From 142e9f40ea4680effacab2bea2da1553b2845e36 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 21 2005 14:49:41 +0000 Subject: targeted and redhat cleanups --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index ff405e7..eb1fa16 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,6 @@ +- Make logrotate, sendmail, sshd, and rpm policies + unconfined in the targeted policy so no special + modules.conf is required. - Add experimental MCS support. - Add appconfig for MLS. - Add equivalents for old can_resolve(), can_ldap(), and diff --git a/refpolicy/Makefile b/refpolicy/Makefile index e2bebb5..a03a9fd 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -27,7 +27,9 @@ #OUTPUT_POLICY = 18 # Policy Type -# strict, targeted, strict-mls, targeted-mls +# strict, targeted, +# strict-mls, targeted-mls, +# strict-mcs, targeted-mcs TYPE = strict # Policy Name @@ -45,6 +47,13 @@ NAME = refpolicy # Fedora users should enable redhat. #DISTRO = redhat +# Direct admin init +# Setting this will allow sysadm to directly +# run init scripts, instead of requring run_init. +# This is a build option, as role transitions do +# not work in conditional policy. +DIRECT_INITRC=n + # Build monolithic policy. Putting n here # will build a loadable module policy. MONOLITHIC=y @@ -139,6 +148,10 @@ ifeq ($(NAME),) NAME := $(TYPE) endif +ifeq ($(DIRECT_INITRC),y) + override M4PARAM += -D direct_sysadm_daemon +endif + # determine the policy version and current kernel version if possible PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') KV := $(shell cat /selinux/policyvers) diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example deleted file mode 100644 index 7f14aca..0000000 --- a/refpolicy/policy/modules.conf.targeted_example +++ /dev/null @@ -1,493 +0,0 @@ -# -# This file contains a listing of available modules. -# To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. -# - -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: kernel -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: system -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: system -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = off - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = off - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = module - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = off - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: admin -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = off - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: kernel -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = off - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = off - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = module - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS -# -howl = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. -# -bind = module - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = module - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = module - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = module - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Layer: system -# Module: corecommands -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = module - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = module - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = module - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = module - diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 5ddfe4b..b5bc065 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -6,9 +6,10 @@ policy_module(logrotate,1.0) # Declarations # -type logrotate_t; #, priv_system_role +type logrotate_t; domain_type(logrotate_t) domain_obj_id_change_exempt(logrotate_t) +domain_system_change_exempt(logrotate_t) role system_r types logrotate_t; type logrotate_exec_t; @@ -126,6 +127,10 @@ ifdef(`distro_debian', ` can_exec(logrotate_t, logrotate_exec_t) ') +ifdef(`targeted_policy',` + unconfined_domain_template(logrotate_t) +') + optional_policy(`acct.te',` acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 1da113f..9939948 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -169,6 +169,10 @@ sysnet_read_config(rpm_t) userdom_use_unpriv_users_fd(rpm_t) +ifdef(`targeted_policy',` + unconfined_domain_template(rpm_t) +') + optional_policy(`cron.te',` cron_system_entry(rpm_t,rpm_exec_t) ') @@ -310,11 +314,8 @@ seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_user_fd(rpm_script_t) -# this should be tunable_policy, but -# typeattribute does not work in conditionals -ifdef(`unlimitedRPM',` +ifdef(`targeted_policy',` unconfined_domain_template(rpm_t) - unconfined_domain_template(rpm_script_t) ') tunable_policy(`allow_execmem',` diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index 07b9a03..8481397 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -220,3 +220,20 @@ interface(`dbus_send_system_bus_msg',` allow $1 system_dbusd_t:dbus send_msg; ') + +######################################## +## +## Allow unconfined access to the system DBUS. +## +## +## Domain allowed access. +## +# +interface(`dbus_system_bus_unconfined',` + gen_require(` + type system_dbusd_t; + class dbus all_dbus_perms; + ') + + allow $1 system_dbusd_t:dbus *; +') diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index 5524cc8..f1438ed 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -15,7 +15,7 @@ files_type(dbusd_etc_t) type system_dbusd_t alias dbusd_t; type system_dbusd_exec_t; -init_daemon_domain(system_dbusd_t,system_dbusd_exec_t) +init_system_domain(system_dbusd_t,system_dbusd_exec_t) type system_dbusd_tmp_t; files_tmp_file(system_dbusd_tmp_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 61e6238..0ac4b5f 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -102,7 +102,8 @@ mta_rw_aliases(sendmail_t) mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) -ifdef(`targeted_policy', ` +ifdef(`targeted_policy',` + unconfined_domain_template(sendmail_t) term_dontaudit_use_unallocated_tty(sendmail_t) term_dontaudit_use_generic_pty(sendmail_t) files_dontaudit_read_root_file(sendmail_t) diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index fe1f7c9..8935f68 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -72,6 +72,10 @@ auth_exec_pam(sshd_t) seutil_read_config(sshd_t) +ifdef(`targeted_policy',` + unconfined_domain_template(sshd_t) +') + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te index 2d53cc0..7ee474b 100644 --- a/refpolicy/policy/modules/system/corecommands.te +++ b/refpolicy/policy/modules/system/corecommands.te @@ -12,12 +12,6 @@ policy_module(corecommands,1.0) type bin_t; files_type(bin_t) -ifdef(`targeted_policy',` - # Define some type aliases to help with compatibility with - # macros and domains from the "strict" policy. - typealias bin_t alias su_exec_t; -') - # # sbin_t is the type of files in the system sbin directories. # diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 1b1028c..1b08279 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -2568,8 +2568,6 @@ interface(`files_manage_generic_spools',` interface(`files_unconfined',` gen_require(` attribute file_type; - class unix_stream_socket name_bind; - class unix_dgram_socket name_bind; ') # Create/access any file in a labeled filesystem; @@ -2582,4 +2580,10 @@ interface(`files_unconfined',` # Bind to any network address. # cjp: need to check this, I dont think this has any effect. allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; + + ifdef(`targeted_policy',` + tunable_policy(`allow_execmod',` + allow $1 file_type:file execmod; + ') + ') ') diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 59eb383..82d9f6e 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -9,6 +9,11 @@ ## # template(`unconfined_domain_template',` + gen_require(` + class dbus all_dbus_perms; + class nscd all_nscd_perms; + class passwd all_passwd_perms; + ') # Use any Linux capability. allow $1 self:capability *; @@ -52,6 +57,11 @@ template(`unconfined_domain_template',` bootloader_manage_kernel_modules($1) ') + optional_policy(`dbus.te', ` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) + ') + optional_policy(`nscd.te', ` nscd_unconfined($1) ') @@ -67,20 +77,12 @@ template(`unconfined_domain_template',` ifdef(`TODO',` if (allow_execmod) { - ifdef(`targeted_policy', ` - allow $1 file_type:file execmod; - ', ` + ifdef(`targeted_policy', `', ` # Allow text relocations on system shared libraries, e.g. libGL. allow $1 texrel_shlib_t:file execmod; allow $1 home_type:file execmod; ') } - - ifdef(`dbusd.te', ` - # Communicate via dbusd. - allow $1 system_dbusd_t:dbus *; - ') - ') dnl end TODO ') diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 80a543d..7def5d0 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -25,14 +25,14 @@ ifdef(`targeted_policy',` # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. - typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t }; + # cjp: remove xdm_t when we get to that module + typealias unconfined_t alias { secadm_t sysadm_t xdm_t }; init_domtrans_script(unconfined_t) userdom_unconfined(unconfined_t) ifdef(`TODO',` - #cjp: why is this needed? ifdef(`samba.te', `samba_domain(user)') ') dnl end TODO ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 721e51a..4656bb4 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -731,6 +731,10 @@ template(`unpriv_user_template', ` ## # template(`admin_user_template',` + gen_require(` + class passwd { passwd chfn chsh rootok crontab }; + ') + ############################## # # Declarations @@ -743,9 +747,10 @@ template(`admin_user_template',` domain_obj_id_change_exempt($1_t) role system_r types $1_t; - #ifdef(`direct_sysadm_daemon', `, priv_system_role') - #; dnl end of sysadm_t type declaration - + ifdef(`direct_sysadm_daemon',` + domain_system_change_exempt($1_t) + ') + typeattribute $1_devpts_t admin_terminal; typeattribute $1_tty_device_t admin_terminal; diff --git a/tools/regression.sh b/tools/regression.sh index 0979a05..db3e42b 100755 --- a/tools/regression.sh +++ b/tools/regression.sh @@ -1,16 +1,15 @@ #!/bin/bash DISTROS="redhat gentoo debian suse" -STRICT_TYPES="strict strict-mls strict-mcs" -TARG_TYPES="targeted targeted-mls targeted-mcs" +TYPES="strict strict-mls strict-mcs targeted targeted-mls targeted-mcs" POLVER="`checkpolicy -V |cut -f 1 -d ' '`" SETFILES="/usr/sbin/setfiles" do_test() { local OPTS="" - for i in $STRICT_TYPES; do - OPTS="TYPE=$i QUIET=@" + for i in $TYPES; do + OPTS="TYPE=$i QUIET=@ DIRECT_INITRC=y" [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1" make bare || exit 1 echo "**** Options: $OPTS ****" @@ -19,19 +18,6 @@ do_test() { make $OPTS file_contexts || exit 1 $SETFILES -q -c policy.$POLVER file_contexts || exit 1 done - - # need a specific config for targeted policy - for i in $TARG_TYPES; do - OPTS="TYPE=$i QUIET=@" - [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1" - make bare || exit 1 - echo "**** Options: $OPTS ****" - cp policy/modules.conf.targeted_example policy/modules.conf - make $OPTS conf || exit 1 - make $OPTS || exit 1 - make $OPTS file_contexts || exit 1 - $SETFILES -q -c policy.$POLVER file_contexts|| exit 1 - done } # first to generic test