From 052c953ae59f98e2fe4cc0d7ddc6bcb4aa04da13 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 11 2005 14:49:58 +0000 Subject: add quota --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index d3265f1..5306a99 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -8,6 +8,7 @@ * Added policies: acct mysql + quota su sudo tmpreaper diff --git a/refpolicy/policy/modules/admin/quota.fc b/refpolicy/policy/modules/admin/quota.fc new file mode 100644 index 0000000..3e367f0 --- /dev/null +++ b/refpolicy/policy/modules/admin/quota.fc @@ -0,0 +1,14 @@ + +/sbin/quota(check|on) -- context_template(system_u:object_r:quota_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0) +',` +/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0) +') + +HOME_ROOT/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0) + +/var/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0) + +/var/lib/quota(/.*)? context_template(system_u:object_r:quota_flag_t,s0) diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if new file mode 100644 index 0000000..ed0e637 --- /dev/null +++ b/refpolicy/policy/modules/admin/quota.if @@ -0,0 +1,81 @@ +## File system quota management + +######################################## +## +## Execute quota management tools in the quota domain. +## +## +## The type of the process performing this action. +## +# +interface(`quota_domtrans',` + gen_require(` + type quota_t, quota_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + domain_auto_trans($1,quota_exec_t,quota_t) + + allow $1 quota_t:fd use; + allow quota_t $1:fd use; + allow quota_t $1:fifo_file rw_file_perms; + allow quota_t $1:process sigchld; +') + +######################################## +## +## Execute quota management tools in the quota domain, and +## allow the specified role the quota domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the quota domain. +## +## +## The type of the terminal allow the quota domain to use. +## +# +interface(`quota_run',` + gen_require(` + type quota_t; + class chr_file rw_term_perms; + ') + + quota_domtrans($1) + role $2 types quota_t; + allow quota_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Do not audit attempts to get the attributes +## of filesystem quota data files. +## +## +## Domain to not audit. +## +# +interface(`quota_dontaudit_getattr_db',` + gen_require(` + type quota_db_t; + class file getattr; + ') + + dontaudit $1 quota_db_t:file getattr; +') + +interface(`quota_manage_flags',` + gen_require(` + type quota_flag_t; + class dir rw_dir_perms; + class file create_file_perms; + ') + + files_search_var_lib($1) + allow $1 quota_flag_t:dir rw_dir_perms; + allow $1 quota_flag_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te new file mode 100644 index 0000000..4005a80 --- /dev/null +++ b/refpolicy/policy/modules/admin/quota.te @@ -0,0 +1,89 @@ + +policy_module(quota,1.0) + +######################################## +# +# Declarations +# + +type quota_t; +type quota_exec_t; +init_system_domain(quota_t,quota_exec_t) + +type quota_db_t; +files_type(quota_db_t) + +type quota_flag_t; +files_type(quota_flag_t) + +allow quota_t self:capability { sys_admin dac_override }; +dontaudit quota_t self:capability sys_tty_config; +allow quota_t self:process signal_perms; + +# for /quota.* +allow quota_t quota_db_t:file { read write quotaon }; + +kernel_list_proc(quota_t) +kernel_read_proc_symlinks(quota_t) +kernel_read_kernel_sysctl(quota_t) + +dev_read_sysfs(quota_t) +dev_getattr_all_blk_files(quota_t) +dev_getattr_all_chr_files(quota_t) + +fs_get_xattr_fs_quota(quota_t) +fs_set_xattr_fs_quota(quota_t) +fs_getattr_xattr_fs(quota_t) +fs_remount_xattr_fs(quota_t) +fs_search_auto_mountpoints(quota_t) + +storage_raw_read_fixed_disk(quota_t) + +term_dontaudit_use_console(quota_t) + +domain_use_wide_inherit_fd(quota_t) + +files_list_all_dirs(quota_t) +files_read_all_files(quota_t) +files_read_all_symlinks(quota_t) +files_getattr_all_pipes(quota_t) +files_getattr_all_sockets(quota_t) +# Read /etc/mtab. +files_read_etc_runtime_files(quota_t) + +init_use_fd(quota_t) +init_use_script_pty(quota_t) + +libs_use_ld_so(quota_t) +libs_use_shared_libs(quota_t) + +logging_send_syslog_msg(quota_t) + +userdom_dontaudit_use_unpriv_user_fd(quota_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(quota_t) + term_dontaudit_use_generic_pty(quota_t) + files_dontaudit_read_root_file(quota_t) +') + +optional_policy(`rhgb.te',` + rhgb_domain(quota_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(quota_t) +') + +optional_policy(`udev.te', ` + udev_read_db(quota_t) +') + +ifdef(`TODO',` +# quotacheck creates new quota_db_t files +file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) + +allow quota_t file_t:file quotaon; + +allow quota_t proc_t:file getattr; +') dnl end TODO diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 09e1c6b..a9bb42f 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -216,6 +216,42 @@ interface(`fs_relabelfrom_xattr_fs',` ######################################## ## +## Get the filesystem quotas of a filesystem +## with extended attributes. +## +## +## The type of the domain mounting the filesystem. +## +# +interface(`fs_get_xattr_fs_quota',` + gen_require(` + type fs_t; + class filesystem quotaget; + ') + + allow $1 fs_t:filesystem quotaget; +') + +######################################## +## +## Set the filesystem quotas of a filesystem +## with extended attributes. +## +## +## The type of the domain mounting the filesystem. +## +# +interface(`fs_set_xattr_fs_quota',` + gen_require(` + type fs_t; + class filesystem quotamod; + ') + + allow $1 fs_t:filesystem quotamod; +') + +######################################## +## ## Mount an automount pseudo filesystem. ## ## diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index d62a4ad..ecfc8dd 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',` ') ######################################## +## +## List the contents of all directories. +## +## +## Domain allowed access. +## # -# files_getattr_all_files(domain) +interface(`files_list_all_dirs',` + gen_require(` + attribute file_type; + class dir r_dir_perms; + ') + + allow $1 file_type:dir r_dir_perms; +') + +######################################## +## +## Get the attributes of all files. +## +## +## Domain allowed access. +## # interface(`files_getattr_all_files',` gen_require(` @@ -174,6 +195,29 @@ interface(`files_dontaudit_getattr_all_files',` ######################################## ## +## Read all files. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_files',` + gen_require(` + attribute file_type; + class dir search; + class file r_file_perms; + ') + + allow $1 file_type:dir search; + allow $1 file_type:file r_file_perms; + + optional_policy(`authlogin.te',` + auth_read_shadow($1) + ') +') + +######################################## +## ## Get the attributes of all symbolic links. ## ## @@ -211,6 +255,25 @@ interface(`files_dontaudit_getattr_all_symlinks',` ######################################## ## +## Read all symbolic links. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_symlinks',` + gen_require(` + attribute file_type; + class dir search; + class lnk_file { getattr read }; + ') + + allow $1 file_type:dir search; + allow $1 file_type:lnk_file { getattr read }; +') + +######################################## +## ## Get the attributes of all named pipes. ## ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 41e33ca..129b41c 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -410,6 +410,10 @@ optional_policy(`raid.te',` raid_manage_mdadm_pid(initrc_t) ') +optional_policy(`quota.te',` + quota_manage_flags(initrc_t) +') + optional_policy(`rhgb.te',` corecmd_shell_entry_type(initrc_t) ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 3ba5898..cc1a1b4 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -265,6 +265,10 @@ template(`base_user_template',` pcmcia_read_pid($1_t) ') + optional_policy(`quota.te',` + quota_dontaudit_getattr_db($1_t) + ') + optional_policy(`rpm.te',` files_getattr_var_lib_dir($1_t) files_search_var_lib($1_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 55d7321..b32e891 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -175,6 +175,10 @@ ifdef(`targeted_policy',` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`quota.te',` + quota_run(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`rpm.te',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ')