From 2c243586e54cccc7cfc82e0ccd03a6a60b1c8123 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jan 11 2006 23:20:28 +0000 Subject: add prelink. --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0ceec0a..f5cd8e6 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -3,7 +3,7 @@ - Add apache relay and db connect tunables. - Rename texrel_shlib_t to textrel_shlib_t. - Add swat to samba module. -- Miscellaneous fixes from Dan Walsh. +- Numerous miscellaneous fixes from Dan Walsh. - Added modules: automount ddcprobe @@ -12,6 +12,7 @@ lockdev logwatch (Dan Walsh) openct + prelink (Dan Walsh) readahead roundup screen diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te index ad505e5..b951681 100644 --- a/refpolicy/policy/modules/admin/amanda.te +++ b/refpolicy/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.1.0) +policy_module(amanda,1.1.1) ####################################### # @@ -77,6 +77,10 @@ role system_r types amanda_recover_t; type amanda_recover_dir_t; files_type(amanda_recover_dir_t) +optional_policy(`prelink',` + prelink_object_file(amanda_usr_lib_t) +') + ######################################## # # Amanda local policy diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc new file mode 100644 index 0000000..ee0cf31 --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.fc @@ -0,0 +1,6 @@ + +/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) + +/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) + +/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) diff --git a/refpolicy/policy/modules/admin/prelink.if b/refpolicy/policy/modules/admin/prelink.if new file mode 100644 index 0000000..e76434d --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.if @@ -0,0 +1,92 @@ +## Prelink ELF shared library mappings. + +######################################## +## +## Execute the prelink program in the prelink domain. +## +## +## Domain allowed access. +## +# +interface(`prelink_domtrans',` + gen_require(` + type prelink_t, prelink_exec_t; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1, prelink_exec_t, prelink_t) + + allow $1 prelink_t:fd use; + allow prelink_t $1:fd use; + allow prelink_t $1:fifo_file rw_file_perms; + allow prelink_t $1:process sigchld; +') + +######################################## +## +## Make the specified file type prelinkable. +## +## +## File type to be prelinked. +## +# +# cjp: added for misc non-entrypoint objects +interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; + ') + + typeattribute $1 prelink_object; +') + +######################################## +## +## Read the prelink cache. +## +## +## Domain allowed access. +## +# +interface(`prelink_read_cache',` + gen_require(` + type prelink_cache_t; + ') + + files_search_etc($1) + allow $1 prelink_cache_t:file { getattr read }; +') + +######################################## +## +## Delete the prelink cache. +## +## +## Domain allowed access. +## +# +interface(`prelink_delete_cache',` + gen_require(` + type prelink_cache_t; + ') + + allow $1 prelink_cache_t:file unlink; +') + +######################################## +## +## Create, read, write, and delete +## prelink log files. +## +## +## Domain allowed access. +## +# +interface(`prelink_manage_log',` + gen_require(` + type prelink_log_t; + ') + + logging_search_logs($1) + allow $1 prelink_log_t:dir rw_dir_perms; + allow $1 prelink_log_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te new file mode 100644 index 0000000..91c5f86 --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.te @@ -0,0 +1,79 @@ + +policy_module(prelink,1.0.0) + +######################################## +# +# Declarations + +attribute prelink_object; + +type prelink_t; +type prelink_exec_t; +init_system_domain(prelink_t,prelink_exec_t) + +type prelink_cache_t; +files_type(prelink_cache_t) + +type prelink_log_t; +logging_log_file(prelink_log_t) + +######################################## +# +# Local policy +# + +allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:process { execheap execmem execstack }; +allow prelink_t self:fifo_file rw_file_perms; + +allow prelink_t prelink_cache_t:file manage_file_perms; +files_create_etc_config(prelink_t, prelink_cache_t, file) + +allow prelink_t prelink_log_t:dir { setattr rw_dir_perms }; +allow prelink_t prelink_log_t:file { create ra_file_perms }; +allow prelink_t prelink_log_t:lnk_file read; +logging_create_log(prelink_t, prelink_log_t) + +# prelink misc objects that are not system +# libraries or entrypoints +allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom }; + +kernel_read_system_state(prelink_t) +kernel_dontaudit_search_kernel_sysctl(prelink_t) +kernel_dontaudit_search_sysctl(prelink_t) + +corecmd_manage_bin_files(prelink_t) +corecmd_relabel_bin_files(prelink_t) +corecmd_mmap_bin_files(prelink_t) +corecmd_manage_sbin_files(prelink_t) +corecmd_relabel_sbin_files(prelink_t) +corecmd_mmap_sbin_files(prelink_t) + +dev_read_urand(prelink_t) + +domain_manage_all_entry_files(prelink_t) +domain_relabel_all_entry_files(prelink_t) +domain_mmap_all_entry_files(prelink_t) + +files_list_all(prelink_t) +files_getattr_all_files(prelink_t) +files_write_non_security_dir(prelink_t) +files_read_etc_runtime_files(prelink_t) + +fs_getattr_xattr_fs(prelink_t) + +libs_use_ld_so(prelink_t) +libs_manage_ld_so(prelink_t) +libs_relabel_ld_so(prelink_t) +libs_use_shared_libs(prelink_t) +libs_manage_shared_libs(prelink_t) +libs_relabel_shared_libs(prelink_t) +libs_use_lib(prelink_t) +libs_manage_lib_files(prelink_t) +libs_relabel_lib_files(prelink_t) + +miscfiles_read_localization(prelink_t) + +optional_policy(`cron',` + cron_system_entry(prelink_t, prelink_exec_t) +') diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if index 0033679..f6f09fe 100644 --- a/refpolicy/policy/modules/kernel/corecommands.if +++ b/refpolicy/policy/modules/kernel/corecommands.if @@ -190,6 +190,57 @@ interface(`corecmd_exec_bin',` ######################################## ## +## Create, read, write, and delete bin files. +## +## +## Domain allowed access. +## +# +interface(`corecmd_manage_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir rw_dir_perms; + allow $1 bin_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the bin type. +## +## +## Domain allowed access. +## +# +interface(`corecmd_relabel_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; + allow $1 bin_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap a bin file as executable. +## +## +## Domain allowed access. +## +# +interface(`corecmd_mmap_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; + allow $1 bin_t:file { getattr read execute }; +') + +######################################## +## ## Execute a file in a bin directory ## in the specified domain. ## @@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',` allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:lnk_file r_file_perms; can_exec($1,sbin_t) +') +######################################## +## +## Create, read, write, and delete sbin files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_manage_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir rw_dir_perms; + allow $1 sbin_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the sbin type. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_relabel_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir search_dir_perms; + allow $1 sbin_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap a sbin file as executable. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_mmap_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir search_dir_perms; + allow $1 sbin_t:file { getattr read execute }; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index ff88d10..d157fec 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te +++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.1.0) +policy_module(corecommands,1.1.1) ######################################## # diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 58d3c7d..d02815b 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -1021,6 +1021,59 @@ interface(`domain_exec_all_entry_files',` ######################################## ## +## Create, read, write, and delete all +## entrypoint files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_manage_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file manage_file_perms; +') + +######################################## +## +## Relabel to and from all entry point +## file types. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_relabel_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap all entry point files as executable. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_mmap_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file { getattr read execute }; +') + +######################################## +## ## Unconfined access to domains. ## ## diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index 099269e..6956584 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain,1.0.0) +policy_module(domain,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index f22676a..32b7be4 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.1.1) +policy_module(apache,1.1.2) # # NOTES: @@ -122,6 +122,10 @@ ifdef(`targeted_policy',` typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; ') +optional_policy(`prelink',` + prelink_object_file(httpd_modules_t) +') + ######################################## # # Apache server local policy diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index e89f8c4..90fcf06 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.1.3) +policy_module(cron,1.1.4) gen_require(` class passwd rootok; @@ -397,6 +397,12 @@ ifdef(`targeted_policy',` nscd_use_socket(system_crond_t) ') + optional_policy(`prelink',` + prelink_read_cache(system_crond_t) + prelink_manage_log(system_crond_t) + prelink_delete_cache(system_crond_t) + ') + optional_policy(`samba',` samba_read_config(system_crond_t) samba_read_log(system_crond_t) diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index b71ac92..62086a6 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search; allow xdm_xserver_t xkb_var_lib_t:lnk_file read; can_exec(xdm_xserver_t, xkb_var_lib_t) +optional_policy(`prelink',` + prelink_object_file(xkb_var_lib_t) +') + # Insert video drivers. allow xdm_xserver_t self:capability mknod; allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 05f6904..8863b6a 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -115,6 +115,44 @@ interface(`libs_exec_ld_so',` ######################################## ## +## Create, read, write, and delete the +## dynamic link/loader. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + allow $1 lib_t:dir rw_dir_perms; + allow $1 ld_so_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the type used for +## the dynamic link/loader. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 ld_so_t:file { relabelfrom relabelto }; +') + +######################################## +## ## Modify the dynamic link/loader's cached listing ## of shared libraries. ## @@ -214,6 +252,25 @@ interface(`libs_use_lib',` ######################################## ## +## Create, read, write, and delete generic +## files in library directories. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:file manage_file_perms; +') + +######################################## +## ## Relabel files to the type used in library directories. ## ## @@ -226,11 +283,49 @@ interface(`libs_relabelto_lib_files',` class file relabelto; ') + allow $1 lib_t:dir search_dir_perms; allow $1 lib_t:file relabelto; ') ######################################## ## +## Relabel to and from the type used +## for generic lib files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Create, read, write, and delete shared libraries. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_shared_libs',` + gen_require(` + type lib_t, shlib_t, textrel_shlib_t; + ') + + allow $1 lib_t:dir rw_dir_perms; + allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms; +') + +######################################## +## ## Load and execute functions from shared libraries. ## ## @@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',` allow $1 { shlib_t textrel_shlib_t }:file execmod; ') +######################################## +## +## Relabel to and from the type used for +## shared libraries. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_shared_libs',` + gen_require(` + type lib_t, shlib_t, textrel_shlib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto }; +') diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 86b3c8c..e5b3020 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.1.3) +policy_module(libraries,1.1.4) ######################################## # diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index a2f47d1..81fd9be 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.1.4) +policy_module(unconfined,1.1.5) ######################################## # @@ -129,10 +129,6 @@ ifdef(`targeted_policy',` sendmail_domtrans(unconfined_t) ') - optional_policy(`su',` - su_per_userdomain_template(sysadm,unconfined_t,system_r) - ') - optional_policy(`sysnetwork',` sysnet_domtrans_dhcpc(unconfined_t) ')