From 07d6e32f4476acdaa5c0cdc9b428bb190258e8d0 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 02 2005 21:02:14 +0000 Subject: reorg run_init a little, and add a convert to a few new interfaces --- diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index a2c072d..54dc5a3 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -78,6 +78,7 @@ storage_raw_write_removable_device(bootloader_t) devices_get_all_character_device_attributes(bootloader_t) devices_set_all_block_device_attributes(bootloader_t) +devices_ignore_modify_generic_devices(bootloader_t) # for reading BIOS data (cjp: ?) devices_raw_read_memory(bootloader_t) @@ -113,8 +114,6 @@ modutils_insmod_execute(insmod_t) miscfiles_read_localization(bootloader_t) -devices_ignore_modify_generic_devices(bootloader_t) - ######################################## # # mkinitrd policy diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 127feaa..a1db745 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -76,6 +76,37 @@ class dir { getattr read search }; ######################################## # +# devices_manage_device_nodes(type,[`optional']) +# +define(`devices_manage_device_nodes',` +requires_block_template(devices_manage_device_nodes_depend,$2) +allow udev_t device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; +allow udev_t device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow udev_t device_t:lnk_file { create read getattr setattr link unlink rename }; +allow udev_t device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; +allow udev_t device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; +# these next rules are to satisfy assertions broken by the above lines. +# the permissions hopefully can be cut back a lot +storage_raw_read_fixed_disk($1) +storage_raw_write_fixed_disk($1) +storage_read_scsi_generic($1) +storage_write_scsi_generic($1) +typeattribute $1 memory_raw_read; +typeattribute $1 memory_raw_write; +') + +define(`devices_manage_device_nodes_depend',` +attribute device_node, memory_raw_read, memory_raw_write; +type device_t; +class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; +class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +class lnk_file { create read getattr setattr link unlink rename }; +class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; +class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; +') + +######################################## +# # devices_ignore_modify_generic_devices(type,[`optional']) # define(`devices_ignore_modify_generic_devices',` diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 02ea6cd..9ec4292 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -25,7 +25,8 @@ filesystem_tmpfs_associate(cardmgr_dev_t) # Relabelto is allowed for setfiles to function, in case # a device node has no specific type yet, but is for some # reason labeled with a specific type -neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto }; +#cjp: want this, but udev policy breaks this +#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto }; # # zero_device_t is the type of /dev/zero. diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 31f8a16..baad0d9 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -2,33 +2,6 @@ ######################################## # -# kernel_system_role_change(role,[`optional']) -# -define(`kernel_system_role_change',` -requires_block_template(kernel_system_role_change_depend,$2) -allow $1 system_r; -') - -define(`kernel_system_role_change_depend',` -role system_r; -') - -######################################## -# -# kernel_system_role_transition(role,entrypoint,[`optional']) -# -define(`kernel_system_role_transition',` -requires_block_template(kernel_system_role_transition_depend,$2) -allow $1 system_r; -role_transition $1 $2 system_r; -') - -define(`kernel_system_role_change_depend',` -role system_r; -') - -######################################## -# # kernel_share_state(domain,[`optional']) # define(`kernel_share_state',` @@ -500,6 +473,20 @@ class file getattr; ######################################## # +# kernel_ignore_get_message_interface_attributes(domain) +# +define(`kernel_ignore_get_message_interface_attributes',` +requires_block_template(kernel_ignore_get_message_interface_attributes_depend) +dontaudit $1 proc_kmsg_t:file getattr; +') + +define(`kernel_ignore_get_message_interface_attributes_depend',` +type proc_kmsg_t, proc_t; +class file getattr; +') + +######################################## +# # kernel_read_network_state(domain,[`optional']) # define(`kernel_read_network_state',` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 24613b8..3907b7b 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -48,13 +48,14 @@ allow $1_t $1_chkpwd_t:process transition; #userdomain_use_$1_terminal($1_chkpwd_t) #userdomain_use_$1_pty($1_chkpwd_t) -#allow $1_chkpwd_t privfd:fd use; +domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) # Inherit and use descriptors from gnome-pty-helper. #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') -# Inherit and use descriptors from newrole. -#ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;') +optional_policy(`selinux.te',` +selinux_newrole_use_file_descriptors($1_chkpwd_t) +') ') dnl ifelse system # for nscd diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index d9a41ac..6446862 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -19,9 +19,18 @@ logging_make_log_file(lastlog_t) type login_exec_t; files_make_file(login_exec_t) +type pam_console_t; +domain_make_domain(pam_console_t) + +type pam_console_exec_t; +domain_make_entrypoint_file(pam_console_t,pam_console_exec_t) + type pam_t; domain_make_domain(pam_t) +type pam_exec_t; +domain_make_entrypoint_file(pam_t,pam_exec_t) + type pam_tmp_t; files_make_file(pam_tmp_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 64c4116..9b499e8 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -92,6 +92,12 @@ miscfiles_read_localization(hotplug_t) mount_transition(hotplug_t) +tunable_policy(`targeted_policy', ` +terminal_ignore_use_general_physical_terminal(hotplug_t) +terminal_ignore_use_general_pseudoterminal(hotplug_t) +files_ignore_read_rootfs_file(hotplug_t) +') + optional_policy(`consoletype.te',` consoletype_transition(hotplug_t) ') @@ -109,13 +115,10 @@ udev_transition(hotplug_t) udev_read_database(hotplug_t) ') -tunable_policy(`targeted_policy', ` -terminal_ignore_use_general_physical_terminal(hotplug_t) -terminal_ignore_use_general_pseudoterminal(hotplug_t) -files_ignore_read_rootfs_file(hotplug_t) +optional_policy(`updfstab.te', ` +updfstab_transition(hotplug_t) ') - ifdef(`TODO',` allow hotplug_t null_device_t:chr_file r_file_perms; dontaudit hotplug_t unpriv_userdomain:fd use; @@ -184,10 +187,6 @@ allow hald_t hotplug_etc_t:dir search; allow hald_t hotplug_etc_t:file { getattr read }; ') -optional_policy(`updfstab.te', ` -domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t) -') - optional_policy(`fsadm.te', ` domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 1b32933..9c39f90 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -59,7 +59,7 @@ type run_init_t; domain_make_domain(run_init_t) type run_init_exec_t; -files_make_file(run_init_exec_t) +domain_make_entrypoint_file(run_init_t,run_init_exec_t) ######################################## # @@ -192,6 +192,8 @@ kernel_read_all_sysctl(initrc_t) kernel_modify_all_sysctl(initrc_t) kernel_get_selinux_enforcement_mode(initrc_t) kernel_list_usb_hardware(initrc_t) +# for lsof which is used by alsa shutdown: +kernel_ignore_get_message_interface_attributes(initrc_t) filesystem_register_binary_executable_type(initrc_t) # cjp: not sure why these are here; should use mount policy @@ -367,7 +369,7 @@ dontaudit initrc_t mail_spool_t:lnk_file read; # for lsof which is used by alsa shutdown dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; -dontaudit initrc_t proc_kmsg_t:file getattr; +kernel_ignore_get_message_interface_attributes(initrc_t) ') dnl end TODO ################################# @@ -378,25 +380,6 @@ dontaudit initrc_t proc_kmsg_t:file getattr; tunable_policy(`targeted_policy',` # targeted/unconfined stuff ',` -corecommands_execute_general_programs(run_init_t) -corecommands_execute_shell(run_init_t) - -filesystem_get_persistent_filesystem_attributes(run_init_t) - -files_read_general_system_config(run_init_t) - -libraries_use_dynamic_loader(run_init_t) -libraries_read_shared_libraries(run_init_t) - -selinux_read_config(run_init_t) -selinux_read_default_contexts(run_init_t) - -authlogin_ignore_read_shadow_passwords(run_init_t) - -miscfiles_read_localization(run_init_t) - -logging_send_system_log_message(run_init_t) - allow run_init_t initrc_t:process transition; allow run_init_t initrc_exec_t:file { getattr read execute }; @@ -412,15 +395,32 @@ allow run_init_t self:fifo_file { getattr read write }; # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; +files_ignore_search_all_directories(run_init_t) + +filesystem_get_persistent_filesystem_attributes(run_init_t) devices_ignore_list_device_nodes(run_init_t) + terminal_ignore_list_pseudoterminals(run_init_t) -# often the administrator runs such programs from a directory that is owned -# by a different user or has restrictive SE permissions, do not want to audit -# the failed access to the current directory -files_ignore_search_all_directories(run_init_t) +domain_use_widely_inheritable_file_descriptors(run_init_t) + +corecommands_execute_general_programs(run_init_t) +corecommands_execute_shell(run_init_t) + +files_read_general_system_config(run_init_t) + +libraries_use_dynamic_loader(run_init_t) +libraries_read_shared_libraries(run_init_t) + +selinux_read_config(run_init_t) +selinux_read_default_contexts(run_init_t) +authlogin_ignore_read_shadow_passwords(run_init_t) + +miscfiles_read_localization(run_init_t) + +logging_send_system_log_message(run_init_t) ') dnl end ifdef targeted policy @@ -440,7 +440,6 @@ domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t) # for utmp allow run_init_t admin_tty_type:chr_file rw_file_perms; -allow run_init_t privfd:fd use; allow run_init_t lib_t:file { getattr read }; ') dnl endif targeted policy @@ -448,6 +447,6 @@ allow run_init_t lib_t:file { getattr read }; tunable_policy(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) +domain_make_entrypoint_file(run_init_t,initrc_exec_t) ') - ') dnl end TODO