| 1 |
commit: adc98ed46f3758c57f03ed69da0a8c08eb674060 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Sun Oct 28 16:31:47 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Sun Oct 28 17:58:56 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=adc98ed4 |
| 7 |
|
| 8 |
Changes to the snmp policy module |
| 9 |
|
| 10 |
Ported from Fedora with changes |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/snmp.fc | 18 ++++-------- |
| 16 |
policy/modules/contrib/snmp.if | 35 ++++++++++++---------- |
| 17 |
policy/modules/contrib/snmp.te | 61 +++++++++++++++++++++++---------------- |
| 18 |
3 files changed, 61 insertions(+), 53 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc |
| 21 |
index cbe31d2..c73fa24 100644 |
| 22 |
--- a/policy/modules/contrib/snmp.fc |
| 23 |
+++ b/policy/modules/contrib/snmp.fc |
| 24 |
@@ -1,24 +1,18 @@ |
| 25 |
-/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) |
| 26 |
-/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) |
| 27 |
+/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) |
| 28 |
|
| 29 |
-# |
| 30 |
-# /usr |
| 31 |
-# |
| 32 |
-/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) |
| 33 |
+/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) |
| 34 |
+/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) |
| 35 |
|
| 36 |
/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 37 |
|
| 38 |
-# |
| 39 |
-# /var |
| 40 |
-# |
| 41 |
/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 42 |
+/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 43 |
|
| 44 |
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 45 |
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 46 |
|
| 47 |
-/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) |
| 48 |
- |
| 49 |
-/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) |
| 50 |
+/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) |
| 51 |
|
| 52 |
+/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) |
| 53 |
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) |
| 54 |
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) |
| 55 |
|
| 56 |
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if |
| 57 |
index d057046..7a9cc9d 100644 |
| 58 |
--- a/policy/modules/contrib/snmp.if |
| 59 |
+++ b/policy/modules/contrib/snmp.if |
| 60 |
@@ -1,8 +1,9 @@ |
| 61 |
-## <summary>Simple network management protocol services</summary> |
| 62 |
+## <summary>Simple network management protocol services.</summary> |
| 63 |
|
| 64 |
######################################## |
| 65 |
## <summary> |
| 66 |
-## Connect to snmpd using a unix domain stream socket. |
| 67 |
+## Connect to snmpd with a unix |
| 68 |
+## domain stream socket. |
| 69 |
## </summary> |
| 70 |
## <param name="domain"> |
| 71 |
## <summary> |
| 72 |
@@ -11,12 +12,12 @@ |
| 73 |
## </param> |
| 74 |
# |
| 75 |
interface(`snmp_stream_connect',` |
| 76 |
- gen_require(` |
| 77 |
+ gen_require(` |
| 78 |
type snmpd_t, snmpd_var_lib_t; |
| 79 |
- ') |
| 80 |
+ ') |
| 81 |
|
| 82 |
- files_search_var_lib($1) |
| 83 |
- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) |
| 84 |
+ files_search_var_lib($1) |
| 85 |
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) |
| 86 |
') |
| 87 |
|
| 88 |
######################################## |
| 89 |
@@ -97,7 +98,7 @@ interface(`snmp_manage_var_lib_files',` |
| 90 |
|
| 91 |
######################################## |
| 92 |
## <summary> |
| 93 |
-## Read snmpd libraries. |
| 94 |
+## Read snmpd lib content. |
| 95 |
## </summary> |
| 96 |
## <param name="domain"> |
| 97 |
## <summary> |
| 98 |
@@ -117,7 +118,8 @@ interface(`snmp_read_snmp_var_lib_files',` |
| 99 |
|
| 100 |
######################################## |
| 101 |
## <summary> |
| 102 |
-## dontaudit Read snmpd libraries. |
| 103 |
+## Do not audit attempts to read |
| 104 |
+## snmpd lib content. |
| 105 |
## </summary> |
| 106 |
## <param name="domain"> |
| 107 |
## <summary> |
| 108 |
@@ -129,14 +131,16 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` |
| 109 |
gen_require(` |
| 110 |
type snmpd_var_lib_t; |
| 111 |
') |
| 112 |
+ |
| 113 |
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; |
| 114 |
dontaudit $1 snmpd_var_lib_t:file read_file_perms; |
| 115 |
- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; |
| 116 |
+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; |
| 117 |
') |
| 118 |
|
| 119 |
######################################## |
| 120 |
## <summary> |
| 121 |
-## dontaudit write snmpd libraries files. |
| 122 |
+## Do not audit attempts to write |
| 123 |
+## snmpd lib files. |
| 124 |
## </summary> |
| 125 |
## <param name="domain"> |
| 126 |
## <summary> |
| 127 |
@@ -154,8 +158,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` |
| 128 |
|
| 129 |
######################################## |
| 130 |
## <summary> |
| 131 |
-## All of the rules required to administrate |
| 132 |
-## an snmp environment |
| 133 |
+## All of the rules required to |
| 134 |
+## administrate an snmp environment. |
| 135 |
## </summary> |
| 136 |
## <param name="domain"> |
| 137 |
## <summary> |
| 138 |
@@ -164,19 +168,18 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` |
| 139 |
## </param> |
| 140 |
## <param name="role"> |
| 141 |
## <summary> |
| 142 |
-## The role to be allowed to manage the snmp domain. |
| 143 |
+## Role allowed access. |
| 144 |
## </summary> |
| 145 |
## </param> |
| 146 |
## <rolecap/> |
| 147 |
# |
| 148 |
interface(`snmp_admin',` |
| 149 |
gen_require(` |
| 150 |
- type snmpd_t, snmpd_log_t; |
| 151 |
+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; |
| 152 |
type snmpd_var_lib_t, snmpd_var_run_t; |
| 153 |
- type snmpd_initrc_exec_t; |
| 154 |
') |
| 155 |
|
| 156 |
- allow $1 snmpd_t:process { ptrace signal_perms getattr }; |
| 157 |
+ allow $1 snmpd_t:process { ptrace signal_perms }; |
| 158 |
ps_process_pattern($1, snmpd_t) |
| 159 |
|
| 160 |
init_labeled_script_domtrans($1, snmpd_initrc_exec_t) |
| 161 |
|
| 162 |
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te |
| 163 |
index 709139b..02f3b3b 100644 |
| 164 |
--- a/policy/modules/contrib/snmp.te |
| 165 |
+++ b/policy/modules/contrib/snmp.te |
| 166 |
@@ -1,9 +1,10 @@ |
| 167 |
-policy_module(snmp, 1.13.2) |
| 168 |
+policy_module(snmp, 1.13.3) |
| 169 |
|
| 170 |
######################################## |
| 171 |
# |
| 172 |
# Declarations |
| 173 |
# |
| 174 |
+ |
| 175 |
type snmpd_t; |
| 176 |
type snmpd_exec_t; |
| 177 |
init_daemon_domain(snmpd_t, snmpd_exec_t) |
| 178 |
@@ -24,16 +25,16 @@ files_type(snmpd_var_lib_t) |
| 179 |
# |
| 180 |
# Local policy |
| 181 |
# |
| 182 |
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; |
| 183 |
+ |
| 184 |
+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; |
| 185 |
dontaudit snmpd_t self:capability { sys_module sys_tty_config }; |
| 186 |
allow snmpd_t self:process { signal_perms getsched setsched }; |
| 187 |
allow snmpd_t self:fifo_file rw_fifo_file_perms; |
| 188 |
-allow snmpd_t self:unix_dgram_socket create_socket_perms; |
| 189 |
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms; |
| 190 |
-allow snmpd_t self:tcp_socket create_stream_socket_perms; |
| 191 |
+allow snmpd_t self:unix_stream_socket { accept connectto listen }; |
| 192 |
+allow snmpd_t self:tcp_socket { accept listen }; |
| 193 |
allow snmpd_t self:udp_socket connected_stream_socket_perms; |
| 194 |
|
| 195 |
-allow snmpd_t snmpd_log_t:file manage_file_perms; |
| 196 |
+allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; |
| 197 |
logging_log_filetrans(snmpd_t, snmpd_log_t, file) |
| 198 |
|
| 199 |
manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) |
| 200 |
@@ -41,18 +42,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) |
| 201 |
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) |
| 202 |
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) |
| 203 |
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) |
| 204 |
-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) |
| 205 |
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) |
| 206 |
|
| 207 |
+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) |
| 208 |
manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) |
| 209 |
-files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) |
| 210 |
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) |
| 211 |
|
| 212 |
kernel_read_device_sysctls(snmpd_t) |
| 213 |
kernel_read_kernel_sysctls(snmpd_t) |
| 214 |
kernel_read_fs_sysctls(snmpd_t) |
| 215 |
kernel_read_net_sysctls(snmpd_t) |
| 216 |
-kernel_read_proc_symlinks(snmpd_t) |
| 217 |
-kernel_read_system_state(snmpd_t) |
| 218 |
kernel_read_network_state(snmpd_t) |
| 219 |
+kernel_read_system_state(snmpd_t) |
| 220 |
|
| 221 |
corecmd_exec_bin(snmpd_t) |
| 222 |
corecmd_exec_shell(snmpd_t) |
| 223 |
@@ -63,16 +64,22 @@ corenet_tcp_sendrecv_generic_if(snmpd_t) |
| 224 |
corenet_udp_sendrecv_generic_if(snmpd_t) |
| 225 |
corenet_tcp_sendrecv_generic_node(snmpd_t) |
| 226 |
corenet_udp_sendrecv_generic_node(snmpd_t) |
| 227 |
-corenet_tcp_sendrecv_all_ports(snmpd_t) |
| 228 |
-corenet_udp_sendrecv_all_ports(snmpd_t) |
| 229 |
corenet_tcp_bind_generic_node(snmpd_t) |
| 230 |
corenet_udp_bind_generic_node(snmpd_t) |
| 231 |
+ |
| 232 |
+corenet_sendrecv_snmp_server_packets(snmpd_t) |
| 233 |
corenet_tcp_bind_snmp_port(snmpd_t) |
| 234 |
corenet_udp_bind_snmp_port(snmpd_t) |
| 235 |
-corenet_sendrecv_snmp_server_packets(snmpd_t) |
| 236 |
+corenet_tcp_sendrecv_snmp_port(snmpd_t) |
| 237 |
+corenet_udp_sendrecv_snmp_port(snmpd_t) |
| 238 |
+ |
| 239 |
+corenet_sendrecv_snmp_client_packets(snmpd_t) |
| 240 |
corenet_tcp_connect_agentx_port(snmpd_t) |
| 241 |
+corenet_sendrecv_snmp_server_packets(snmpd_t) |
| 242 |
corenet_tcp_bind_agentx_port(snmpd_t) |
| 243 |
corenet_udp_bind_agentx_port(snmpd_t) |
| 244 |
+corenet_tcp_sendrecv_agentx_port(snmpd_t) |
| 245 |
+corenet_udp_sendrecv_agentx_port(snmpd_t) |
| 246 |
|
| 247 |
dev_list_sysfs(snmpd_t) |
| 248 |
dev_read_sysfs(snmpd_t) |
| 249 |
@@ -83,23 +90,23 @@ dev_getattr_usbfs_dirs(snmpd_t) |
| 250 |
domain_use_interactive_fds(snmpd_t) |
| 251 |
domain_signull_all_domains(snmpd_t) |
| 252 |
domain_read_all_domains_state(snmpd_t) |
| 253 |
-domain_dontaudit_ptrace_all_domains(snmpd_t) |
| 254 |
domain_exec_all_entry_files(snmpd_t) |
| 255 |
|
| 256 |
-files_read_etc_files(snmpd_t) |
| 257 |
files_read_usr_files(snmpd_t) |
| 258 |
files_read_etc_runtime_files(snmpd_t) |
| 259 |
files_search_home(snmpd_t) |
| 260 |
|
| 261 |
fs_getattr_all_dirs(snmpd_t) |
| 262 |
fs_getattr_all_fs(snmpd_t) |
| 263 |
+files_list_all(snmpd_t) |
| 264 |
+files_search_all_mountpoints(snmpd_t) |
| 265 |
fs_search_auto_mountpoints(snmpd_t) |
| 266 |
|
| 267 |
storage_dontaudit_read_fixed_disk(snmpd_t) |
| 268 |
storage_dontaudit_read_removable_device(snmpd_t) |
| 269 |
+storage_dontaudit_write_removable_device(snmpd_t) |
| 270 |
|
| 271 |
auth_use_nsswitch(snmpd_t) |
| 272 |
-files_list_non_auth_dirs(snmpd_t) |
| 273 |
|
| 274 |
init_read_utmp(snmpd_t) |
| 275 |
init_dontaudit_write_utmp(snmpd_t) |
| 276 |
@@ -110,18 +117,9 @@ miscfiles_read_localization(snmpd_t) |
| 277 |
|
| 278 |
seutil_dontaudit_search_config(snmpd_t) |
| 279 |
|
| 280 |
-sysnet_read_config(snmpd_t) |
| 281 |
- |
| 282 |
userdom_dontaudit_use_unpriv_user_fds(snmpd_t) |
| 283 |
userdom_dontaudit_search_user_home_dirs(snmpd_t) |
| 284 |
|
| 285 |
-ifdef(`distro_redhat', ` |
| 286 |
- optional_policy(` |
| 287 |
- rpm_read_db(snmpd_t) |
| 288 |
- rpm_dontaudit_manage_db(snmpd_t) |
| 289 |
- ') |
| 290 |
-') |
| 291 |
- |
| 292 |
optional_policy(` |
| 293 |
amanda_dontaudit_read_dumpdates(snmpd_t) |
| 294 |
') |
| 295 |
@@ -131,6 +129,10 @@ optional_policy(` |
| 296 |
') |
| 297 |
|
| 298 |
optional_policy(` |
| 299 |
+ corosync_stream_connect(snmpd_t) |
| 300 |
+') |
| 301 |
+ |
| 302 |
+optional_policy(` |
| 303 |
cups_read_rw_config(snmpd_t) |
| 304 |
') |
| 305 |
|
| 306 |
@@ -140,10 +142,19 @@ optional_policy(` |
| 307 |
') |
| 308 |
|
| 309 |
optional_policy(` |
| 310 |
+ ricci_stream_connect_modclusterd(snmpd_t) |
| 311 |
+') |
| 312 |
+ |
| 313 |
+optional_policy(` |
| 314 |
rpc_search_nfs_state_data(snmpd_t) |
| 315 |
') |
| 316 |
|
| 317 |
optional_policy(` |
| 318 |
+ rpm_read_db(snmpd_t) |
| 319 |
+ rpm_dontaudit_manage_db(snmpd_t) |
| 320 |
+') |
| 321 |
+ |
| 322 |
+optional_policy(` |
| 323 |
sendmail_read_log(snmpd_t) |
| 324 |
') |
Archives