Hi Klaus,
I see that this version of the ks rpm still has a lot of stuff in the
lspp policy module (attached for those not using the rpm). Some of
the policy changes reference bugzillas, but not all of them do.
Has Dan pulled these changes into the mls policy?
-- ljk
## Customized SELinux policy for LSPP evaluated configuration
## Loadable module 'lspp_policy' (version 1.0) holding the LSPP-specific
## rules that are kept separate from the mls policy: extra auditing, a
## vsftpd bug workaround, and the sshd / xinetd rules below.  Several of
## the rules are raw allow statements rather than interface calls, so each
## section should be checked against the base policy it was written for.
policy_module(lspp_policy,1.0)
#############################################################################
### Additional audit
#############################################################################
gen_require(`
attribute domain;
')
# Emit an audit record whenever any domain changes one of its own
# security-relevant process attributes: the current context, the context
# used for the next exec, and the context used for files it creates.
# auditallow only adds auditing; it grants nothing the base policy does
# not already allow.  These rules are OPTIONAL.
auditallow domain self:process { setcurrent setexec setfscreate };
# NOTE(review): the kernel's process class spells the socket-creation
# permission 'setsockcreate'; the name on the next line does not exist and
# would fail to compile, which is presumably why it is commented out.
# 'setipccreate' is not a process permission I can find in the access
# vectors -- confirm both against the loaded policy before enabling.
#auditallow domain self:process setsocketcreate; # FIXME
#auditallow domain self:process setipccreate; # FIXME
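# bug workaround: vsftpd can't write to tallylog which breaks non-anon login.
#
# Fix proposed to RH 2006-12-18:
#
# https://enterprise.redhat.com/issue-tracker/?module=issues&action=view&tid=107824
# https://bugzilla.linux.ibm.com/show_bug.cgi?id=29661
gen_require(`
type ftpd_t;
')
# Use the auth module's interface rather than a raw allow on the faillog
# type, so the log file type stays owned by the auth module.  Until the
# upstream fix lands this grants ftpd_t read/write on the faillog/tallylog
# file; it should be removed once the fix referenced above is in the base
# policy.
auth_rw_faillog(ftpd_t)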
# for following, see:
#
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220487
### sshd ##################################################
gen_require(`
type sshd_t, staff_ssh_t, user_ssh_t;
type unlabeled_t, port_t;
')
# Let the ssh daemon and the staff/user ssh clients receive TCP data that
# carries no SELinux network label.  In an MLS configuration this is a
# deliberate exception to labeled networking and is why the bugzilla above
# is referenced.
kernel_tcp_recvfrom_unlabeled(sshd_t)
kernel_tcp_recvfrom_unlabeled(staff_ssh_t)
kernel_tcp_recvfrom_unlabeled(user_ssh_t)
# NOTE(review): port_t is the generic type for ports that have no specific
# label, so this lets the ssh clients connect to any such TCP port, not
# just the ssh port.  Confirm that scope is what the evaluated
# configuration intends; the corresponding corenet interface would make
# the intent explicit.
allow { staff_ssh_t user_ssh_t } port_t:tcp_socket name_connect;
### xinetd ################################################
gen_require(`
type inetd_t, bin_t, proc_t;
type sshd_exec_t, sshd_t;
')
# xinetd needs MLS override privileges to work
# These four interfaces make inetd_t a trusted MLS subject: it may use and
# share file descriptors across levels, read from sockets up to its
# clearance, and set the level of processes it starts.  Each one is a
# confinement exception; unlike the other sections no bugzilla is cited
# for them, so the requirement behind each should be recorded here.
mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_process_set_level(inetd_t)
# miscellaneous xinetd fixes
allow inetd_t self:fd use;
# Raw read of proc_t files next to kernel_read_system_state, which is the
# interface meant to cover /proc reads -- presumably the interface alone
# did not cover what xinetd opens; verify, since the raw rule looks
# redundant with it.
allow inetd_t proc_t:file read;
kernel_read_system_state(inetd_t)
# xinetd validates and computes the security context of the services it
# spawns, hence the selinuxfs access.
selinux_validate_context(inetd_t)
selinux_compute_create_context(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
# NOTE(review): noatsecure, rlimitinh and siginh are checked between the
# old and the new domain on a domain transition; granted on self they only
# apply to an exec that stays in inetd_t.  If they were meant for the
# inetd_t -> sshd_t transition, the target would be sshd_t, and granting
# noatsecure there would let environment such as LD_PRELOAD survive into
# sshd -- confirm which was intended before keeping this rule.
allow inetd_t self:process { noatsecure rlimitinh setexec siginh transition };
### xinetd running sshd ###################################
# allow xinetd to transition to sshd_t via sshd_exec_t
# NOTE(review): 'entrypoint' is checked against the domain being *entered*
# at exec time.  Granting it to inetd_t on bin_t therefore means any bin_t
# binary can serve as an entry point into the inetd_t domain, which
# weakens the domain's confinement; the transition to sshd_t only needs
# execute/read/getattr from inetd_t (the entrypoint on sshd_exec_t is
# sshd_t's, from the sshd module).  Unless a transition *into* inetd_t via
# a bin_t file is actually required, 'entrypoint' should be dropped from
# both rules.
allow inetd_t bin_t:file { entrypoint execute getattr read };
allow inetd_t sshd_exec_t:file { entrypoint execute getattr read };
# type_transition makes the switch to sshd_t automatic when inetd_t execs
# a sshd_exec_t file; domain_trans (presumably the refpolicy pattern)
# supplies the execute and process:transition permissions behind it, so
# together they behave like domain_auto_trans.
type_transition inetd_t sshd_exec_t : process sshd_t;
domain_trans(inetd_t, sshd_exec_t, sshd_t)
# various interactions
# The spawned sshd uses descriptors inherited from xinetd (presumably the
# accepted connection socket on its stdio), can get/set options on and
# read/write that inetd_t-owned TCP socket, and signals xinetd on exit.
allow sshd_t inetd_t:fd use;
allow sshd_t inetd_t:process sigchld;
allow sshd_t inetd_t:tcp_socket { getattr getopt ioctl read setopt write };