--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/snmp.fc 2008-08-14 13:53:54.000000000 -0400
@@ -17,3 +17,6 @@
 /var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+
+/etc/rc.d/init.d/snmpd -- gen_context(system_u:object_r:snmp_script_exec_t,s0)
+/etc/rc.d/init.d/snmptrapd -- gen_context(system_u:object_r:snmp_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/snmp.if 2008-08-14 13:53:54.000000000 -0400
@@ -87,6 +87,25 @@
 ########################################
 ##
+## Execute snmp server in the snmp domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`snmp_script_domtrans',`
+	gen_require(`
+		type snmpd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1, snmpd_script_exec_t)
+')
+
+########################################
+##
 ## All of the rules required to administrate
 ## an snmp environment
 ##
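Review bot: The new snmp_script_domtrans interface requires and passes `snmpd_script_exec_t`, but the type this patch declares in snmp.te is `snmp_script_exec_t`, and that is also the type the snmp.fc hunk assigns to the two init scripts; with no declaration of `snmpd_script_exec_t` anywhere in the module the gen_require cannot be satisfied and the interface (and snmp_admin, which requires and role_transitions on the same misspelled name in the next hunk) will not build. Rename both uses to `type snmp_script_exec_t;` and `init_script_domtrans_spec($1, snmp_script_exec_t)`, and fix the matching lines in snmp_admin. The summary also describes the wrong action — the interface does not run the server in the snmp domain, it lets the caller execute the snmp init script with an init-script domain transition — so reword it to something like `## Execute the snmp init script in the init script domain.` so the documentation matches what init_script_domtrans_spec does.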
@@ -95,23 +114,40 @@
 ## Domain allowed access.
 ##
 ##
+##
+##
+## The role to be allowed to manage the snmp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
 ##
 #
 interface(`snmp_admin',`
 	gen_require(`
 		type snmpd_t, snmpd_log_t;
 		type snmpd_var_lib_t, snmpd_var_run_t;
+		type snmpd_script_exec_t;
 	')
 
 	allow $1 snmpd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, snmpd_t)
 
+	# Allow snmpd_t to restart the apache service
+	snmp_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 snmpd_script_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
+	admin_pattern($1, snmpd_log_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+	admin_pattern($1, snmpd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
+	admin_pattern($1, snmpd_var_run_t)
 ')
--- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/snmp.te 2008-08-14 13:53:54.000000000 -0400
@@ -18,12 +18,16 @@
 type snmpd_var_lib_t;
 files_type(snmpd_var_lib_t)
 
+type snmp_script_exec_t;
+init_script_type(snmp_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
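Review bot: The comment added to snmp_admin, `# Allow snmpd_t to restart the apache service`, is a copy-paste leftover and describes neither the subject nor the service: the rules below it grant the admin domain `$1` a transition through the snmp init script and let role `$2` reach system_r, and snmpd_t is not involved. Replace it with `# Allow the admin domain ($1) and role ($2) to restart the snmp service via its init script`. Because `allow $2 system_r;` and `domain_system_change_exemption($1)` are the privilege-widening part of this interface, that comment is the only place a reviewer will see why the snmp admin role is being granted system_r; keeping it accurate matters more than usual here.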
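Review bot: After the change to the capability allow, `sys_tty_config` is both allowed on the changed line and dontaudited on the line immediately below it; a dontaudit of a permission that is already allowed is dead, so the dontaudit set should shrink to `dontaudit snmpd_t self:capability sys_module;`. The newly added `sys_ptrace` capability is not accompanied by any `process ptrace` allow (the later hunk in this file only dontaudits ptrace of all domains), so it is presumably there to satisfy the kernel's ptrace_may_access check when snmpd reads other domains' /proc state via domain_read_all_domains_state; a one-line comment above the allow stating that, e.g. `# sys_ptrace: needed to read /proc/<pid> state of other domains, not to ptrace them`, would keep a future maintainer from "completing" it with a real ptrace allow.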
@@ -45,6 +49,7 @@
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
@@ -76,13 +81,14 @@
 domain_use_interactive_fds(snmpd_t)
 domain_signull_all_domains(snmpd_t)
 domain_read_all_domains_state(snmpd_t)
+domain_dontaudit_ptrace_all_domains(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
 files_read_etc_files(snmpd_t)
 files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
 fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)
@@ -94,6 +100,8 @@
 init_read_utmp(snmpd_t)
 init_dontaudit_write_utmp(snmpd_t)
+auth_use_nsswitch(snmpd_t)
+
 libs_use_ld_so(snmpd_t)
 libs_use_shared_libs(snmpd_t)
@@ -121,7 +129,7 @@
 ')
 optional_policy(`
-	auth_use_nsswitch(snmpd_t)
+	consoletype_exec(snmpd_t)
 ')
 optional_policy(`
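Review bot: `domain_exec_all_entry_files(snmpd_t)` in the second hunk lets the snmp daemon execute the entry-point binary of every domain on the system, which is a much larger grant than anything else in this module and is not explained; a monitoring daemon that is reachable from the network is exactly the process whose executable set should stay narrow. If this is for the helper programs snmpd runs from its configuration, the hunk should say so in a comment and, where the set is known, use the specific exec interfaces instead — the last hunk already adds `consoletype_exec(snmpd_t)`, which becomes redundant once all entry files are executable. The same hunk also swaps two getattr-only rules for `auth_read_all_dirs_except_shadow(snmpd_t)`, widening snmpd from stat-ing /boot and home directories to listing every directory except shadow; a comment naming the denial that motivated it, e.g. `# snmpd walks the filesystem for disk/file monitoring; reads dirs only, never shadow`, would let the next reviewer judge whether the narrower form still suffices.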