#DESC Checkpolicy - SELinux policy compiler
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: checkpolicy
#
|
###########################
#
# checkpolicy_t is the domain type for checkpolicy
# checkpolicy_exec_t is the file type for the executable
|
type checkpolicy_t, domain;
# checkpolicy_t may be entered under the sysadm_r role.
role sysadm_r types checkpolicy_t;
# checkpolicy_t is also a valid type for the system_r role.
role system_r types checkpolicy_t;
|
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
|
##########################
#
# Rules
|
# Entry into the domain: sysadm_t executing a checkpolicy_exec_t file gets an
# automatic transition to checkpolicy_t (argument order: source domain,
# entrypoint type, target domain; the macro is defined outside this file).
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
|
###########################
# constrain what checkpolicy can use as source files
#
|
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
|
# allow test policies to be created in src directories
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
|
# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
allow checkpolicy_t etc_t:dir search;
|
# Read the devpts root directory.
allow checkpolicy_t devpts_t:dir r_dir_perms;
# sshd_devpts_t only exists when sshd.te is part of the build, so the rule
# that follows is wrapped in an m4 ifdef (presumably to keep the policy
# compiling when sshd is left out).
ifdef(`sshd.te',
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
# Other access
# Terminal access: read/write/ioctl/getattr on initrc ptys, admin ttys and
# devtty_t so checkpolicy can use the terminal it was started from.
# No setattr or other tty perms are granted here.
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
# checkpolicy is dynamically linked; uses_shlib grants the shared-library
# access the domain needs (macro defined outside this file).
uses_shlib(checkpolicy_t)
# CAP_DAC_OVERRIDE lets checkpolicy_t bypass file-mode (DAC) checks on any
# object its SELinux rules already permit. That is broad for a policy
# compiler; presumably it is there so a sysadm can handle root-owned policy
# files. NOTE(review): confirm it is still required and drop it if the
# source and binary policy files are reachable without it.
allow checkpolicy_t self:capability dac_override;
|
# Only getattr and write on sysadm temp files: no create, read, unlink or
# directory access is granted, so this covers writing into a temp file the
# caller provides (presumably redirected output) and nothing more.
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
|
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without the privilege to write the real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
# Use file descriptors handed over by the userdomain and privfd sets
# (e.g. the stdin/stdout/stderr the invoking domain passes on).
allow checkpolicy_t { userdomain privfd }:fd use;
|
# statfs-style getattr on fs_t filesystems; no mount or other filesystem
# perms are granted.
allow checkpolicy_t fs_t:filesystem getattr;
# Read/write the system console device (no ioctl or getattr here).
allow checkpolicy_t console_device_t:chr_file { read write };
# Use file descriptors inherited from init_t (presumably when checkpolicy
# is run during boot).
allow checkpolicy_t init_t:fd use;
# Search the SELinux configuration directory only; reading the files inside
# it is not granted by this rule.
allow checkpolicy_t selinux_config_t:dir search;