Red Hat Bugzilla – Attachment 593040 details for Bug 833557: No SELinux policies for xl2tpd
Description: selinux-policy-l2tpd-support.patch (fixed)
Filename: selinux-policy-l2tpd-support.patch
MIME Type: text/plain
Creator: Paul Wouters
Created: 2012-06-19 18:52:50 UTC
Size: 13.30 KB
Attachment flags: patch, obsolete
>diff -up serefpolicy-3.7.19/man/man8/l2tpd_selinux.8.l2tpd-support serefpolicy-3.7.19/man/man8/l2tpd_selinux.8 >--- serefpolicy-3.7.19/man/man8/l2tpd_selinux.8.l2tpd-support 2012-06-12 22:19:23.150197776 +0300 >+++ serefpolicy-3.7.19/man/man8/l2tpd_selinux.8 2012-06-12 22:19:23.150197776 +0300 
>@@ -0,0 +1,105 @@ >+.TH "l2tpd_selinux" "8" "l2tpd" "dwalsh@redhat.com" "l2tpd SELinux Policy documentation" >+.SH "NAME" >+l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes >+.SH "DESCRIPTION" >+ >+ >+SELinux Linux secures >+.B l2tpd >+(policy for l2tpd) >+processes via flexible mandatory access >+control. >+ >+ >+ >+.SH FILE CONTEXTS >+SELinux requires files to have an extended attribute to define the file type. >+.PP >+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP >+.PP >+Policy governs the access confined processes have to these files. >+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. >+.PP >+The following file types are defined for l2tpd: >+ >+ >+.EX >+.PP >+.B l2tpd_exec_t >+.EE >+ >+- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain. >+ >+.br >+.TP 5 >+Paths: >+/usr/sbin/xl2tpd, /usr/sbin/openl2tpd >+ >+.EX >+.PP >+.B l2tpd_initrc_exec_t >+.EE >+ >+- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain. >+ >+.br >+.TP 5 >+Paths: >+/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/openl2tpd >+ >+.EX >+.PP >+.B l2tpd_var_run_t >+.EE >+ >+- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run directory. >+ >+.br >+.TP 5 >+Paths: >+/var/run/xl2tpd(/.*)?, /var/run/xl2tpd\.pid >+ >+.PP >+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the >+.B semanage fcontext >+command. This will modify the SELinux labeling database. You will need to use >+.B restorecon >+to apply the labels. 
>+ >+.SH PROCESS TYPES >+SELinux defines process types (domains) for each process running on the system >+.PP >+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP >+.PP >+Policy governs the access confined processes have to files. >+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. >+.PP >+The following process types are defined for l2tpd: >+ >+.EX >+.B l2tpd_t >+.EE >+.PP >+Note: >+.B semanage permissive -a PROCESS_TYPE >+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. >+ >+.SH "COMMANDS" >+.B semanage fcontext >+can also be used to manipulate default file context mappings. >+.PP >+.B semanage permissive >+can also be used to manipulate whether or not a process type is permissive. >+.PP >+.B semanage module >+can also be used to enable/disable/install/remove policy modules. >+ >+.PP >+.B system-config-selinux >+is a GUI tool available to customize SELinux policy settings. >+ >+.SH AUTHOR >+This manual page was autogenerated by genman.py. >+ >+.SH "SEE ALSO" >+selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1) >diff -up serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in.l2tpd-support serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in >--- serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in.l2tpd-support 2012-06-12 22:19:23.137198243 +0300 >+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2012-06-12 22:19:23.151198133 +0300 
>@@ -163,6 +163,7 @@ network_port(lmtp, tcp,24,s0, udp,24,s0) > network_port(lirc, tcp,8765,s0) > network_port(luci, tcp,8084,s0) > type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon >+network_port(l2tp, tcp,1701,s0, udp,1701,s0) > network_port(mail, tcp,2000,s0, tcp,3905,s0) > network_port(matahari, tcp,49000,s0, udp,49000,s0) > network_port(memcache, tcp,11211,s0, udp,11211,s0) >diff -up serefpolicy-3.7.19/policy/modules/services/l2tpd.fc.l2tpd-support serefpolicy-3.7.19/policy/modules/services/l2tpd.fc >--- serefpolicy-3.7.19/policy/modules/services/l2tpd.fc.l2tpd-support 2012-06-12 22:19:23.151198133 +0300 >+++ serefpolicy-3.7.19/policy/modules/services/l2tpd.fc 2012-06-12 22:19:23.151198133 +0300 
>@@ -0,0 +1,18 @@ >+/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0) >+ >+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) >+/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) >+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) >+ >+/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0) >+ >+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) >+/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) >+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) >+ >+/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) >+/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) >+/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) >+/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) >+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) >+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) >diff -up serefpolicy-3.7.19/policy/modules/services/l2tpd.if.l2tpd-support serefpolicy-3.7.19/policy/modules/services/l2tpd.if >--- serefpolicy-3.7.19/policy/modules/services/l2tpd.if.l2tpd-support 2012-06-12 22:19:23.151198133 +0300 >+++ serefpolicy-3.7.19/policy/modules/services/l2tpd.if 2012-06-12 22:19:23.151198133 +0300 
>@@ -0,0 +1,178 @@ >+## <summary>Layer 2 Tunneling Protocol daemons.</summary> >+ >+######################################## >+## <summary> >+## Transition to l2tpd. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed to transition. >+## </summary> >+## </param> >+# >+interface(`l2tpd_domtrans',` >+ gen_require(` >+ type l2tpd_t, l2tpd_exec_t; >+ ') >+ >+ corecmd_search_bin($1) >+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) >+') >+ >+######################################## >+## <summary> >+## Execute l2tpd server in the l2tpd domain. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`l2tpd_initrc_domtrans',` >+ gen_require(` >+ type l2tpd_initrc_exec_t; >+ ') >+ >+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) >+') >+ >+######################################## >+## <summary> >+## Send to l2tpd via a unix dgram socket. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`l2tpd_dgram_send',` >+ gen_require(` >+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; >+ ') >+ >+ files_search_tmp($1) >+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) >+') >+ >+######################################## >+## <summary> >+## Read and write l2tpd sockets. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`l2tpd_rw_socket',` >+ gen_require(` >+ type l2tpd_t; >+ ') >+ >+ allow $1 l2tpd_t:socket rw_socket_perms; >+') >+ >+######################################## >+## <summary> >+## Read l2tpd PID files. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. 
>+## </summary> >+## </param> >+# >+interface(`l2tpd_read_pid_files',` >+ gen_require(` >+ type l2tpd_var_run_t; >+ ') >+ >+ files_search_pids($1) >+ allow $1 l2tpd_var_run_t:file read_file_perms; >+') >+ >+##################################### >+## <summary> >+## Connect to l2tpd over a unix domain >+## stream socket. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`l2tpd_stream_connect',` >+ gen_require(` >+ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t; >+ ') >+ >+ files_search_pids($1) >+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t) >+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t) >+') >+ >+######################################## >+## <summary> >+## Read and write l2tpd unnamed pipes. >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+# >+interface(`l2tpd_rw_pipes',` >+ gen_require(` >+ type l2tpd_t; >+ ') >+ >+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms; >+') >+ >+######################################## >+## <summary> >+## All of the rules required to administrate >+## an l2tpd environment >+## </summary> >+## <param name="domain"> >+## <summary> >+## Domain allowed access. >+## </summary> >+## </param> >+## <param name="role"> >+## <summary> >+## Role allowed access. >+## </summary> >+## </param> >+## <rolecap/> >+# >+interface(`l2tpd_admin',` >+ gen_require(` >+ type l2tpd_t, l2tpd_initrc_exec_t. 
l2tpd_var_run_t; >+ type l2tp_etc_t, l2tpd_tmp_t; >+ ') >+ >+ allow $1 l2tpd_t:process signal_perms; >+ ps_process_pattern($1, l2tpd_t) >+ >+ tunable_policy(`deny_ptrace',`',` >+ allow $1 l2tpd_t:process ptrace; >+ ') >+ >+ l2tpd_initrc_domtrans($1) >+ domain_system_change_exemption($1) >+ role_transition $2 l2tpd_initrc_exec_t system_r; >+ allow $2 system_r; >+ >+ files_search_etc($1) >+ admin_pattern($1, l2tp_etc_t) >+ >+ files_search_pids($1) >+ admin_pattern($1, l2tpd_var_run_t) >+ >+ files_search_tmp($1) >+ admin_pattern($1, l2tpd_tmp_t) >+') >diff -up serefpolicy-3.7.19/policy/modules/services/l2tpd.te.l2tpd-support serefpolicy-3.7.19/policy/modules/services/l2tpd.te >--- serefpolicy-3.7.19/policy/modules/services/l2tpd.te.l2tpd-support 2012-06-12 22:19:23.152197806 +0300 >+++ serefpolicy-3.7.19/policy/modules/services/l2tpd.te 2012-06-12 22:19:23.152197806 +0300 
>@@ -0,0 +1,98 @@ >+policy_module(l2tpd, 1.0.0) >+ >+######################################## >+# >+# Declarations >+# >+ >+type l2tpd_t; >+type l2tpd_exec_t; >+init_daemon_domain(l2tpd_t, l2tpd_exec_t) >+ >+type l2tpd_initrc_exec_t; >+init_script_file(l2tpd_initrc_exec_t) >+ >+type l2tp_etc_t; >+files_config_file(l2tp_etc_t) >+ >+type l2tpd_tmp_t; >+files_tmp_file(l2tpd_tmp_t) >+ >+type l2tpd_var_run_t; >+files_pid_file(l2tpd_var_run_t) >+ >+######################################## >+# >+# Local policy >+# >+ >+allow l2tpd_t self:capability { net_admin net_bind_service }; >+allow l2tpd_t self:process signal; >+allow l2tpd_t self:fifo_file rw_fifo_file_perms; >+allow l2tpd_t self:netlink_socket create_socket_perms; >+allow l2tpd_t self:rawip_socket create_socket_perms; >+allow l2tpd_t self:socket create_socket_perms; >+allow l2tpd_t self:tcp_socket create_stream_socket_perms; >+allow l2tpd_t self:unix_dgram_socket sendto; >+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms; >+ >+read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t) >+ >+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) >+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) >+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) >+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) >+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) >+ >+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) >+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) >+ >+corenet_all_recvfrom_unlabeled(l2tpd_t) >+corenet_all_recvfrom_netlabel(l2tpd_t) >+corenet_raw_sendrecv_generic_if(l2tpd_t) >+corenet_tcp_sendrecv_generic_if(l2tpd_t) >+corenet_udp_sendrecv_generic_if(l2tpd_t) >+corenet_raw_bind_generic_node(l2tpd_t) >+corenet_tcp_bind_generic_node(l2tpd_t) >+corenet_udp_bind_generic_node(l2tpd_t) >+corenet_raw_sendrecv_generic_node(l2tpd_t) >+corenet_tcp_sendrecv_generic_node(l2tpd_t) 
>+corenet_udp_sendrecv_generic_node(l2tpd_t) >+ >+corenet_tcp_bind_all_rpc_ports(l2tpd_t) >+corenet_udp_bind_all_rpc_ports(l2tpd_t) >+corenet_udp_bind_generic_port(l2tpd_t) >+ >+corenet_udp_bind_l2tp_port(l2tpd_t) >+corenet_udp_sendrecv_l2tp_port(l2tpd_t) >+corenet_sendrecv_l2tp_server_packets(l2tpd_t) >+ >+kernel_read_network_state(l2tpd_t) >+# net-pf-24 (pppox) >+kernel_request_load_module(l2tpd_t) >+ >+term_use_ptmx(l2tpd_t) >+term_use_generic_ptys(l2tpd_t) >+ >+# prol2tpc >+corecmd_exec_bin(l2tpd_t) >+ >+dev_read_urand(l2tpd_t) >+ >+domain_use_interactive_fds(l2tpd_t) >+ >+files_read_etc_files(l2tpd_t) >+ >+term_use_ptmx(l2tpd_t) >+ >+logging_send_syslog_msg(l2tpd_t) >+ >+miscfiles_read_localization(l2tpd_t) >+ >+sysnet_dns_name_resolve(l2tpd_t) >+ >+optional_policy(` >+ ppp_domtrans(l2tpd_t) >+ ppp_signal(l2tpd_t) >+ ppp_kill(l2tpd_t) >+') >diff -up serefpolicy-3.7.19/policy/modules/services/ppp.te.l2tpd-support serefpolicy-3.7.19/policy/modules/services/ppp.te >--- serefpolicy-3.7.19/policy/modules/services/ppp.te.l2tpd-support 2012-06-12 22:19:22.367452653 +0300 >+++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2012-06-12 22:19:54.854511119 +0300 >@@ -106,7 +106,7 @@ manage_files_pattern(pppd_t, pppd_tmp_t, > files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) > > manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) >-files_pid_filetrans(pppd_t, pppd_var_run_t, file) >+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) > > allow pppd_t pptp_t:process signal; > >@@ -183,6 +183,7 @@ sysnet_etc_filetrans_config(pppd_t) > userdom_use_user_terminals(pppd_t) > userdom_dontaudit_use_unpriv_user_fds(pppd_t) > userdom_search_user_home_dirs(pppd_t) >+userdom_search_admin_dir(pppd_t) > > ppp_exec(pppd_t) 
> >@@ -191,6 +192,12 @@ optional_policy(` > ') > > optional_policy(` >+ l2tpd_dgram_send(pppd_t) >+ l2tpd_rw_socket(pppd_t) >+ l2tpd_stream_connect(pppd_t) >+') >+ >+optional_policy(` > tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',` > modutils_domtrans_insmod_uncond(pppd_t) > ')
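Review bot: in the l2tpd_selinux.8 hunk the troff escapes `\fBls\bP` (FILE CONTEXTS section) and `\fBps\bP` (PROCESS TYPES section) should be `\fBls\fP` and `\fBps\fP`; `\b` is not a font escape and the option text will render wrongly. The page also documents only l2tpd_exec_t, l2tpd_initrc_exec_t and l2tpd_var_run_t, while the l2tpd.fc and l2tpd.te hunks in the same patch also define l2tp_etc_t and l2tpd_tmp_t and label prol2tpd paths (/usr/sbin/prol2tpd, /etc/rc.d/init.d/prol2tpd, /etc/prol2tp). Regenerate the page with genman.py once the policy is final so the type and path lists match, and fix the doubled "SELinux Linux secures" wording in DESCRIPTION.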
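Review bot: the l2tpd.fc hunk labels only the prol2tpd configuration (/etc/prol2tp(/.*)? and /etc/sysconfig/prol2tpd) as l2tp_etc_t, so for the xl2tpd case this bug is about the daemon's own configuration keeps the generic etc_t label; l2tpd_t can still read it through files_read_etc_files, but it then falls outside the `admin_pattern($1, l2tp_etc_t)` granted by l2tpd_admin. If xl2tpd keeps its configuration under /etc/xl2tpd, add a matching `/etc/xl2tpd(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)` entry so the two daemons are handled consistently.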
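Review bot: in the l2tpd.if hunk, l2tpd_dgram_send grants sendto on sockets labeled l2tpd_var_run_t but only calls `files_search_tmp($1)`; add `files_search_pids($1)` so the caller can actually reach the socket under /var/run. l2tpd_stream_connect has the mirror-image gap: it connects through l2tpd_tmp_t sockets but only calls `files_search_pids($1)`, so add `files_search_tmp($1)` there. In l2tpd_admin the require block as shown reads `type l2tpd_t, l2tpd_initrc_exec_t.` followed by `l2tpd_var_run_t;`; if that period is in the patch rather than an artifact of the attachment display, the block will not parse and the period must be a comma.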
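Review bot: in the l2tpd.te hunk `term_use_ptmx(l2tpd_t)` appears twice (once beside term_use_generic_ptys and again after files_read_etc_files); drop one. The domain binds and sends on UDP 1701 via corenet_udp_bind_l2tp_port and corenet_udp_sendrecv_l2tp_port, yet no `allow l2tpd_t self:udp_socket create_socket_perms;` sits alongside the tcp_socket and rawip_socket rules; if the permission is being satisfied indirectly (sysnet_dns_name_resolve grants it), state it explicitly so the policy does not depend on that side effect. Finally, corenet_tcp_bind_all_rpc_ports, corenet_udp_bind_all_rpc_ports and corenet_udp_bind_generic_port are broad for a daemon whose port is now declared, and net_bind_service in the self:capability rule is only needed for ports below 1024, which 1701 is not; each of these should be backed by an AVC denial or removed.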
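Review bot: the ppp.te hunk adding `userdom_search_admin_dir(pppd_t)` carries no comment explaining what pppd needs from the admin home directory, and nothing else in the patch references it; if it fixes a denial unrelated to l2tpd support it belongs in its own change, otherwise add a comment naming the access that prompted it so the rule can be reviewed on its own merits later.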