From ab9b49a1d782ac96a73b4b1553992528a599d8d6 Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Tue, 26 Sep 2023 01:44:52 +1000
Subject: small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker
* Fixed typo in interface name
Signed-off-by: Russell Coker
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker
---------
Signed-off-by: Russell Coker
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/netutils.te | 1 +
 policy/modules/services/firewalld.te | 3 +++
 policy/modules/services/ftp.fc | 6 +++++-
 policy/modules/services/ftp.te | 9 +++++++++
 policy/modules/services/inetd.te | 2 +-
 policy/modules/services/networkmanager.te | 11 ++++++++++-
 policy/modules/services/openvpn.te | 1 +
 policy/modules/services/ppp.fc | 1 +
 policy/modules/services/ppp.te | 2 ++
 policy/modules/services/rpc.te | 6 +++++-
 policy/modules/system/libraries.if | 18 ++++++++++++++++++
 policy/modules/system/sysnetwork.if | 18 ++++++++++++++++++
 12 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5fef6a31a..3c43a1d84 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
 userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
 optional_policy(`
 munin_append_log(ping_t)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
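Review bot: `+term_use_unallocated_ttys(ping_t)` is added with no comment, and the line above it, `userdom_use_inherited_user_terminals(ping_t)`, already covers the ordinary case of a terminal inherited from the caller, so a reader cannot tell which situation leaves ping's terminal unlabelled and needs the wider grant. A one-line comment above the rule, `# <situation in which ping reaches an unallocated tty — fill in>`, would let the grant be re-evaluated later instead of being carried forward by inertia. The enclosing policy block continues outside the hunk.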
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
 libs_watch_lib_dirs(firewalld_t)
+miscfiles_read_generic_certs(firewalld_t)
 miscfiles_read_localization(firewalld_t)
 seutil_exec_setfiles(firewalld_t)
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_etc_t,s0)
 /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
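Review bot: Both additions in the firewalld.te -38 hunk, `+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` and `+allow firewalld_t firewalld_etc_rw_t:dir watch;`, repeat rules that are already present as context lines a few lines earlier in the same hunk. Duplicate avrules still compile, but they leave two places to maintain and hide whether the intent was to move the rule next to related ones; if the base already carries them, drop the two added lines, and if a move was intended, remove the old lines instead. This looks like a leftover from rebasing over a commit that added the same rules, but I can only infer that from the hunk.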
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0)
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
@@ -31,6 +34,7 @@
 /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index a3ff66feb..3a638a72c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -175,6 +175,7 @@ allow ftpd_t self:tcp_socket { accept listen };
 allow ftpd_t self:shm create_shm_perms;
 allow ftpd_t self:key manage_key_perms;
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -191,6 +192,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
 manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
 manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
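Review bot: In the ftp.fc -22 hunk the removed `/run/proftpd.*` line and the re-added one are identical in the text shown here, so the change is presumably whitespace-only realignment mixed into a hunk whose purpose is adding the pure-ftpd contexts. That makes the functional change harder to review and to bisect; either leave the old line untouched or mention the realignment in the commit message so the diff is not read as a label change.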
@@ -400,6 +402,13 @@ optional_policy(`
 seutil_sigchld_newrole(ftpd_t)
 ')
+optional_policy(`
+ systemd_connect_machined(ftpd_t)
+ systemd_dbus_chat_logind(ftpd_t)
+ systemd_read_logind_state(ftpd_t)
+ systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index a74722c23..33af29d9b 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -33,7 +33,7 @@ files_tmp_file(inetd_child_tmp_t)
 # Local policy
 #
-allow inetd_t self:capability { setgid setuid sys_resource };
+allow inetd_t self:capability { kill setgid setuid sys_resource };
 dontaudit inetd_t self:capability sys_tty_config;
 allow inetd_t self:process { setsched setexec setrlimit };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 1f521643b..4494d0012 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -47,7 +47,7 @@ ifdef(`distro_gentoo',`
 # Local policy
 #
-allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+allow NetworkManager_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
 dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
 allow NetworkManager_t self:capability2 wake_alarm;
 allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
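Review bot: `+allow inetd_t self:capability { kill setgid setuid sys_resource };` widens inetd_t with CAP_KILL, which removes the uid check when signalling other processes, but nothing in the hunk or the commit message says which signalling path was denied. If the target is a known domain, a `process` signal rule against that domain (a narrower `allow inetd_t <child_domain_placeholder>:process signal;`) is easier to justify than the capability; otherwise a one-line comment above the rule naming the use case would do. The networkmanager.te -47 hunk (`dac_read_search`) and the rpc.te -313 hunk (`setpcap`, `lease`, plus `allow nfsd_t self:process setcap;`) have the same gap, so the same short rationale comment, `# <denied operation that needs this — fill in>`, is worth adding there too.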
@@ -153,7 +153,9 @@ files_read_usr_src_files(NetworkManager_t)
 files_watch_etc_dirs(NetworkManager_t)
 fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
+fs_search_tmpfs(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
 mls_file_read_all_levels(NetworkManager_t)
@@ -169,6 +171,8 @@ init_get_system_status(NetworkManager_t)
 auth_use_nsswitch(NetworkManager_t)
+libs_watch_shared_libs_dirs(NetworkManager_t)
+
 logging_send_audit_msgs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
@@ -192,6 +196,7 @@ sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dirs(NetworkManager_t)
 # certificates in user home directories (cert_home_t in ~/\.pki)
 userdom_read_user_certs(NetworkManager_t)
@@ -223,6 +228,10 @@ optional_policy(`
 consoletype_exec(NetworkManager_t)
 ')
+optional_policy(`
+ chronyd_domtrans_cli(NetworkManager_t)
+')
+
 optional_policy(`
 cron_read_system_job_lib_files(NetworkManager_t)
 ')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index e97730fbd..c92925ca1 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -129,6 +129,7 @@ files_read_etc_runtime_files(openvpn_t)
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
 auth_use_pam(openvpn_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 98b57f108..c4dd850f9 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
 /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
 /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp/ip-pre-up -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 /usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
 /usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 47111375d..70d52ca44 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_perms;
 allow pppd_t self:netlink_route_socket nlmsg_write;
 allow pppd_t self:tcp_socket { accept listen };
 allow pppd_t self:packet_socket create_socket_perms;
+allow pppd_t self:pppox_socket { connect create ioctl };
 allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
 manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
 manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+allow pppd_t pppd_runtime_t:file map;
 files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
 can_exec(pppd_t, pppd_exec_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 63693603f..bfcb8fa8a 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -121,6 +121,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domain)
 fs_rw_rpc_named_pipes(rpc_domain)
 fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dirs(rpc_domain)
 files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
@@ -312,7 +313,8 @@ optional_policy(`
 # NFSD local policy
 #
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };
+allow nfsd_t self:process setcap;
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -342,6 +344,8 @@ fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
 fs_list_nfsd_fs(nfsd_t)
+fs_list_rpc(nfsd_t)
+
 fs_watch_nfsd_dirs(nfsd_t)
 fs_watch_nfsd_files(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index faf172ce3..00128ef6d 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -530,6 +530,24 @@ interface(`libs_legacy_use_shared_libs',`
 allow $1 lib_t:file execmod;
 ')
+########################################
+##
+## watch lib dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`libs_watch_shared_libs_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir watch;
+')
+
 ########################################
 ##
 ## Relabel to and from the type used for
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 70e873fe6..f41024669 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -567,6 +567,24 @@ interface(`sysnet_manage_config',`
 ')
 ')
+#######################################
+##
+## Watch a network config dir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysnet_watch_config_dirs',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:dir watch;
+')
+
 #######################################
 ##
 ## Read dhcp client runtime files.
-- 
cgit v1.2.3-65-gdbad
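Review bot: The rewritten set `+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };` breaks the alphabetical ordering that the line it replaces and every other capability set in this patch keep (`lease` belongs before `setpcap`). Write it as `allow nfsd_t self:capability { dac_override dac_read_search lease setpcap sys_admin sys_resource };` so later additions have an unambiguous slot and diffs stay minimal.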
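Review bot: The new `libs_watch_shared_libs_dirs` interface grants only `allow $1 lib_t:dir watch;`, while the firewalld.te hunk of this same patch calls an existing `libs_watch_lib_dirs(firewalld_t)`; if that interface already grants the same rule, the new one is a duplicate and the networkmanager.te -169 hunk should call `libs_watch_lib_dirs` instead, with this interface dropped. I cannot see the body of libs_watch_lib_dirs from here, so this needs confirming against libraries.if before merge. Separately, the summaries of the two new interfaces do not match their plural names: `watch lib dirs` could read `Watch the directories containing shared libraries.` and, in the sysnetwork.if hunk, `Watch a network config dir` could read `Watch the network configuration directories.`.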