rpms / selinux-policy

Clone
Source Code
GIT

Blame targeted/macros/content_macros.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   de0d2651a7bf13ec3b8999cb4c74927e92cdb308
  2.   targeted
  3.   macros
  4.   content_macros.te
Blob History Raw
Chris PeBenito ab58ad 
# Content access macros
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# FIXME: After nested booleans are supported, replace NFS/CIFS
Chris PeBenito ab58ad 
# w/ read_network_home, and write_network_home macros from global
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# FIXME: If true/false constant booleans are supported, replace
Chris PeBenito ab58ad 
# ugly $3 ifdefs with if(true), if(false)...
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# FIXME: Do we want write to imply read?
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
############################################################
Chris PeBenito ab58ad 
# read_content(domain, role_prefix, bool_prefix)
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# Allow the given domain to read content.
Chris PeBenito ab58ad 
# Content may be trusted or untrusted,
Chris PeBenito ab58ad 
# Reading anything is subject to a controlling boolean based on bool_prefix.
Chris PeBenito ab58ad 
# Reading untrusted content is additionally subject to read_untrusted_content
Chris PeBenito ab58ad 
# Reading default_t is additionally subject to read_default_t
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
define(`read_content', `
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Declare controlling boolean
Chris PeBenito ab58ad 
ifelse($3, `', `', `
Chris PeBenito ab58ad 
ifdef(`$3_read_content_defined', `', `
Chris PeBenito ab58ad 
define(`$3_read_content_defined')
Chris PeBenito ab58ad 
bool $3_read_content false;
Chris PeBenito ab58ad 
') dnl ifdef
Chris PeBenito ab58ad 
') dnl ifelse
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle nfs home dirs
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (use_nfs_home_dirs) { ',
Chris PeBenito ab58ad 
`if ($3_read_content && use_nfs_home_dirs) {')
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
r_dir_file($1, nfs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:file r_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:dir r_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle samba home dirs
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (use_samba_home_dirs) { ',
Chris PeBenito ab58ad 
`if ($3_read_content && use_samba_home_dirs) {')
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
r_dir_file($1, cifs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:file r_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:dir r_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle removable media, /tmp, and /home
Chris PeBenito ab58ad 
ifelse($3, `', `',
Chris PeBenito ab58ad 
`if ($3_read_content) {')
Chris PeBenito ab58ad 
allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
r_dir_file($1, { $2_tmp_t $2_home_t } )
Chris PeBenito ab58ad 
ifdef(`mls_policy', `', `
Chris PeBenito ab58ad 
r_dir_file($1, removable_t)
Chris PeBenito ab58ad 
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
ifelse($3, `', `',
Chris PeBenito ab58ad 
`} else {
Chris PeBenito ab58ad 
dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
Chris PeBenito ab58ad 
dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
Chris PeBenito ab58ad 
}')
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle default_t content
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (read_default_t) { ',
Chris PeBenito ab58ad 
`if ($3_read_content && read_default_t) {')
Chris PeBenito ab58ad 
r_dir_file($1, default_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 default_t:file r_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 default_t:dir r_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle untrusted content
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (read_untrusted_content) { ',
Chris PeBenito ab58ad 
`if ($3_read_content && read_untrusted_content) {')
Chris PeBenito ab58ad 
allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
Chris PeBenito ab58ad 
dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad 
') dnl read_content
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
#################################################
Chris PeBenito ab58ad 
# write_trusted(domain, role_prefix, bool_prefix)
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# Allow the given domain to write trusted content.
Chris PeBenito ab58ad 
# This is subject to a controlling boolean based
Chris PeBenito ab58ad 
# on bool_prefix.
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
define(`write_trusted', `
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Declare controlling boolean
Chris PeBenito ab58ad 
ifelse($3, `', `', `
Chris PeBenito ab58ad 
ifdef(`$3_write_content_defined', `', `
Chris PeBenito ab58ad 
define(`$3_write_content_defined')
Chris PeBenito ab58ad 
bool $3_write_content false;
Chris PeBenito ab58ad 
') dnl ifdef
Chris PeBenito ab58ad 
') dnl ifelse
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle nfs homedirs
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (use_nfs_home_dirs) { ',
Chris PeBenito ab58ad 
`if ($3_write_content && use_nfs_home_dirs) {')
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
create_dir_file($1, nfs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:dir create_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle samba homedirs
Chris PeBenito ab58ad 
ifelse($3, `',
Chris PeBenito ab58ad 
`if (use_samba_home_dirs) { ',
Chris PeBenito ab58ad 
`if ($3_write_content && use_samba_home_dirs) {')
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
create_dir_file($1, cifs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:dir create_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle /tmp and /home
Chris PeBenito ab58ad 
ifelse($3, `', `',
Chris PeBenito ab58ad 
`if ($3_write_content) {')
Chris PeBenito ab58ad 
allow $1 home_root_t:dir { read getattr search };
Chris PeBenito ab58ad 
file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
Chris PeBenito ab58ad 
file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
Chris PeBenito ab58ad 
ifelse($3, `', `',
Chris PeBenito ab58ad 
`} else {
Chris PeBenito ab58ad 
dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
Chris PeBenito ab58ad 
}')
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
') dnl write_trusted
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
#########################################
Chris PeBenito ab58ad 
# write_untrusted(domain, role_prefix)
Chris PeBenito ab58ad 
#
Chris PeBenito ab58ad 
# Allow the given domain to write untrusted content.
Chris PeBenito ab58ad 
# This is subject to the global boolean write_untrusted.
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
define(`write_untrusted', `
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle nfs homedirs
Chris PeBenito ab58ad 
if (write_untrusted_content && use_nfs_home_dirs) {
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
create_dir_file($1, nfs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 nfs_t:dir create_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle samba homedirs
Chris PeBenito ab58ad 
if (write_untrusted_content && use_samba_home_dirs) {
Chris PeBenito ab58ad 
allow $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
create_dir_file($1, cifs_t)
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 cifs_t:dir create_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
# Handle /tmp and /home
Chris PeBenito ab58ad 
if (write_untrusted_content) {
Chris PeBenito ab58ad 
allow $1 home_root_t:dir { read getattr search };
Chris PeBenito ab58ad 
file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
Chris PeBenito ab58ad 
file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
Chris PeBenito ab58ad 
} else {
Chris PeBenito ab58ad 
dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
Chris PeBenito ab58ad 
dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
Chris PeBenito ab58ad 
dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
Chris PeBenito ab58ad 
}
Chris PeBenito ab58ad
Chris PeBenito ab58ad 
') dnl write_untrusted

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation