Changeset 2820

Timestamp:

09/25/08 10:34:32 (2 months ago)

Author:

cpebenito

Message:

rbacsep: update to trunk 2819.

Files:

• branches/rbacsep/Changelog (modified) (2 diffs)
• branches/rbacsep/policy/mls (modified) (1 diff)
• branches/rbacsep/policy/modules/admin/firstboot.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/admin/kudzu.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/admin/logrotate.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/admin/readahead.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/kernel/corenetwork.te.in (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/apcupsd.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/apcupsd.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/bind.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/bind.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/bind.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/courier.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/cups.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/cvs.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/cvs.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/cyphesis.fc (copied) (copied from trunk/policy/modules/services/cyphesis.fc)
• branches/rbacsep/policy/modules/services/cyphesis.if (copied) (copied from trunk/policy/modules/services/cyphesis.if)
• branches/rbacsep/policy/modules/services/cyphesis.te (copied) (copied from trunk/policy/modules/services/cyphesis.te) (1 diff)
• branches/rbacsep/policy/modules/services/fail2ban.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/fail2ban.te (modified) (6 diffs)
• branches/rbacsep/policy/modules/services/inetd.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/inetd.te (modified) (6 diffs)
• branches/rbacsep/policy/modules/services/mta.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/mta.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/mta.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/networkmanager.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/networkmanager.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/networkmanager.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/ntp.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ntp.te (modified) (7 diffs)
• branches/rbacsep/policy/modules/services/ppp.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ppp.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ppp.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/rpcbind.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/rpcbind.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/rpcbind.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/squid.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/squid.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/squid.te (modified) (7 diffs)
• branches/rbacsep/policy/modules/services/ssh.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/xserver.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/xserver.te (modified) (1 diff)
• branches/rbacsep/policy/modules/system/init.if (modified) (6 diffs)
• branches/rbacsep/policy/modules/system/init.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/system/logging.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/system/logging.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/system/logging.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/system/modutils.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/system/modutils.te (modified) (1 diff)
• branches/rbacsep/policy/modules/system/setrans.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/system/setrans.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/system/unconfined.te (modified) (1 diff)

branches/rbacsep/Changelog

@@ +1 @@
+- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
+- Logrotate and Bind updates from Vaclav Ovsik.
+- Init script file and domain support.
-- Glibc 2.7 fix from Vaclav Ovsik.
-- Samba/winbind update from Mike Edenfield.
@@ -11 +14 @@
-  named pipe.  Updated init_telinit() to match.
-- Added modules:
+        cyphesis (Dan Walsh)
-        w3c (Dan Walsh)
-

branches/rbacsep/policy/mls

@@ -573 +573 @@
-#
-
- (explicit single level)
+
-mlsconstrain x_application_data { paste }
-eq
-
- (downgrade permitted)
+domby
+
+
-mlsconstrain x_application_data { paste_after_confirm }
-
-
-
-
-
-
-
-
-
-
+
-
-

branches/rbacsep/policy/modules/admin/firstboot.te

@@ -1 +1 @@
-
-1
+2
-
-gen_require(`
@@ -119 +119 @@
-')
-
+optional_policy(`
+        xserver_rw_shm(firstboot_t)
+')
+
-ifdef(`TODO',`
-allow firstboot_t proc_t:file write;

branches/rbacsep/policy/modules/admin/kudzu.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -22 +22 @@
-#
-
-
-{ sys_ptrace sys_tty_config }
+ptrace sys_
+sys_tty_config
-allow kudzu_t self:process { signal_perms execmem };
-allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -69 +69 @@
-modutils_read_module_config(kudzu_t)
-modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
-
-storage_read_scsi_generic(kudzu_t)
@@ -104 +105 @@
-init_use_script_ptys(kudzu_t)
-init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
-# kudzu will telinit to make init re-read
-# the inittab after configuring serial consoles

branches/rbacsep/policy/modules/admin/logrotate.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -134 +134 @@
-        # for syslogd-listfiles
-        logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+        logging_check_exec_syslog(logrotate_t)
-')
-

branches/rbacsep/policy/modules/admin/readahead.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -60 +60 @@
-fs_dontaudit_read_ramfs_files(readahead_t)
-fs_read_tmpfs_symlinks(readahead_t)
+fs_list_inotifyfs(readahead_t)
-
-mls_file_read_all_levels(readahead_t)

branches/rbacsep/policy/modules/kernel/corenetwork.te.in

@@ -1 +1 @@
-
-7
+9
-
-########################################
@@ -83 +83 @@
-network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
-network_port(comsat, udp,512,s0)
+network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
-network_port(cvs, tcp,2401,s0, udp,2401,s0)
-network_port(dcc, udp,6276,s0, udp,6277,s0)
@@ -135 +136 @@
-network_port(pegasus_https, tcp,5989,s0)
-network_port(postfix_policyd, tcp,10031,s0)
+network_port(pgpkeyserver, udp,11371,s0, tcp,11371,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
-network_port(portmap, udp,111,s0, tcp,111,s0)
@@ -150 +152 @@
-network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0)
-
+, udp,521,s0, tcp,521,s0
-network_port(rsh, tcp,514,s0)
-network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(rwho, udp,513,s0)
-
+7-13
-network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
@@ -174 +176 @@
-network_port(vnc, tcp,5900,s0)
-network_port(wccp, udp,2048,s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
-network_port(xdmcp, udp,177,s0, tcp,177,s0)
-network_port(xen, tcp,8002,s0)

branches/rbacsep/policy/modules/services/apcupsd.if

@@ -91 +91 @@
-## </param>
-#
-httpd_
+
-        gen_require(`
-                type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;

branches/rbacsep/policy/modules/services/apcupsd.te

@@ -1 +1 @@
-
-0
+1
-
-########################################

branches/rbacsep/policy/modules/services/bind.fc

@@ +1 @@
+/etc/rc.d/init.d/named  --      gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rndc.*             --      gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key          --      gen_context(system_u:object_r:dnssec_t,s0)
@@ -16 +17 @@
-/etc/bind(/.*)?                 gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf   --      gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key     --      gen_context(system_u:object_r:dnssec_t,s0)
-/var/cache/bind(/.*)?           gen_context(system_u:object_r:named_cache_t,s0)

branches/rbacsep/policy/modules/services/bind.if

@@ -255 +255 @@
-        refpolicywarn(`$0($*) has been deprecated.')
-')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an bind environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+        gen_require(`
+                type named_t, ndc_t;
+        ')
+
+        allow $1 named_t:process { ptrace signal_perms };
+        ps_process_pattern($1, named_t)
+                
+        allow $1 ndc_t:process { ptrace signal_perms };
+        ps_process_pattern($1, ndc_t)
+                
+        bind_run_ndc($1, $2, $3)
+')

branches/rbacsep/policy/modules/services/bind.te

@@ -1 +1 @@
-
-0
+2
-
-########################################
@@ -36 +36 @@
-files_type(named_cache_t)
-
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
-type named_log_t;
-logging_log_file(named_log_t)
@@ -61 +64 @@
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-dontaudit named_t self:capability sys_tty_config;
-
+getcap 
-allow named_t self:fifo_file rw_fifo_file_perms;
-allow named_t self:unix_stream_socket create_stream_socket_perms;
@@ -223 +226 @@
-corenet_tcp_sendrecv_all_nodes(ndc_t)
-corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_all_nodes(ndc_t)
-corenet_tcp_connect_rndc_port(ndc_t)
-corenet_sendrecv_rndc_client_packets(ndc_t)

branches/rbacsep/policy/modules/services/courier.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -28 +28 @@
-
-type courier_exec_t;
-files_typ
+mta_agent_executabl
-
-courier_domain_template(sqwebmail)

branches/rbacsep/policy/modules/services/cups.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -570 +570 @@
-
-optional_policy(`
+        dbus_system_bus_client(hplip_t)
+')
+
+optional_policy(`
-        seutil_sigchld_newrole(hplip_t)
-')

branches/rbacsep/policy/modules/services/cvs.if

@@ -37 +37 @@
-        can_exec($1, cvs_exec_t)
-')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an cvs environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the cvs domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+        gen_require(`
+                type cvs_t, cvs_tmp_t;
+                type cvs_data_t, cvs_var_run_t;
+                type cvs_initrc_exec_t;
+        ')
+
+        allow $1 cvs_t:process { ptrace signal_perms };
+        ps_process_pattern($1, cvs_t)
+                
+        # Allow cvs_t to restart the apache service
+        init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 cvs_initrc_exec_t system_r;
+        allow $2 system_r;
+')

branches/rbacsep/policy/modules/services/cvs.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -22 +22 @@
-type cvs_data_t; # customizable
-files_type(cvs_data_t)
+
+type cvs_initrc_exec_t;
+init_script_file(cvs_initrc_exec_t)
-
-type cvs_tmp_t;
@@ -70 +73 @@
-
-auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
-
-corecmd_exec_bin(cvs_t)
@@ -87 +91 @@
-miscfiles_read_localization(cvs_t)
-
-sysnet_read_config(cvs_t)
-
-mta_send_mail(cvs_t)
-
@@ -98 +100 @@
-
-optional_policy(`
-        kerberos_use(cvs_t)
-        kerberos_read_keytab(cvs_t)
-        kerberos_read_config(cvs_t)
-        kerberos_dontaudit_write_config(cvs_t)
-')
-
-optional_policy(`
-        nis_use_ypbind(cvs_t)
-')
-
-optional_policy(`
-        nscd_socket_use(cvs_t)
-')

branches/rbacsep/policy/modules/services/cyphesis.te

@@ -77 +77 @@
-optional_policy(`
-        avahi_dbus_chat(cyphesis_t)
-_template(cyphesis, 
+(
-')
-

branches/rbacsep/policy/modules/services/fail2ban.fc

@@ +1 @@
+/etc/rc\.d/init\.d/fail2ban --  gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
-/usr/bin/fail2ban       --      gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server --     gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/var/log/fail2ban\.log  --      gen_context(system_u:object_r:fail2ban_log_t,s0)
-/var/run/fail2ban\.pid  --      gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock -s      gen_context(system_u:object_r:fail2ban_var_run_t,s0)

branches/rbacsep/policy/modules/services/fail2ban.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -10 +10 @@
-type fail2ban_exec_t;
-init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
-
-# log files
@@ -26 +29 @@
-allow fail2ban_t self:process signal;
-allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-
+
+
-
-# log files
@@ -34 +38 @@
-
-# pid file
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-file
+{ file sock_file }
-
-kernel_read_system_state(fail2ban_t)
@@ -42 +47 @@
-corecmd_exec_shell(fail2ban_t)
-
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_all_nodes(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
-dev_read_urand(fail2ban_t)
-
@@ -47 +60 @@
-
-files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
-
-libs_use_ld_so(fail2ban_t)
-libs_use_shared_libs(fail2ban_t)
-
-generic
+all
-
-miscfiles_read_localization(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
-
-optional_policy(`

branches/rbacsep/policy/modules/services/inetd.if

@@ -116 +116 @@
-        allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
-        allow $1 inetd_t:udp_socket rw_socket_perms;
+
+        # encrypt the service through stunnel
+        optional_policy(`
+                stunnel_service_domain($1, $2)
+        ')
-')
-

branches/rbacsep/policy/modules/services/inetd.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -30 +30 @@
-type inetd_child_var_run_t;
-files_pid_file(inetd_child_var_run_t)
+
+ifdef(`enable_mcs',`
+        init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
+')
-
-########################################
@@ -59 +63 @@
-kernel_read_system_state(inetd_t)
-kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+corecmd_bin_domtrans(inetd_t, inetd_child_t)
-
-# base networking:
@@ -85 +91 @@
-corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
-corenet_udp_bind_ktalkd_port(inetd_t)
-corenet_tcp_bind_printer_port(inetd_t)
@@ -106 +113 @@
-corenet_sendrecv_ftp_server_packets(inetd_t)
-corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_sendrecv_ircd_server_packets(inetd_t)
-corenet_sendrecv_ktalkd_server_packets(inetd_t)
-corenet_sendrecv_printer_server_packets(inetd_t)
@@ -149 +157 @@
-sysadm_dontaudit_search_home_dirs(inetd_t)
-
+ifdef(`distro_redhat',`
+        optional_policy(`
+                unconfined_domain(inetd_t)
+        ')
+')
+
-ifdef(`enable_mls',`
-        corenet_tcp_recvfrom_netlabel(inetd_t)
-        corenet_udp_recvfrom_netlabel(inetd_t)
-')
+
-optional_policy(`
-        amanda_search_lib(inetd_t)

branches/rbacsep/policy/modules/services/mta.fc

@@ +1 @@
+/bin/mail               --      gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/etc/aliases            --      gen_context(system_u:object_r:etc_aliases_t,s0)

branches/rbacsep/policy/modules/services/mta.if

@@ -190 +190 @@
-        init_daemon_domain($1,$2)
-        typeattribute $1 mailserver_domain;
+')
+
+########################################
+## <summary>
+##      Make the specified type a MTA executable file.
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a mail client.
+##      </summary>
+## </param>
+#
+interface(`mta_agent_executable',`
+        gen_require(`
+                attribute mta_exec_type;
+        ')
+
+        typeattribute $1 mta_exec_type;
+
+        application_executable_file($1)
+')
+
+########################################
+## <summary>
+##      Make the specified type by a system MTA.
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a mail client.
+##      </summary>
+## </param>
+#
+interface(`mta_system_content',`
+        gen_require(`
+                attribute mailcontent_type;
+        ')
+
+        typeattribute $1 mailcontent_type;
-')
-
@@ -323 +361 @@
-        gen_require(`
-                attribute mta_user_agent;
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-        allow mta_user_agent $1:fd use;

branches/rbacsep/policy/modules/services/mta.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -7 +7 @@
-#
-
+attribute mailcontent_type;
+attribute mta_exec_type;
-attribute mta_user_agent;
-attribute mailserver_delivery;
@@ -21 +23 @@
-
-type mqueue_spool_t;
-type
+mountpoint
-
-type mail_spool_t;
-type
+mountpoint
-
-type sendmail_exec_t;
-application_executable_fi
+mta_agent_executab
-
-mta_base_mail_template(system)
@@ -49 +51 @@
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+
+allow system_mail_t mta_exec_type:file entrypoint;
+
+allow system_mail_t mailcontent_type:file read_file_perms;
-
-kernel_read_system_state(system_mail_t)

branches/rbacsep/policy/modules/services/networkmanager.fc

@@ +1 @@
+/sbin/wpa_cli                   --      gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant            --      gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
-/usr/s?bin/NetworkManager       --      gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/s?bin/wpa_supplicant       --      gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/log/wpa_supplicant.*       --      gen_context(system_u:object_r:NetworkManager_log_t,s0)
-
-/var/run/NetworkManager\.pid    --      gen_context(system_u:object_r:NetworkManager_var_run_t,s0)

branches/rbacsep/policy/modules/services/networkmanager.if

@@ -98 +98 @@
-        allow NetworkManager_t $1:dbus send_msg;
-')
+
+########################################
+## <summary>
+##      Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+        gen_require(`
+                type NetworkManager_t;
+        ')
+
+        allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+##      Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`networkmanager_read_pid_files',`
+        gen_require(`
+                type NetworkManager_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 NetworkManager_var_run_t:file read_file_perms;
+')

branches/rbacsep/policy/modules/services/networkmanager.te

@@ -1 +1 @@
-
-0
+3
-
-########################################
@@ -11 +11 @@
-init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
-
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
-type NetworkManager_var_run_t;
-files_pid_file(NetworkManager_var_run_t)
+
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
-########################################
@@ -32 +45 @@
-allow NetworkManager_t self:packet_socket create_socket_perms;
-
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
-can_exec(NetworkManager_t, NetworkManager_exec_t)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_search_tmp(NetworkManager_t)
-
-manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -176 +197 @@
-        vpn_signal(NetworkManager_t)
-')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+libs_use_ld_so(wpa_cli_t)
+libs_use_shared_libs(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)

branches/rbacsep/policy/modules/services/ntp.fc

@@ -1 @@
-
-/etc/ntp(d)?\.conf.*            --      gen_context(system_u:object_r:net_conf_t,s0)
-
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-
+/etc/ntpd?\.conf.*              --      gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)?                   gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)?                     gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys                   --      gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.*         --      gen_context(system_u:object_r:net_conf_t,s0)
-
+
+
-
-/usr/sbin/ntpd                  --      gen_context(system_u:object_r:ntpd_exec_t,s0)

branches/rbacsep/policy/modules/services/ntp.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -13 +13 @@
-type ntpd_exec_t;
-init_daemon_domain(ntpd_t, ntpd_exec_t)
+
+type ntpd_initrc_exec_t;
+init_script_file(ntpd_initrc_exec_t)
+
+type ntpd_key_t;
+files_type(ntpd_key_t)
-
-type ntpd_log_