
-+allow audisp_t self:unix_dgram_socket create_socket_perms;
++
++sysnet_dns_name_resolve(audisp_t)
+
+logging_domtrans_audisp(auditd_t)
+logging_audisp_signal(auditd_t)
@@ -20840,6 +20859,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+#')
+
+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
++
++########################################
++#
++# audisp_remote local policy
++#
++
++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
++
++allow audisp_remote_t self:tcp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(audisp_remote_t)
++corenet_all_recvfrom_netlabel(audisp_remote_t)
++corenet_tcp_sendrecv_all_if(audisp_remote_t)
++corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
++corenet_tcp_connect_audit_port(audisp_remote_t)
++
++files_read_etc_files(audisp_remote_t)
++
++libs_use_ld_so(audisp_remote_t)
++libs_use_shared_libs(audisp_remote_t)
++
++logging_send_syslog_msg(audisp_remote_t)
++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
++
++miscfiles_read_localization(audisp_remote_t)
++
++sysnet_dns_name_resolve(audisp_remote_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc 2008-04-04 16:11:03.000000000 -0400
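Review bot: `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is invoked twice in the new audisp_remote block, once at its top and again directly after `logging_send_syslog_msg(audisp_remote_t)`; the second call is a duplicate and should be dropped. The same type pair also gets explicit `domain_type(audisp_remote_t)` and `domain_entry_file(audisp_remote_t, audisp_remote_exec_t)` in the earlier type-declaration hunk of this file; the interface body is outside this view, but if it establishes the domain and entry point itself those two lines are redundant as well. The block grants `corenet_tcp_sendrecv_all_if`/`corenet_tcp_sendrecv_all_nodes` and `corenet_tcp_connect_audit_port` but no port-level send/receive permission; if the port-labelled send_msg/recv_msg checks apply on the target kernel, `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` next to the connect rule is needed, and it keeps the reachable port set limited to the audit port rather than all ports.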