From 2e863f8ad083ad8f9a504df84b63f9e4fc9e44c9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 09 2005 20:51:54 +0000 Subject: add first part of changes to make base module compilable --- diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints index be9b34d..101441e 100644 --- a/refpolicy/policy/constraints +++ b/refpolicy/policy/constraints @@ -1,9 +1,5 @@ # -# Define m4 macros for the constraints -# - -# # Define the constraints # # constrain class_set perm_set expression ; @@ -33,29 +29,20 @@ # SELinux process identity change constraint: # constrain process transition - ( u1 == u2 or + ( u1 == u2 ifdef(`targeted_policy',` - t1 == can_change_process_identity + or t1 == can_change_process_identity ',` - ( t1 == can_change_process_identity and t2 == userdomain ) - ifdef(`crond.te',` - or ( - t1 == crond_t - and ( - t2 == user_crond_domain - or u2 == system_u - ) - ) - ') + or ( t1 == can_change_process_identity and t2 == process_user_target ) - ifdef(`userhelper.te',` - or (t1 == userhelperdomain) - ') + or ( t1 == cron_source_domain + and ( t2 == cron_job_domain or u2 == system_u ) + ) + + or (t1 == process_uncond_exempt) - ifdef(`TODO',` - or (t1 == priv_system_role and u2 == system_u ) - ') dnl end TODO + or (t1 == can_system_change and u2 == system_u ) ') ); @@ -63,19 +50,16 @@ ifdef(`targeted_policy',` # SELinux process role change constraint: # constrain process transition - ( r1 == r2 or + ( r1 == r2 + ifdef(`targeted_policy',` - t1 == can_change_process_role + or t1 == can_change_process_role ',` - ( t1 == can_change_process_role and t2 == userdomain ) + or ( t1 == can_change_process_role and t2 == process_user_target ) - ifdef(`crond.te',` - or (t1 == crond_t and t2 == user_crond_domain) - ') + or ( t1 == cron_source_domain and t2 == cron_job_domain ) - ifdef(`userhelper.te',` - or (t1 == userhelperdomain) - ') + or ( t1 == process_uncond_exempt ) ifdef(`postfix.te',` ifdef(`direct_sysadm_daemon',` @@ -87,9 +71,7 @@ ifdef(`targeted_policy',` ') ') - ifdef(`TODO',` - or (t1 == priv_system_role and r2 == system_r ) - ') dnl end TODO + or (t1 == can_system_change and r2 == system_r ) ') ); @@ -97,7 +79,7 @@ ifdef(`targeted_policy',` # SELinux dynamic transition constraint: # constrain process dyntransition - ( u1 == u2 and r1 == r2); + ( u1 == u2 and r1 == r2 ); # # SElinux object identity change constraint: diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index e418325..44fd2c1 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -33,8 +33,9 @@ template(`cron_per_userdomain_template',` type $1_cron_spool_t, cron_spool_type; files_type($1_cron_spool_t) - type $1_crond_t; # user_crond_domain; - domain_type($1_crond_t); + type $1_crond_t; + domain_type($1_crond_t) + domain_cron_exemption_target($1_crond_t) corecmd_shell_entry_type($1_crond_t) role $3 types $1_crond_t; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index f93be50..d18945d 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -17,6 +17,7 @@ type crond_t; #, privmail type crond_exec_t; init_daemon_domain(crond_t,crond_exec_t) domain_wide_inherit_fd(crond_t) +domain_cron_exemption_source(crond_t) type crond_log_t; logging_log_file(crond_log_t) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 4489fdc..b18be62 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -389,6 +389,7 @@ template(`ssh_per_userdomain_template',` # template(`ssh_server_template', ` type $1_t, ssh_server; + domain_type($1_t) role system_r types $1_t; type $1_devpts_t; diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 7aab5d0..45bb6e8 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -4,8 +4,22 @@ ## ######################################## -# -# domain_base_domain_type(domain) +## +## Make the specified type usable as a basic domain. +## +## +##

+## Make the specified type usable as a basic domain. +##

+##

+## This is primarily used for kernel threads; +## generally the domain_type() interface is +## more appropriate for userland processes. +##

+##
+## +## Type to be used as a basic domain type. +## # interface(`domain_base_type',` gen_require(` @@ -26,19 +40,15 @@ interface(`domain_base_type',` # allow $1 to create child processes in this domain allow $1 self:process { fork sigchld }; - - # Files with domain types are currently only proc files - # self is excepted since domains and files can have - # the same type in SEFramework - # cjp: perhaps this should be a conditional exception, - # so it is excepted only on SEFramework policies - neverallow $1 { domain -$1 }:dir ~r_dir_perms; - neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms; ') ######################################## -# -# domain_type(domain) +## +## Make the specified type usable as a domain. +## +## +## Type to be used as a domain type. +## # interface(`domain_type',` # start with basic domain @@ -69,8 +79,17 @@ interface(`domain_type',` ') ######################################## -# -# domain_entry_file(domain,entrypointfile) +## +## Make the specified type usable as +## an entry point for the domain. +## +## +## Domain to be entered. +## +## +## Type of program used for entering +## the domain. +## # interface(`domain_entry_file',` gen_require(` @@ -79,7 +98,10 @@ interface(`domain_entry_file',` ') files_type($2) + allow $1 $2:file entrypoint; + allow $1 $2:file rx_file_perms; + typeattribute $2 entry_type; ') @@ -159,6 +181,105 @@ interface(`domain_obj_id_change_exempt',` ') ######################################## +## +## Make the specified domain the target of +## the user domain exception of the +## SELinux role and identity change +## constraints. +## +## +##

+## Make the specified domain the target of +## the user domain exception of the +## SELinux role and identity change +## constraints. +##

+##

+## This interface is needed to decouple +## the user domains from the base module. +## It should not be used other than on +## user domains. +##

+##
+## +## Domain target for user exemption. +## +# +interface(`domain_user_exemption_target',` + gen_require(` + attribute process_user_target; + ') + + typeattribute $1 process_user_target; +') + +######################################## +## +## Make the specified domain the source of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +## +## +##

+## Make the specified domain the source of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +##

+##

+## This interface is needed to decouple +## the cron domains from the base module. +## It should not be used other than on +## cron domains. +##

+##
+## +## Domain target for user exemption. +## +# +interface(`domain_cron_exemption_source',` + gen_require(` + attribute cron_source_domain; + ') + + typeattribute $1 cron_source_domain; +') + +######################################## +## +## Make the specified domain the target of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +## +## +##

+## Make the specified domain the target of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +##

+##

+## This interface is needed to decouple +## the cron domains from the base module. +## It should not be used other than on +## user cron jobs. +##

+##
+## +## Domain target for user exemption. +## +# +interface(`domain_cron_exemption_target',` + gen_require(` + attribute cron_job_domain; + ') + + typeattribute $1 cron_job_domain; +') + +######################################## # # domain_use_wide_inherit_fd(domain) # diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te index 2878652..efd8a4b 100644 --- a/refpolicy/policy/modules/system/domain.te +++ b/refpolicy/policy/modules/system/domain.te @@ -9,30 +9,58 @@ policy_module(domain,1.0) # Mark process types as domains attribute domain; +# Transitions only allowed from domains to other domains +neverallow domain ~domain:process { transition dyntransition }; + +# Domains that can set their current context +# (perform dynamic transitions) +attribute set_curr_context; + +# enabling setcurrent breaks process tranquility. If you do not +# know what this means or do not understand the implications of a +# dynamic transition, you should not be using it!!! +neverallow { domain -set_curr_context } self:process setcurrent; + # entrypoint executables attribute entry_type; # widely-inheritable file descriptors attribute privfd; -# Domains that can set their current context -# (perform dynamic transitions) -attribute set_curr_context; - +# # constraint related attributes +# + +# [1] types that can change SELinux identity on transition attribute can_change_process_identity; + +# [2] types that can change SELinux role on transition attribute can_change_process_role; + +# [3] types that can change the SELinux identity on a filesystem +# object or a socket object on a create or relabel attribute can_change_object_identity; -# Transitions only allowed from domains to other domains -neverallow domain ~domain:process { transition dyntransition }; +# [3] types that can change to system_u:system_r +attribute can_system_change; -# enabling setcurrent breaks process tranquility. If you do not -# know what this means or do not understand the implications of a -# dynamic transition, you should not be using it!!! -neverallow { domain -set_curr_context } self:process setcurrent; +# [4] types that have attribute 1 can change the SELinux +# identity only if the target domain has this attribute. +# Types that have attribute 2 can change the SELinux role +# only if the target domain has this attribute. +attribute process_user_target; + +# For cron jobs +# [5] types used for cron daemons +attribute cron_source_domain; +# [6] types used for cron jobs +attribute cron_job_domain; + +# [7] types that are unconditionally exempt from +# SELinux identity and role change constraints +attribute process_uncond_exempt; # add userhelperdomain to this one # TODO: # cjp: also need to except correctly for SEFramework -#neverallow { domain unlabeled_t } file_type:process *; -#neverallow ~{ domain unlabeled_t } *:process *; +neverallow { domain unlabeled_t } file_type:process *; +neverallow ~{ domain unlabeled_t } *:process *; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 3fa926c..375092f 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -29,6 +29,7 @@ template(`base_user_template',` type $1_t, userdomain; domain_type($1_t) corecmd_shell_entry_type($1_t) + domain_user_exemption_target($1_t) role $1_r types $1_t; allow system_r $1_r;