# macro for chroot environments
# Author Russell Coker
# chroot(initial_domain, basename, role, tty_device_type)
define(`chroot', `
# Arguments actually consumed: $1 = prefix of the initial domain (the
# domain that runs /usr/sbin/chroot is $1_t) and $2 = basename for every
# type and domain created for this chroot. No $3 or $4 is referenced
# below: the role, tty device, mount domain and fd source are all derived
# from $1.
# chroot_role, chroot_tty_device, chroot_mount_domain and chroot_fd_use
# are global m4 names; they are defined per branch here and undefined at
# the end of this macro so they cannot leak into policy expanded later.

# When the initial domain is initrc: system role, console or admin tty,
# the generic mount_t mount domain, and fds inherited from privfd or init_t.
ifelse(`$1', `initrc', `

define(`chroot_role', `system_r')

define(`chroot_tty_device', `{ console_device_t admin_tty_type }')

define(`chroot_mount_domain', `mount_t')

define(`chroot_fd_use', `{ privfd init_t }')

', `
# Any other initial domain gets its own role, pty/tty types and privfd.

define(`chroot_role', `$1_r')

define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')

define(`chroot_fd_use', `privfd')


# allow mounting /proc and /dev
# A private $1_mount_t domain is created only once per initial domain;
# $1_mount_def is presumably set by mount_domain() -- it is not defined
# anywhere in this macro, so confirm against that definition.

ifdef(`$1_mount_def', `', `

mount_domain($1, $1_mount)

role chroot_role types $1_mount_t;

')

define(`chroot_mount_domain', `$1_mount_t')

# Only when the ssh policy is built: TCP between $1_ssh_t and $2_t
# (can_tcp_connect argument order assumed client, server -- confirm).
ifdef(`ssh.te', `

can_tcp_connect($1_ssh_t, $2_t)

')dnl end ssh

')dnl end ifelse initrc


# types for read-only and read-write files in the chroot
# All three carry home_type and user_home_type, so policy granted on those
# attributes elsewhere also reaches the chroot tree.

type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;

type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;

# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t

# when you execute it

type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;


# the mount domain may mount on top of chroot directories and files
# (e.g. for /proc and /dev inside the chroot)

allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };

allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };


# entry point for $2_super_t
# (executing a file of this type from $1_chroot_t lands in $2_super_t,
# see the domain_auto_trans rules near the end)

type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;

# $2_t is the base domain, has full access to $2_rw_t files

type $2_t, domain;

# $2_super_t is the super-chroot domain, can also write to $2_ro_t

# but still can not access outside the chroot

type $2_super_t, domain;

# the super domain may read and write the tty of the invoking role

allow $2_super_t chroot_tty_device:chr_file rw_file_perms;


# Everything inside this guard is per initial domain rather than per
# chroot, so it is emitted only on the first chroot() expansion for $1.

ifdef(`$1_chroot_def', `', `

dnl can not have this defined twice

define(`$1_chroot_def')


# the mount domain may mount and unmount proc_t, device_t and fs_t
# filesystems

allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };


# $1_chroot_t is the domain for /usr/sbin/chroot

type $1_chroot_t, domain;


# allow $1_chroot_t to write to the tty device

allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;

# fd inheritance: the chroot binary may use fds from the privileged
# source of this branch, and all three chroot-side domains may keep
# using fds inherited from $1_t. The objects behind those fds remain
# governed by the type rules below; these two lines are where to look
# when tightening what the chroot can still reach from the outer session.

allow $1_chroot_t chroot_fd_use:fd use;

allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;


role chroot_role types $1_chroot_t;

uses_shlib($1_chroot_t)

# sys_chroot is what chroot(2) itself requires; this macro gives the
# chroot binary domain no other capability

allow $1_chroot_t self:capability sys_chroot;

# $1_t may read the process entries of $1_chroot_t (presumably for ps)

allow $1_t $1_chroot_t:dir { search getattr read };

allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };

# running chroot_exec_t from $1_t enters $1_chroot_t

domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)

allow $1_chroot_t fs_t:filesystem getattr;

')dnl End conditional


role chroot_role types { $2_t $2_super_t };


# allow ps to show processes and allow killing them
# Trust direction: $1_t (the invoking domain), $2_super_t and sysadm_t may
# signal and ptrace the chroot domains; nothing in this macro grants the
# chroot domains signals or ptrace towards $1_t. sysadm_t is granted
# unconditionally, whatever $1 is.

allow $1_t { $2_super_t $2_t }:dir { search getattr read };

allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };

allow $1_t { $2_super_t $2_t }:process signal_perms;

allow $2_super_t $2_t:dir { search getattr read };

allow $2_super_t $2_t:{ file lnk_file } { read getattr };

allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };

allow $1_t $2_super_t:process { signal_perms ptrace };

allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };


allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;

allow { $2_super_t $2_t } device_t:dir { search getattr };

allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;

allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;

# Both chroot domains keep the usual root-inside-a-chroot capabilities
# (ownership and setid-bit changes, setuid/setgid, privileged ports, tty
# config); the confinement is the type separation, not a reduced
# capability set. dac_override and kill are added further down.

allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };

# pairs with the ptrace rule above so $2_super_t can actually trace $2_t

allow $2_super_t self:capability sys_ptrace;


# $2_super_t may open TCP connections to $2_t (argument order assumed
# client, server -- confirm against can_tcp_connect)

can_tcp_connect($2_super_t, $2_t)

allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;


# quiet ps and killall
# (the lookups on other domains are still denied, just not logged)

dontaudit { $2_super_t $2_t } domain:dir { search getattr };


# allow $2_t to write to the owner tty device (should remove this)
# NOTE(review): this lets ordinary chroot content write to the terminal of
# the outer session; the author already marks it for removal.

allow $2_t chroot_tty_device:chr_file { read write };


# the chroot binary reads the whole tree so it can locate and exec the
# entry points; it gets no write access

r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })

# $2_t may run anything in the tree; $2_super_t only read-only files and
# its own entry points (its use of $2_rw_t and $2_dropdown_t goes
# through the domain transition below)

can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })

can_exec($2_super_t, { $2_ro_t $2_super_entry_t })

# write access of the super domain covers every chroot type, including
# $2_ro_t and the $2_super_entry_t entry points

create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })

# $2_super_t drops to $2_t when it executes a file that $2_t could have
# written ($2_rw_t) or a file deliberately labelled $2_dropdown_t; this
# keeps content writable by the ordinary chroot domain from running with
# super-chroot access

domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)

allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;

# the base domain: read-only on everything except $2_rw_t

r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })

create_dir_notdevfile($2_t, $2_rw_t)

allow $2_t $2_rw_t:fifo_file create_file_perms;

allow $2_t $2_ro_t:fifo_file rw_file_perms;

allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;

# $1_t administers the tree from outside: full create/write on all four
# types, plus execution of $2_ro_t and $2_dropdown_t content.
# NOTE(review): can_exec, unlike domain_auto_trans, appears to keep the
# caller in its own domain (confirm against its definition), so such
# content runs as $1_t; since $2_super_t may write those two types, the
# writers of the tree control what $1_t executes from it -- keep that in
# mind when deciding who may enter $2_super_t.

create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })

can_exec($1_t, { $2_ro_t $2_dropdown_t })

# entry into the chroot: the chroot binary becomes $2_t on ordinary
# files and $2_super_t only when it executes a $2_super_entry_t file

domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)

domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)

# $1_t and $2_super_t may relabel freely among the four chroot types

allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };

# the usual helper grants (proc read, general domain access, ptys,
# networking, /dev/null) for both chroot domains; can_create_pty
# apparently takes the domain prefix rather than the type name

general_proc_read_access({ $2_t $2_super_t })

general_domain_access({ $2_t $2_super_t })

can_create_pty($2)

can_create_pty($2_super)

can_network({ $2_t $2_super_t })

allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;

# the super domain may also mount on top of chroot directories and files

allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;

# dac_override bypasses file mode checks on the types granted above;
# kill lifts the uid check on signals, subject to the process rules above

allow { $2_t $2_super_t } self:capability { dac_override kill };


# drop the per-expansion helper names so a later chroot() or unrelated
# policy text does not pick up stale values

undefine(`chroot_role')

undefine(`chroot_tty_device')

undefine(`chroot_mount_domain')

undefine(`chroot_fd_use')

')